W3C Logging Service stopping due to sysmon driver

Recently worked on a case and here are the details:



SYMPTOMS:

--We see the ‘W3C Logging Service’ is stopped, and if we try to enable the service we get the error message below.






Error Message

‘u_ex******_x.log’ file is not getting created. Event ID 6001: W3C Logging Service failed to start.

CAUSE:

We performed a clean boot of the server and found the issue was resolved.

Steps for clean boot:

- Run -> msconfig -> click OK.

- Go to the Services tab -> check Hide all Microsoft services -> select Disable all.

- Go to the Startup tab -> select Disable all -> click Apply and OK, reboot the machine and monitor the behavior.



The task was then to figure out the culprit process.

By trial and error we found it to be sysmon64.

- In Procmon, any path containing w3SVClog has neither the stack nor the modules loaded.






BUT WHY WAS SYSMON CAUSING THE ISSUE:

- GUID collision between the Sysmon driver from Sysinternals and the W3LogSVC service.

- When Sysmon is activated to monitor DNS events in the Event Log, this creates a conflict with W3LogSVC because the GUID is the same.

- W3LogSVC cannot start since the Sysmon driver has already started using the GUID that is shared by both.





RESOLUTION:

- The issue has been patched in the latest version of the Sysmon driver, version 10.42, which is publicly available for download; it is also fixed in vNext of IIS.

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
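The following PowerShell triage script is an added example and is not part of the original post or of Sysinternals/IIS. It checks the points the cause and resolution sections raise: whether the W3C Logging Service is stopped, whether Sysmon is emitting DNS events, whether the installed Sysmon binary is older than the 10.42 fix, whether any registered ETW providers share a GUID, and whether Event ID 6001 has been logged. Assumptions: the W3C Logging Service is registered as service name w3logsvc, Sysmon runs as a service whose name starts with Sysmon (default Sysmon or Sysmon64), Sysmon DNS queries appear as Event ID 22 in its Operational channel, and the 6001 event may sit in either the System or Application log (the post does not say which).

```powershell
# Added triage script (not from the original post). Assumptions are marked in comments.

function Get-W3LogSvcState {
    # Returns the status of the W3C Logging Service (assumed service name 'w3logsvc'),
    # or 'NotInstalled' if the service is absent.
    $svc = Get-Service -Name 'w3logsvc' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Test-SysmonDnsLoggingActive {
    # Sysmon 10+ writes DNS query events as ID 22 to its Operational channel.
    # A hit means the DNS monitoring the post describes is switched on.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    return ($null -ne $ev)
}

function Get-SysmonVersionInfo {
    # Locates the Sysmon service binary through its registered image path and flags it
    # when its file version is below 10.42, the version the post names as the fix.
    $fixed = [version]'10.42'
    $services = Get-CimInstance Win32_Service -Filter "Name LIKE 'Sysmon%'"
    foreach ($s in $services) {
        # PathName may be quoted and carry arguments; keep only the executable path.
        $exe = ($s.PathName -replace '^"?([^"]+\.exe)"?.*$', '$1')
        $ver = $null
        if (Test-Path $exe) {
            $raw = (Get-Item $exe).VersionInfo.FileVersion
            try { $ver = [version]($raw -replace '[^\d.]', '') } catch { $ver = $null }
        }
        [pscustomobject]@{
            Service     = $s.Name
            Binary      = $exe
            FileVersion = $ver
            NeedsUpdate = ($null -ne $ver -and $ver -lt $fixed)
        }
    }
}

function Find-DuplicateEtwProviderGuids {
    # Parses 'logman query providers' and groups registered ETW providers by GUID.
    # Only providers registered with the OS are visible here, so an empty result
    # does not prove there is no collision; a non-empty one is worth investigating.
    $lines = & logman.exe query providers 2>$null
    $entries = foreach ($line in $lines) {
        if ($line -match '^(?<name>.+?)\s+(?<guid>\{[0-9A-Fa-f-]{36}\})\s*$') {
            [pscustomobject]@{ Name = $Matches.name.Trim(); Guid = $Matches.guid.ToUpper() }
        }
    }
    $entries | Group-Object Guid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Guid = $_.Name; Providers = ($_.Group.Name -join ', ') }
    }
}

function Get-W3LogSvcStartFailures {
    # Event ID 6001 'W3C Logging Service failed to start' from the post. The channel is
    # not stated there, so both System and Application are searched (assumption).
    Get-WinEvent -FilterHashtable @{ LogName = @('System', 'Application'); Id = 6001 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'W3C Logging' } |
        Select-Object TimeCreated, ProviderName, Message
}

# Run the checks and print a compact triage summary.
"W3C Logging Service state : $(Get-W3LogSvcState)"
"Sysmon DNS events seen    : $(Test-SysmonDnsLoggingActive)"
Get-SysmonVersionInfo          | Format-Table -AutoSize
Find-DuplicateEtwProviderGuids | Format-Table -AutoSize
Get-W3LogSvcStartFailures      | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected IIS host. The combination the post describes is a stopped w3logsvc, Sysmon DNS events present, and a Sysmon file version below 10.42; if that is what the summary shows, updating Sysmon to 10.42 or later is the fix the post points to, and the script can be re-run afterwards to confirm the service starts.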
