Friday, August 15, 2014

Logon/Logoff Event ID 540 when not logged on

1. Back up the SCM.MOF file from the %WINDIR%\System32\wbem folder in case the settings have to be reverted.

 2. Review the following lines in the SCM.MOF file (they are at the bottom of the file), and change them as needed:
instance of NTEventLogEventConsumer
{
Name = "SCM Event Log Consumer";
SourceName = "Service Control Manager";
EventType = 1;
Category = 0;
NameOfUserSIDProperty = "sid";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
/////////////////////////////////////////////////////////////////////////////
// SCM Event Log filter
instance of __EventFilter
{
Name = "SCM Event Log Filter";
QueryLanguage = "WQL";
Query = "select * from MSFT_SCMEventLogEvent";
EventNamespace = "root\\cimv2";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
/////////////////////////////////////////////////////////////////////////////
// SCM Event Log filter-to-consumer binding
instance of __FilterToConsumerBinding
{
Consumer = "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"";
Filter = "__EventFilter.Name=\"SCM Event Log Filter\"";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};

 3. Save the file as SCM.MOF after making the changes.

 4. Open a command prompt and navigate to the %WINDIR%\System32\wbem folder.

 5. Execute the following command in a system command prompt:
mofcomp.exe scm.mof
Note: To open a system command prompt, use the following command:
at <time> /interactive cmd.exe
Note: The <time> placeholder represents the time at which the command will run.

 6. Restart the computer.
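
A pre-compile check for the instances in step 2, as an added example that is not part of the original post: it parses the "instance of" blocks, decodes each CreatorSid byte array (the value shown in step 2 decodes to S-1-5-18, the LocalSystem SID), and confirms that the binding's Consumer and Filter references match instances defined in the same file. The function names and the abridged sample text are constructed for illustration.

```python
import re

# Constructed sample: the three instances from step 2, abridged to the properties used here.
SAMPLE_MOF = r'''instance of NTEventLogEventConsumer
{
Name = "SCM Event Log Consumer";
SourceName = "Service Control Manager";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
instance of __EventFilter
{
Name = "SCM Event Log Filter";
Query = "select * from MSFT_SCMEventLogEvent";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
instance of __FilterToConsumerBinding
{
Consumer = "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"";
Filter = "__EventFilter.Name=\"SCM Event Log Filter\"";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};'''

def sid_from_bytes(raw):
    """Binary SID -> string: revision, sub-authority count, 6-byte authority, 32-bit LE sub-authorities."""
    authority = int.from_bytes(bytes(raw[2:8]), "big")
    subs = [int.from_bytes(bytes(raw[8 + 4 * i:12 + 4 * i]), "little") for i in range(raw[1])]
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def parse_instances(mof):
    """Return [(class, {property: value})] for every 'instance of' block."""
    out = []
    for cls, body in re.findall(r"instance of (\w+)\s*\{(.*?)^\};", mof, re.S | re.M):
        props = {}
        for key, val in re.findall(r"^\s*(\w+)\s*=\s*(.*);\s*$", body, re.M):
            if val.startswith("{"):      # uint8 array such as CreatorSid
                props[key] = [int(n) for n in val.strip("{}").split(",")]
            else:                        # quoted string (unescape \") or bare number
                props[key] = val[1:-1].replace('\\"', '"') if val[:1] == '"' else val
        out.append((cls, props))
    return out

def audit(mof):
    """Per instance: (class, owner SID, whether binding references resolve inside the file)."""
    inst = parse_instances(mof)
    defined = {f'{c}.Name="{p["Name"]}"' for c, p in inst if "Name" in p}
    for c, p in inst:
        sid = sid_from_bytes(p["CreatorSid"]) if "CreatorSid" in p else None
        refs_ok = all(p[k] in defined for k in ("Consumer", "Filter") if k in p)
        yield (c, sid, refs_ok)
```

Calling list(audit(text)) on the contents of the edited file before step 5 shows a renamed consumer or filter that the binding no longer matches as a False in the third field.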
