EventSystem service problems

Symptom:

The system bar icon of SEP11 disappears. The error 0x8007042c is prompted when you try to start the service.

Symantec Management Client (prompt cannot start)

System Event Notification Service (indicating that the Service has been deleted, actually exists)

 

Solution Process:

1. Try to uninstall and reinstall SEP11. the problem persists.

2. google traces the problem that the System Event Notification Service cannot be started. The solution is to run netsh windsock reset catalog in safe mode, which is invalid after the attempt.

3. the LSP fixing method is also invalid.

4. the root cause of the problem is the EventSystem (COM + Event System) service. Check the Service Manager and find that the service does not exist. a friend on the Internet has provided a solution to the problem, import the relevant registry information. After you try to import and restart the registry, everything will return to normal.

 

Cause analysis:

The machine was infected with a USB flash drive virus earlier days, and recently it often received a prompt "detected [SID: 20386] ms rpcss Attack" in the LAN. For some reason, the EventSystem service is deleted, and services dependent on it cannot be started properly. After registry information is imported, the problem is recovered.

 

Attached with the Registry Information for restoring the EventSystem Service (save as the reg file and import it ):

Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventSystem]"DisplayName"="@comres.dll,-2450""ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\00,65,00,00,00"Description"="@comres.dll,-2451""ObjectName"="NT AUTHORITY\\LocalService""ErrorControl"=dword:00000001"Start"=dword:00000002"Type"=dword:00000020"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00"ServiceSidType"=dword:00000001"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\00,00,00,00"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\00,01,00,00,00,e8,03,00,00,01,00,00,00,88,13,00,00,00,00,00,00,00,00,00,00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventSystem\Parameters]"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\65,00,73,00,2e,00,64,00,6c,00,6c,00,00,00"ServiceDllUnLoadOnStop"=dword:00000001

 

Verification Environment: Windows 7 U 32-bit Simplified Chinese version

 

Solution source, see: http://fpangchina.blog.163.com/blog/static/2680084720106494954529/