KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q173210: How to Troubleshoot Event 2000 in System Event Log

Article: Q173210
Product(s): Microsoft Windows NT
Version(s): WinNT:3.5,3.51,4.0
Operating System(s): 
Keyword(s): kbtshoot kbhowto
Last Modified: 09-AUG-2001

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0 
- Microsoft Windows NT Server versions 3.5, 3.51, 4.0 
-------------------------------------------------------------------------------

SYMPTOMS
========

An event ID 2000 may appear in the System Event log of a computer running
Windows NT server when a remote network command fails. The following error
message may appear as well:

  STATUS_NO_SUCH_FILE

CAUSE
=====

An event 2000 may appear when a network application sends a Delete File command
to the shared network drive of a computer running Windows NT Server if the file
it is trying to delete does not exist on that server. A "STATUS_NO_SUCH_FILE"
event ID 2000 with the following data will appear in the System Event Log:

  0000: 00040000 00540001 00000000 c00007d0
  0010: 00000000 c000000f 00000000 00000000
  0020: 00000000 00000000 05180bc5

MORE INFORMATION
================

When you review an event 2000, pay particular attention to the second word in
the second line of the event data (in this case, c000000f). The event that
corresponds to c000000f is the one connected with the STATUS_NO_SUCH_FILE
message.


If your computer is running Windows NT Server 4.0, you can determine the cause of
the event by installing the Network Monitor Tools and Agent. You can do this in
Control Panel, by double-clicking Network, clicking Services, and then clicking
Add.

For instructions on setting up Network Monitor, see the following Microsoft
Knowledge Base article:

  Q148942 How to Capture Network Traffic with Network Monitor

If you need to monitor the network from an alternate platform, contact Microsoft
Technical Support; or obtain Network Monitor from the Systems Management Server
installation, if it is available.


RESOLUTION
==========

The System.evt file can be monitored in the same time window to determine the
time interval that may contain an event 2000 in the trace. Filtering event 2000s
in Network Monitor makes reviewing the capture easier to read.

To filter in Network Monitor, use the following steps:

1. Open a capture file; use any name ending in .cap.

2. Click the Capture menu, and then click Display Captured Data, and then press
  F8 to show the Display Filter window.

3. In the Display Filter window, double click the second line under AND where it
  reads ANY<->ANY.

4. Click the Property tab.

5. Click +SMB in the Protocol:Property window.

6. Click Command, and then select Delete File from the Value column on the
  right.

7. Click OK twice.

Network Monitor displays frames containing filtered data. Traces similar to the
ones below will be displayed:

  4207 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.TAF
     134.131.3.62 134.131.51.1 IP

  4217 SMB R delete file - DOS Error, (2) FILE_NOT_FOUND 134.131.51.1
     134.131.3.62 IP

  5031 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.ILM
     134.131.3.62 134.131.51.1 IP

  5040 SMB R delete file 134.131.51.1 134.131.3.62 IP

Frame 4207 shows that a computer with the address 134.131.3.62 is sending the
Delete File command to delete the file Pcdmnni.taf. Frame 4217 shows that the
computer running Windows NT Server with the address 134.131.51.1 responds with
the message FILE_NOT_FOUND; this frame will correspond with the event 2000
listed in System.evt. Frame 5031 shows that the file has been renamed to
Pcdmnni.ilm and that the command Delete File is sent again. Finally, frame 5040
shows that the file has been deleted successfully.


======================================================================
Keywords          : kbtshoot kbhowto 
Technology        : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search
Version           : WinNT:3.5,3.51,4.0
Issue type        : kbprb

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.