Cannot get descriptions for events from ETW Providers

DucNM19 0 Reputation points
2024-12-10T13:14:22.63+00:00

I created a trace on my Windows 10 laptop using this logman command:

logman create trace "Microsoft-Windows-Kernel-File" -p Microsoft-Windows-Kernel-File 0x1800 -o "C:\Logs\Microsoft-Windows-Kernel-File.etl"

then I started the trace. Overall, the trace works normally. It created an .etl file in the path I specified and logged the events it could with the keywords I enabled. However, there is a problem when viewing the log. If I open the .etl file with Event Viewer, it prompts me to save a copy in .evtx format. I did. But when I view the events, it said:

The description for Event ID 27 from source Microsoft-Windows-Kernel-File cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

Other information in the event is visible normally, like the file path, etc. Just the description for the event could not be generated.

Has anyone faced this issue or know how to solve this?


1 answer

  1. Wesley Li 11,125 Reputation points
    2024-12-10T15:19:25.79+00:00

    Hello,

    This can happen if the necessary message files are not present on your system. Here are a few steps you can try to resolve this issue:

    Update Windows: Make sure your Windows 10 system is fully updated. Sometimes, missing components can be restored through Windows updates.

    Reinstall the Provider: You can try reinstalling the provider that generates these events. This might involve reinstalling or repairing the Windows components related to the Kernel-File provider.

    Check for Corrupted Files: Use the System File Checker tool to repair missing or corrupted system files. Open Command Prompt as an administrator and run:

    sfc /scannow

    Manual Installation of Message Files: If you have access to another system where the event descriptions are working correctly, you can try copying the necessary message files from that system to your current system.

    Check the Registry: Sometimes, the registry entries for the event log provider might be missing or incorrect. You can check the registry under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-Kernel-File

    Ensure that the EventMessageFile entry points to the correct file.

    If none of these steps resolve the issue, you might need to look into more specific troubleshooting based on the exact configuration and setup of your system.

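A quick way to check the decoding side of this problem from the machine itself, as an added example that is not part of the question or the answer above: it asks the event-log API which manifest and message file are registered for the provider, whether Event ID 27 is defined there, and then decodes the .etl directly with Get-WinEvent to see which events come back without a Message. It assumes the provider name and .etl path from the question; both are variables you can change.

```powershell
# Added example (not from the original post or answer): inspect the registered
# metadata of Microsoft-Windows-Kernel-File and decode the trace file directly.
# Assumes the .etl path used in the question; adjust $EtlPath as needed.
$ProviderName = 'Microsoft-Windows-Kernel-File'
$EtlPath      = 'C:\Logs\Microsoft-Windows-Kernel-File.etl'

# 1. Provider metadata as the decoding APIs see it. If this throws, the manifest
#    is not registered on this box and no local tool can render descriptions.
try {
    $prov = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
} catch {
    Write-Warning "Provider '$ProviderName' is not registered: $($_.Exception.Message)"
    return
}
$msgFile = $prov.MessageFilePath
"Provider GUID      : $($prov.Id)"
"Message file       : $msgFile"
"Resource file      : $($prov.ResourceFilePath)"
"Message file exists: $(if ($msgFile) { Test-Path $msgFile } else { 'n/a (none registered)' })"

# 2. Does the registered manifest define Event ID 27 (the one Event Viewer could
#    not describe)? Each version of the event carries its own description string.
$ev27 = $prov.Events | Where-Object Id -eq 27
if ($ev27) {
    $ev27 | ForEach-Object { "Event 27 v$($_.Version): $($_.Description)" }
} else {
    "Event ID 27 is not described by the registered manifest."
}

# 3. Decode the trace without converting it to .evtx. -Oldest is required for
#    .etl input. Message is empty when the template/message lookup fails, while
#    Properties (file path and friends) are still populated, which is exactly
#    what the question describes.
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
          Where-Object ProviderName -eq $ProviderName
$events | Group-Object Id | ForEach-Object {
    $sample = $_.Group[0]
    [pscustomobject]@{
        EventId    = $_.Name
        Count      = $_.Count
        HasMessage = [bool]$sample.Message
        FirstProp  = $sample.Properties[0].Value
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the same machine that produced the trace; if step 1 succeeds and step 2 lists Event 27 but step 3 still shows HasMessage = False, the gap is between the manifest and the message file rather than a missing provider registration.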
