GetUserDefaultLCID failed (solved)

dirbase (Senior Member) - Posted: 28 February 2009 at 5:19pm

After installing XP SP3 on SP2, you may notice the following recurring and somewhat alarming message in one of the WMI logs, i.e. c:\windows\system32\wbem\logs\wbemcore.log
"GetUserDefaultLCID failed, restorting to system verion"(sic!)
(you may see an example here)

AFAIU, it is apparently due to a new version of wbemcore.dll installed with XP SP3, i.e. version 5.1.2600.5512 (531,456 bytes), which must be the same file as installed by KB914463 (version 5.1.2600.2979, also with 531,456 bytes).
(The original SP2 version is 5.1.2600.2180 with 530,944 bytes).

The good news is that, according to KB963075, this error may be ignored:

Originally posted by KB963075:

GetUserDefaultLCID failed, restoring to system version

You may receive this error for successful WMI connections because of changes made in the design in KB 914463.

This error may be ignored.


Edit: Information on a workaround for this error may be found in my other post

Edited by dirbase - 09 April 2009 at 9:40pm

dirbase (Senior Member) - Posted: 02 March 2009 at 8:11pm

On a related subject, the wbemess.log file (also in \windows\system32\wbem\logs) shows the same error messages under XP SP3 as under XP SP2 (tested on several boxes), namely: (with the default "error only" setting)

(timestamp) NT Event Log Consumer: could not retrieve sid, 0x80041002

with "verbose" setting on, the same error is reported as:

(timestamp) : NCProv: NCMSG_PREPPED_EVENT index 30
(timestamp) : NT Event Log Consumer: could not retrieve sid, 0x80041002

(error 0x80041002 is WBEM_E_NOT_FOUND)

These errors are clearly related to the entries in the Windows event log/system.
For example, if I stop the Windows Image Acquisition (WIA) service, this triggers one error in wbemess.log as described above and, at the same time, two entries in the Windows Event Log (System) with type: information, event#: 7035 & 7036, source: SCM, the first for stop request sent, the second for service entered stopped state.

I tend to think that these errors appearing in wbemess.log "may be ignored", however I would like to get a confirmation for the root cause and whether it is possible to stop them (apart from disabling WMI event logging)


Edited by dirbase - 04 March 2009 at 8:26pm

dirbase (Senior Member) - Posted: 03 March 2009 at 11:30pm

I did make some progress in understanding the error message "NT Event Log Consumer: could not retrieve sid, 0x80041002" reported in wbemess.log.

According to the MSDN description, "the NTEventLogEventConsumer class logs a specific message to the operating system event log when an event is delivered to it".

I'll take one example to illustrate the situation as I understand it:
If I stop the WIA service (as an example) via services.msc two consecutive events are delivered, which NTEventLogEventConsumer logs into the System event log (this is the file c:\windows\system32\config\sysevent.evt).
Both events' properties are visible in the event viewer, with the following details - the probable corresponding NTEventLogEventConsumer properties from the MSDN description being indicated in brackets:

Event#1
Event type (EventType) : Information
Event source (SourceName): Service Control Manager
Category (Category): None
Event ID (EventID): 7035
Timestamp: 03/03/2009, 17:12:02
User (NameOfUserSidProperty): current user name
Computer (UNCServerName): local computer name
Description (InsertionStringTemplates): "A stop request has been correctly sent to the WIA service..."

No error message is logged in wbemess.log at this stage

Next message in event viewer:
Event#2
Event type (EventType) : Information
Event source (SourceName): Service Control Manager
Category (Category): None
Event ID (EventID): 7036
Timestamp: 03/03/2009, 17:12:03
User (NameOfUserSidProperty): N/A
Computer (UNCServerName): local computer name
Description (InsertionStringTemplates): "The WIA service has entered the stopped state..."

The following error message is logged simultaneously in wbemess.log:
(Tue Mar 03 17:12:03 2009.262881796) : NT Event Log Consumer: could not retrieve sid, 0x80041002

If I go back to the description of NameOfUserSidProperty, MSDN tells me that: "The property must be either an array of bytes (uint8) or a string. If it is an array of bytes, it is assumed to be a SID. If it is a string, it is a string SID that is converted into a SID."
Now I fire up WMI CIM Studio to look up the properties of the NTEventLogEventConsumer class in the root\subscription namespace, for its only instance: "SCM Event Log Consumer". I can see that NameOfUserSIDProperty is of string type, with a default value of "sid".




This is supported by the file "wbemcons.mof" which contains this definition:
class NTEventLogEventConsumer : __EventConsumer
{
  [key] string Name;
  string UNCServerName;
  [NOT_NULL] string SourceName;
  [NOT_NULL] uint32 EventID = 0;
  [NOT_NULL,ValueMap{"0", "1", "2", "4", "8", "16"},Values{"Success", "Error", "Warning", "Information", "Audit Success", "Audit Failure"}] uint32 EventType = 1;
  [NOT_NULL] uint16 Category;
  [NOT_NULL] uint32 NumberOfInsertionStrings = 0;
  [Template] string InsertionStringTemplates[] = {""};
  string NameOfRawDataProperty;
  string NameOfUserSIDProperty;
};


confirming that on my XP Pro SP3 system NameOfUserSIDProperty is a string.

So my interpretation of the error is as follows: when the SCM event provides a user SID string (as it appears to be the case for event 7035), the user is identified and there is no error logged in wbemess.log. If for some reason, the SCM event does not provide the user SID, as seems to be the case for event 7036, the default string value of "sid" for NameOfUserSIDProperty is not updated, no corresponding user can be found for this artificial SID, hence an error is reported in wbemess.log as
"could not retrieve sid, 0x80041002" meaning: "sid does not correspond to a SID" (0x80041002 is WBEM_E_NOT_FOUND). The event viewer indicates the user as N/A (not available).

According to the Event Viewer helpfile: "User is the user name of the user that was logged on when the event occurred" and Technet adds: "N/A indicates that the entry did not specify a user."

Conclusion: "User : N/A" is expected; however in this case, the template SID, "sid" is not updated and it can of course not map to an existing SID thus an error message for "object not found", is logged into wbemess.log.
In other words, AFAIU, this error, linked to a "User:N/A" & "Source: SCM" entry in the system event log, may be ignored.


Edited by dirbase - 06 March 2009 at 8:58pm

dirbase (Senior Member) - Posted: 07 March 2009 at 9:51pm

Turning to another WMI log file under XP SP2/SP3, wmiprov.log, I have noted that some of the errors are linked to the settings of the WMI performance adapter service (wmiapsrv.exe).

After logon, if the WMI performance adapter service was set to automatic start, the following text is logged in verbose mode (with "errors only", only the red lines are logged):

 Right after logon

(Sat Mar 07 12:48:48 2009.65093) : Instance Provider constructed
(Sat Mar 07 12:48:48 2009.65218) : Successfully Registered for Mof Events

(Sat Mar 07 12:48:48 2009.65234) : WDM call returned error: 4200
(Sat Mar 07 12:48:49 2009.65687) : End of processing Binary MOFS
(Sat Mar 07 12:48:49 2009.65703) : ***************************************
 

exactly 4 minutes after logon

(Sat Mar 07 12:52:33 2009.290062) : WDM call returned error: 4200
 (Sat Mar 07 12:52:33 2009.290078) : ***************************************
 (Sat Mar 07 12:52:33 2009.290078) : BinaryMofsHaveChanged returned FALSE:


about 8 minutes after logon

(Sat Mar 07 12:56:09 2009.505843) : Impersonation failed - Access denied
 

If WMI performance adapter service was set to manual start (the default setting for XP SP2/SP3), the following is logged:

Right after logon : nothing    

exactly 4 minutes after logon
 (Sat Mar 07 10:45:08 2009.293656) : WDM call returned error: 4200
 (Sat Mar 07 10:45:08 2009.293656) : ***************************************
 (Sat Mar 07 10:45:08 2009.293656) : BinaryMofsHaveChanged returned FALSE:

about 8 minutes after logon: nothing

Notice that the first "WDM call returned error: 4200" error has disappeared as well as the " Impersonation failed - Access denied" error. The same situation is noted if the WMI performance adapter service has been disabled.

This table summarizes the situation:

WMI Perf Adapter Service    wmiprov.log errors after logon
Disabled                    1
Automatic Start             3
Manual start                1

I still have to find out the root cause for the remaining "WDM call returned error: 4200" which is logged exactly 4 minutes after logon.
Using Process Monitor, it should be related to this portion of the call stack of the relevant thread from svchost.exe :

12  wmisvc.dll  __Trace::get_logfile + 0x86                                      0x4f0bf344
13  wmisvc.dll  __Trace::Trace + 0x4d                                            0x4f0bf50c
14  wmisvc.dll  ErrorTrace + 0x30                                                0x4f0bf6de
15  wmisvc.dll  CWMIDataBlock::MapReturnCode + 0x22                              0x4f0c72aa
16  wmisvc.dll  CWMIDataBlock::OpenWMI + 0x8a                                    0x4f0c7513
17  wmisvc.dll  CWMIStandardShell::QueryAndProcessAllBinaryGuidInstances + 0x57  0x4f0c462f
18  wmisvc.dll  CWMIBinMof::BinaryMofsHaveChanged + 0x180                        0x4f0c38d5
19  wmisvc.dll  CMonitorEvents::TimerCallBack + 0x1ba                            0x4f0bc218



Edited by dirbase - 09 March 2009 at 10:46am

dirbase (Senior Member) - Posted: 08 March 2009 at 6:28pm

Interestingly, launching Process Monitor version 2.0 or higher triggers a familiar logging in wmiprov.log on my XP SP3 box (member of a LAN):
(Sun Mar 08 17:51:40 2009.36593984) : Instance Provider constructed
(Sun Mar 08 17:51:40 2009.36594031) : Successfully Registered for Mof Events

(Sun Mar 08 17:51:40 2009.36594046) : WDM call returned error: 4200
(Sun Mar 08 17:51:40 2009.36594468) : End of processing Binary MOFS
(Sun Mar 08 17:51:40 2009.36594468) : ***************************************

(Sun Mar 08 18:13:35 2009.37909546) : Impersonation failed - Access denied
This behaviour is not recorded with earlier versions of ProcMon; it is related to the added Network Event Class (filtering out this Event class results in no logging).
I would be interested to know if someone using XP SP3/SP2 (with or without LAN) observes the same behavior for ProcMon (version 2.03 is the present version).



Edited by dirbase - 08 March 2009 at 6:31pm

molotov (Moderator Group) - Posted: 09 March 2009 at 2:58am

Hi dirbase,

On XP SP3, starting Procmon v2.03 the first time results in the following entries in wmiprov.log (verbose logging enabled):
***************************************
BinaryMofEventChanged returned FALSE:
Instance Provider constructed
Successfully Registered for Mof Events
WDM call returned error: 4200
End of processing Binary MOFS
***************************************



Daily affirmation:
net helpmsg 4006

dirbase (Senior Member) - Posted: 09 March 2009 at 7:36am

Hi Molotov,

Thanks for replying. So the behavior is confirmed with the first opening of ProcMon 2.03.
According to an MS WMI expert quoted here:
"WDM error 4200 means some particular operation wasn't supported by a driver. A particular driver may not support the ioctl sent to it. Binary MOFs for drivers are deleted and replaced when drivers are updated."
(Not sure if it is related to "ERROR_WMI_GUID_NOT_FOUND" decimal 4200 or hexadecimal 0x1068: "The GUID passed was not recognized as valid by a WMI data provider.").

Edited by dirbase - 09 March 2009 at 8:57pm

dirbase (Senior Member) - Posted: 13 March 2009 at 8:43am

A further look, using ProcMon, has shown that the "WDM call returned error: 4200" message in wmiprov.log could be linked to a missing GUID 05901221-D566-11D1-B2F0-00A0C9062910.
This GUID seems related to an on-demand PnP device driver which registers using ID PNP0c14 and performs the ACPI WMI mapping functionality. This ACPI WMI mapping is not installed on the PCs I have tested.  This could explain the error logged in wmiprov.log on each box.

To confirm this, I would appreciate if someone with a PC equipped with this ACPI-WMI mapping functionality (just check if wmiacpi.sys is present in c:\windows\system32\drivers\ directory) could check if the line "WDM call returned error: 4200" is logged in the c:\windows\system32\wbem\logs\wmiprov.log file, in particular 4 minutes after each logon following a bootup (wmi logging has to be set to "error only" -which is the default option- or "verbose").



Edited by dirbase - 13 March 2009 at 3:16pm

molotov (Moderator Group) - Posted: 13 March 2009 at 3:18pm

Hi dirbase,

wmiacpi.sys is present, and the string "4200" does not appear in wmiprov.log. Seems like your explanation is accurate!

Daily affirmation:
net helpmsg 4006

dirbase (Senior Member) - Posted: 13 March 2009 at 3:45pm

Hi molotov,

Thanks very much for testing this. Glad that my assumption could be correct!

edit: molotov has also kindly indicated to me that on a system where wmiacpi has been installed, this GUID is present in two locations in the registry:
i.e., in the key HKLM\SOFTWARE\Microsoft\WBEM\WDM and its sub-key HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE with the same string value:
ACPI\PNP0C14\0_0-{05901221-D566-11d1-B2F0-00A0C9062910}  REG_SZ  LowDateTime:5354xxxxx,HighDateTime:0***Binary mof compiled successfully





Edited by dirbase - 22 March 2009 at 6:32pm
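
The following Python example is added here and is not code from any poster in this thread or from Sysinternals. It parses the timestamp prefix shown in the quoted WMI log lines and separates the messages the thread explains (KB963075, the "User: N/A" SCM events, error 4200 on machines without wmiacpi.sys) from those it leaves open. The function names, the category labels and the `wmiacpi_present` flag are assumptions of the example.

```python
import re
from datetime import datetime

# Prefix seen in the posts: "(Sat Mar 07 12:48:48 2009.65093) : message"; the
# number after the year is kept as an opaque counter.
LINE_RE = re.compile(r"^\s*\((\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4})\.(\d+)\)\s*:\s*(.*\S)\s*$")
# Messages the thread accounts for, with the reason given there.
EXPLAINED = {"GetUserDefaultLCID failed": "KB963075: may be ignored",
             "could not retrieve sid, 0x80041002": "SCM event with User: N/A"}
WDM_4200 = "WDM call returned error: 4200"
# Verbose-mode progress lines that do not report a failure.
INFO_RE = re.compile(r"^(Instance Provider constructed|Successfully Registered for Mof Events"
                     r"|End of processing Binary MOFS|BinaryMofsHaveChanged returned FALSE:"
                     r"|NCProv: NCMSG_PREPPED_EVENT index \d+|\*+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    return (datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y"), int(m[2]), m[3]) if m else None

def classify(msg, wmiacpi_present):
    if INFO_RE.match(msg):
        return "info", ""
    for needle, reason in EXPLAINED.items():
        if needle in msg:
            return "explained", reason
    # The thread ties 4200 to a missing wmiacpi.sys; with the driver present, review it.
    if WDM_4200 in msg and not wmiacpi_present:
        return "explained", "wmiacpi.sys not installed"
    return "review", ""

def triage(lines, wmiacpi_present=False):
    out = {"info": [], "explained": [], "review": [], "unparsed": []}
    for line in filter(str.strip, lines):
        parsed = parse_line(line)
        if parsed is None:
            out["unparsed"].append(line.strip())
        else:
            kind, reason = classify(parsed[2], wmiacpi_present)
            out[kind].append((parsed[0], parsed[2], reason))
    return out

# Sample lines copied from the posts above; the last has no timestamp prefix.
SAMPLE = """\
(Sat Mar 07 12:48:48 2009.65234) : WDM call returned error: 4200
 (Sat Mar 07 12:52:33 2009.290078) : BinaryMofsHaveChanged returned FALSE:
(Sat Mar 07 12:56:09 2009.505843) : Impersonation failed - Access denied
(Tue Mar 03 17:12:03 2009.262881796) : NT Event Log Consumer: could not retrieve sid, 0x80041002
BinaryMofEventChanged returned FALSE:
""".splitlines()
```

Calling `triage(SAMPLE)` leaves only the "Impersonation failed - Access denied" line under "review"; with `wmiacpi_present=True` the 4200 line joins it, because the explanation given in the thread no longer applies.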