|
GetUserDefaultLCID failed (solved) |
Post Reply 
|
Page 12> |
| Author |
 Share Topic Printable Version Delicious Digg Facebook Furl Google MySpace Newsvine reddit StumbleUpon Translate Twitter Windows Live Yahoo Bookmarks Topic Search  Topic Options
|
|||||||
dirbase 
Senior Member 
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
 Post Options
 Quote Reply
 Topic: GetUserDefaultLCID failed (solved)Posted: 21 March 2009 at 1:49pm |
|||||||
|
I reproduce below a simplified sequence of calls from OpenWMI to error detection:
wmisvc!CWMIDataBlock::OpenWMI ►wmisvc!CWMIDataBlock::AssignNewHandleAndKeepItIfWMITellsUsTo ►advapi32!WmiOpenBlock ►advapi32!WmipOpenKernelGuid ►advapi32!WmipSendWmiKMRequest ►kernel32!DeviceIoControl ►ntdll!NtDeviceIoControlFile : triggers error 0xC0000295 due to an ioctl (function code = 0x4F, i.e. WmiOpenGuidForQuerySet), to perform Wmi open Guid for query set on Device\WMIDataService, when \wmiguid\ 05901221-D566-11d1-B2F0-00A0C9062910 is not found ►kernel32!BaseSetLastNTError: where the error is translated as error 0x1068 (4200d): ERROR_WMI_GUID_NOT_FOUND ►wmisvc!CWMIDataBlock::MapReturnCode: where return code 4200 is mapped for logging Edited by dirbase - 24 September 2009 at 9:36am |
||||||||
 |
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 17 March 2009 at 1:01am |
|||||||
|
When "WDM call returned error: 4200" occurs, Process Monitor shows the following sequence of events:
"Sequence","Process Name","PID","TID","Operation","Path","Category","Result" 39872,"svchost.exe","1064","2260","RegQueryValue","HKLM\System\CurrentControlSet\Control\WMI\Security\05901221-D566-11D1-B2F0-00A0C9062910","Read","NAME NOT FOUND" 39873,"svchost.exe","1064","2260","RegQueryValue","HKLM\System\CurrentControlSet\Control\WMI\Security\00000000-0000-0000-0000-000000000000","Read","NAME NOT FOUND" 39874,"svchost.exe","1064","2260","RegCloseKey","HKLM\System\CurrentControlSet\Control\WMI\Security","","SUCCESS" 39875,"svchost.exe","1064","2260","CreateFile","C:\WINDOWS\system32\wbem\Logs\wmiprov.log","","SUCCESS" 39876,"svchost.exe","1064","2260","QueryStandardInformationFile","C:\WINDOWS\system32\wbem\Logs\wmiprov.log","Read Metadata","SUCCESS" 39877,"svchost.exe","1064","2260","QueryStandardInformationFile","C:\WINDOWS\system32\wbem\Logs\wmiprov.log","Read Metadata","SUCCESS" 39878,"svchost.exe","1064","2260","QueryNameInformationFile","C:\WINDOWS\system32\wbem\Logs\wmiprov.log","Read Metadata","SUCCESS" 39879,"svchost.exe","1064","2260","WriteFile","C:\WINDOWS\system32\wbem\Logs\wmiprov.log","Write","SUCCESS" In fact, WDM error 4200, aka "GUID not found" seems to originate in event#39875 where the call stack contains the following sequence (already recalled earlier in this thread) 12 wmisvc.dll __Trace::get_logfile + 0x86 0x4f0bf344 13 wmisvc.dll __Trace::Trace + 0x4d 0x4f0bf50c 14 wmisvc.dll ErrorTrace + 0x30 0x4f0bf6de 15 wmisvc.dll CWMIDataBlock::MapReturnCode + 0x22 0x4f0c72aa 16 wmisvc.dll CWMIDataBlock::OpenWMI + 0x8a 0x4f0c7513 17 wmisvc.dll CWMIStandardShell::QueryAndProcessAllBinaryGuidInstances + 0x57 0x4f0c462f 18 wmisvc.dll CWMIBinMof::BinaryMofsHaveChanged + 0x180 0x4f0c38d5 19 wmisvc.dll CMonitorEvents::TimerCallBack + 0x1ba 0x4f0bc218 wmisvc!CWMIStandardShell::QueryAndProcessAllBinaryGuidInstances calls first wmisvc!CWMIProcessClass::GetGuid, which processes the guid string {05901221-D566-11d1-B2F0-00A0C9062910} hardcoded in the wmisvc.dll module. Then it calls wmisvc!CWMIDataBlock::OpenWmi which, on systems where ACPI to WMI mapping is not implemented, triggers error code 1068h i.e. 4200d, ERROR_WMI_GUID_NOT_FOUND. This code is then processed by wmisvc!CWMIDataBlock::MapReturnCode to be logged in wmiprov.log Edited by dirbase - 21 March 2009 at 12:33pm |
||||||||
|
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 14 March 2009 at 11:07pm |
|||||||
|
Here are some more details:
In wmiguid.h from the DDK kit, '05901221-D566-11D1-B2F0-00A0C9062910' is defined as BINARY_MOF_GUID and in wmidata.h as MSWmi_MofDataGuid . In the WMI namespace, MSWmi_MofData is associated with this Guid as shown in this screenshot from wbemtest.exe:  AFAIU, querying an instance of MSWmi_MofData on a box where wmiacpi.sys is not loaded will result in an error. This is what the WMI service appears to do 240 seconds (4 minutes) after it has been started, by launching AutoDiscovery/AutoPurge (ADAP). This delay is defined in the registry under the value HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\ADAPDelay (I have referred to this delay in the posts above, rather approximately, as "4 minutes after logon/bootup"). Also, querying an instance in WMI CIM Studio results in a WDM error 4200 message box (see below);  The same WMI CIM Studio query triggers the following error logging in wmiprov.log: (Sat Mar 14 22:23:57 2009.226266921) : WDM call returned error: 4200 (Sat Mar 14 22:23:57 2009.226266921) : WDM specific return code: 4200 At the same time, Process Monitor reports that the registry value HKLM\System\CurrentControlSet\Control\WMI\Security\05901221-D566-11D1-B2F0-00A0C9062910 cannot be found. All these elements seem to consolidate the explanation on WDM error 4200 given in my post above. In the absence of wmiacpi.sys, as indicated in the WMI and ACPI article, Acpi.sys can only provide the temperature zone information, as illustrated below:  Edited by dirbase - 24 March 2009 at 3:43pm |
||||||||
|
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 13 March 2009 at 3:45pm |
|||||||
|
Hi molotov,
Thanks very much for testing this. Glad that my assumption could be correct!  edit: molotov has also kindly indicated to me that on a system where wmiacpi has been installed, this GUID is present in two locations in the registry: i.e., in the key HKLM\SOFTWARE\Microsoft\WBEM\WDM and its sub-key HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE with the same string value: ACPI\PNP0C14\0_0-{05901221-D566-11d1-B2F0-00A0C9062910} REG_SZ LowDateTime:5354xxxxx,HighDateTime:0***Binary mof compiled successfully Edited by dirbase - 22 March 2009 at 6:32pm |
||||||||
|
||||||||
|
molotov
Moderator Group 
Joined: 04 October 2006 Online Status: Offline Posts: 17492 |
Post Options
Quote Reply
Posted: 13 March 2009 at 3:18pm |
|||||||
|
Hi dirbase,
wmiacpi.sys is present, and the string "4200" does not appear in wmiprov.log. Seems like your explanation is accurate! |
||||||||
|
Daily affirmation:
net helpmsg 4006 |
||||||||
|
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 13 March 2009 at 8:43am |
|||||||
|
A further look, using ProcMon, has shown that the "WDM call returned error: 4200" message in wmiprov.log could be linked to a missing GUID 05901221-D566-11D1-B2F0-00A0C9062910.
This GUID seems related to an on-demand PnP device driver which registers using ID PNP0c14 and performs the ACPI WMI mapping functionality. This ACPI WMI mapping is not installed on the PCs I have tested. This could explain the error logged in wmiprov.log on each box. To confirm this, I would appreciate if someone with a PC equipped with this ACPI-WMI mapping functionality (just check if wmiacpi.sys is present in c:\windows\system32\drivers\ directory) could check if the line "WDM call returned error: 4200" is logged in the c:\windows\system32\wbem\logs\wmiprov.log file, in particular 4 minutes after each logon following a bootup (wmi logging has to be set to "error only" -which is the default option- or "verbose"). Edited by dirbase - 13 March 2009 at 3:16pm |
||||||||
|
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 09 March 2009 at 7:36am |
|||||||
|
Hi Molotov,
Thanks for replying. So the behavior is confirmed with the first opening of ProcMon 2.03. According to an MS WMI expert quoted here: " WDM error 4200 means some particular operation wasn't supported by a driver. A particular driver may not support the ioctl sent to it. Binary MOFs for drivers are deleted and replaced when drivers are updated." (Not sure if it is related to "ERROR_WMI_GUID_NOT_FOUND" decimal 4200 or hexadecimal 0x1068:"The GUID passed was not recognized as valid by a WMI data provider."). Edited by dirbase - 09 March 2009 at 8:57pm |
||||||||
|
||||||||
|
molotov
Moderator Group
Joined: 04 October 2006 Online Status: Offline Posts: 17492 |
Post Options
Quote Reply
Posted: 09 March 2009 at 2:58am |
|||||||
|
Hi dirbase,
On XP SP3, starting Procmon v2.03 the first time results in the following entries in wmiprov.log (verbose logging enabled):
|
||||||||
|
Daily affirmation:
net helpmsg 4006 |
||||||||
|
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 08 March 2009 at 6:28pm |
|||||||
|
Interestingly, launching Process Monitor version 2.0 or higher triggers a familiar logging in wmiprov.log on my XP SP3 box (member of a LAN):
(Sun Mar 08 17:51:40 2009.36593984) : Instance Provider constructed (Sun Mar 08 17:51:40 2009.36594031) : Successfully Registered for Mof Events (Sun Mar 08 17:51:40 2009.36594046) : WDM call returned error: 4200 (Sun Mar 08 17:51:40 2009.36594468) : End of processing Binary MOFS (Sun Mar 08 17:51:40 2009.36594468) : *************************************** (Sun Mar 08 18:13:35 2009.37909546) : Impersonation failed - Access denied This behaviour is not recorded with earlier versions of ProcMon; it is related to the added Network Event Class (filtering out this Event class results in no logging). I would be interested to know if someone using XP SP3/SP2 (with or without LAN) observes the same behavior for ProcMon (version 2.03 is the present version). Edited by dirbase - 08 March 2009 at 6:31pm |
||||||||
|
||||||||
|
dirbase
Senior Member
Joined: 26 March 2008 Online Status: Offline Posts: 439 |
Post Options
Quote Reply
Posted: 07 March 2009 at 9:51pm |
|||||||
|
Turning to
another WMI log file under XP SP2/SP3, wmiprov.log, I have noted that some
of the errors are linked to the settings of the WMI performance adapter service
(wmiapsrv.exe). Right after logon : nothing
exactly 4
minutes after logon about 8 minutes after logon: nothing This table summarizes the situation:
12 wmisvc.dll __Trace::get_logfile + 0x86 0x4f0bf344 Edited by dirbase - 09 March 2009 at 10:46am |
||||||||
|
||||||||
|
Post Reply
|
Page 12> |
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
