How to Check for Running processes in Event Viewer

Started by Jeff Zylstra, February 07, 2017, 09:54:38 AM



Jeff Zylstra

I'm hopeful that someone here can help me.  I have an issue with our Acronis Backup software not completing backups before the day begins.  It gets hung up at 50% or so, and stops many of the services from running as a result.  Important things like DHCP and the like, not to mention locking files.  If it would just finish that would be one thing, but it never finishes all day long, and I need to reboot the server sometimes.

I need a way for the server to text and/or email my phone at 7:00 AM if it is not finished by then.  That way, I can remotely log in, and force the server to reboot using the shutdown /r command.  I would like to either use task manager to run this at 7:00 AM, or use event viewer to check and see if the backup process is resident in memory at that time, and then have either one send a text and/or email to let me know I need to log in and reboot. 

I know I have to find the reason that this happens, but I'm going on vacation tomorrow and I am looking for a quick fix for right now.  It only does this once a month, but it's debilitating when it happens as no one can handle it in my absence.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Sounds like a job for EventTriggers Man!

Or just eventtriggers.  8) https://technet.microsoft.com/en-us/library/bb490901.aspx

In order to do something based off an event, you'll need to check the logs and find an event that you can use to "watch for".  Otherwise I think I have an old VBS script that checks for running processes and does an action based on what you're looking to do. (reboot, email etc).  Automatically rebooting a server kind of tastes funny, especially when you are on vacation, so you might just want it to send you an email/text.

Another option I just thought of after typing all that: I'm stuck with a really crappy piece of software that crashes all the time. So I have a batch script that checks if a service is running and starts it if it is not.  This should be able to do the trick as well if you can look at services to get your information.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

It's actually a process that runs and is visible in Windows task manager.  Unfortunately, choosing "end process" seems to have little or no effect on it.  The only thing that it responds to is restarting the server.   That said, I would not want to just automatically restart the server.  I would definitely want to check running open files and shares before I rebooted the server.  I don't need data corruption on top of the already lost time and aggravation!   

I did check out event triggers, but as I understand them, they need an event to happen before they can look for that event.  I looked at the event logs and don't see any events that are triggered as a result. 

Scratch that.  I just logged in and found 48 THOUSAND "event 51" errors in the System Event Viewer Log.  The timestamps are all within a minute of each other.  No wonder the system froze.  It said Event ID 51: "An error was detected on device \Device\Harddisk3\DR1067 during a paging operation.".   Thankfully, Harddisk3 is a USB drive that I copy backups to. 

Unfortunately, I've had this before and have never been able to fix it.  I've never had this many, however, and not in this short time span.  I've tried cleaning out the USB plug and play history, and there is no BIOS or firmware to update on the drives.  It doesn't seem to be any specific manufacturer or model.  It's an equal opportunity abuser.   

The Acronis Backup and Recovery 10 error log shows this below, which dovetails with the fact that computers can't pull an IP address from the server's DHCP server when they try to boot up.  That means no network drives, and no internet, which makes perfect sense.  I'm not sure if Event 51 is the cause of all of this or just a symptom.   Can Event Notifications show multiple event triggers in a certain amount of time?  This event 51 would work for that, but it only showed up from 8:31 AM to 8:32 AM, with 48,000 event notifications!  All ideas are welcome.


--------------------------------------------------------
Acronis Log Entry Details
------------------------------------------------------------------------------------------------------------------------------
Type:          Error
Date and time: 2/7/2017 1:43:17 AM
Backup plan:   [None]
Task:          [None]
Code:          5,242,881(0x500001)
Module:        80
Owner:         Acronis84E094CDC5A01
Message:       
  Failed to retrieve parameter 'Windows name'.
Additional info:
--------------------
Error code: 1
Module: 80
LineInfo: 6ddb03e02a4503c4
Fields:  $module : C:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
Message: Failed to retrieve parameter 'Windows name'.
--------------------
Error code: 1006
Module: 20
LineInfo: c523d9a02d03d484
Fields:
Message: Failed to enumerate the WMI class object.
--------------------
Error code: 65520
Module: 0
LineInfo: bd28fdbd64edb8c1
Fields:  code : 2148007941
Message: Server execution failed
--------------------
Acronis Knowledge Base: http://kb.acronis.com/errorcode/

Event code: 0x00500001+0x001403EE+0x0000FFF0+0x80080005


Thanks, Mark!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

It might be possible that those 48,000 events in such a small window create some type of internal denial of service causing other issues, but I can't tell you that for sure.

You could do something like if x service is still running at y time in the morning, send a text alert (email to SMS).  However, you'll need internet to do so.

Or, on the first instance of that error 51, send an alert, but I guess that may depend on whether the first sign of a 51 in your event log is when you want to be notified.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security
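The two checks Mark describes (is the backup process still resident at a set time of day, and did Event ID 51 fire in a burst inside a short window) can be combined into one scheduled script. The following PowerShell is an added example and is not code from either poster or from Acronis; the process name mms (taken from the mms.exe path in the Acronis log above), the 5-minute look-back window, the burst threshold of 100 and the SMTP/email-to-SMS addresses are assumptions, and the placeholders must be replaced before use. It assumes Windows Server 2008 or later, where Get-WinEvent can query the System log.

```powershell
# Added example (not from the thread): check whether the backup process is still
# resident after the cutoff time, count recent Event ID 51 entries in the System
# log, and send an email-to-SMS alert if either condition is met.
param(
    [string]$ProcessName    = 'mms',                    # assumption: Acronis agent mms.exe, from the log in the thread
    [int]   $EventId        = 51,                       # "An error was detected on device ... during a paging operation."
    [int]   $WindowMinutes  = 5,                        # look-back window for the burst check (assumption)
    [int]   $BurstThreshold = 100,                      # alert above this many events in the window (assumption)
    [string]$SmtpServer     = 'smtp.example.invalid',   # placeholder: your mail relay
    [string]$From           = 'server@example.invalid', # placeholder
    [string]$To             = '5555551234@sms.example.invalid' # placeholder: carrier email-to-SMS gateway
)

$alerts = @()

# 1. Is the backup process still running? Get-Process writes an error when nothing
#    matches, so suppress that and treat an empty result as "not running".
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($proc) {
    $oldest = ($proc | Sort-Object StartTime | Select-Object -First 1).StartTime
    $alerts += "$ProcessName.exe still running (PID $($proc.Id -join ','), started $oldest)."
}

# 2. How many Event ID 51 entries landed in the System log during the look-back window?
#    Get-WinEvent returns newest first, so the last item in the list is the earliest hit.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $EventId; StartTime = $since } `
             -ErrorAction SilentlyContinue)
$count  = $events.Count
if ($count -gt $BurstThreshold) {
    $first = $events[-1].TimeCreated
    $last  = $events[0].TimeCreated
    $alerts += "$count x Event ID $EventId in System log between $first and $last."
}

# 3. Only send mail when something is wrong, and keep the body short for an SMS gateway.
if ($alerts.Count -gt 0) {
    $body = $alerts -join "`n"
    Write-Output $body
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "$env:COMPUTERNAME backup check" -Body $body
    exit 1
}

Write-Output "OK: $ProcessName not running; $count Event ID $EventId entries in the last $WindowMinutes minutes."
exit 0
```

Save it as, for example, C:\Scripts\Check-Backup.ps1 (assumed path) and register it for the 7:00 AM check with schtasks /create /sc daily /st 07:00 /tn "Backup check" /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-Backup.ps1", running as an account that can read the System log and see the process. The script deliberately only notifies; as Mark says, rebooting automatically while nobody can check open files and shares is the riskier option, and the non-zero exit code lets the task's history show when an alert was raised.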

Jeff Zylstra

Quote from: Mark on February 07, 2017, 01:06:34 PM
It might be possible that those 48,000 events in such a small window create some type of internal denial of service causing other issues, but I can't tell you that for sure.

You could do something like if x service is still running at y time in the morning, send a text alert (email to SMS).  However, you'll need internet to do so.

Or, on the first instance of that error 51, send an alert, but I guess that may depend on whether the first sign of a 51 in your event log is when you want to be notified.

I think you are right that it has the same effect as a DoS attack, but of course, it never registers as such with anti-virus or firewalls.  I believe that the server itself is still functional and has network and internet service since I can log into it via RDP.  It's just those machines that use DHCP that have a problem. 

I already have an event viewer trigger that looks for this very error.  Usually, just unplugging and replugging the USB drive "fixes" the problem temporarily.  I didn't know it was possible to have the event viewer triggers look for the existence of a running process at a certain time of day.  I guess I'll have to check into how that would work. 

I've never had this issue this bad before, but this is ridiculous.  I'll have to dig into this and maybe hire a pro to look at it when I get back from vacation.  Thanks, Mark.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Maybe all you need to do is restart your DHCP service at a certain time of day.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security