I set up a couple Windows 10 1803 Enterprise machines a few months ago and have had ongoing issues with the EventLog service crashing, often daily. The problem stopped on one machine for a couple months, but now it’s back. I opened a support ticket with Microsoft but they let the case languish for several weeks, eventually closing it without suggesting an answer.
Misleading Errors
I run a daily script on these machines to check the event log for some specific events. Trying to track back through some errors…
“There are no more endpoints available from the endpoint mapper”
This is the first error I was getting, when I ran the script:
Get-WinEvent : There are no more endpoints available from the endpoint mapper
At C:\Scripts\MyScript.ps1:283 char:22
+ $StandardEvents += Get-WinEvent -ComputerName $EventLogComputer `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
“The RPC server is unavailable”
Trying to simplify, what happens if I just run Get-WinEvent? Then, “The RPC server is unavailable”:
Get-WinEvent
Get-WinEvent : The RPC server is unavailable
At line:1 char:1
+ Get-WinEvent -ListLog *
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
Note that this happens on the local computer. Most of the advice I found about the RPC server error related to resolving network issues, firewall, etc.
“The data is invalid”
Later, the error changed to “The data is invalid”:
PS C:\> Get-WinEvent
Get-WinEvent : The data is invalid
At line:1 char:1
+ Get-WinEvent
+ ~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
+ FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand
That could in fact be the issue described in this post re. too many logs. At this point, Get-WinEvent -ListLog * was working fine and in fact, my script is working again.
The Cause
It seems that the cause of the first two errors was the crashed Windows Event Log service. I think the service got restarted (by my monitoring tool) before I got the third error. Interestingly, when trying to duplicate later, if I manually stopped the Windows Event Log service and ran Get-WinEvent -ListLog *, it immediately started the service and the command succeeded.
So the interim solution to the first two errors is to restart the crashed Windows Event Log service. Now if only I knew why it was crashing.
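The interim fix described above can be folded into the daily script. The following is an added example, not code from the original post: the function name, parameters and sample filter are hypothetical, and it assumes an elevated session so the service can be started.

```powershell
# Added example, not from the original post. Run elevated: starting the
# EventLog service requires administrative rights.
function Get-WinEventResilient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $FilterHashtable,
        [int] $MaxEvents = 200,
        [int] $StartTimeoutSeconds = 30
    )

    # Two attempts at most: the original query, then one retry after a service start.
    for ($attempt = 1; $attempt -le 2; $attempt++) {
        try {
            return Get-WinEvent -FilterHashtable $FilterHashtable -MaxEvents $MaxEvents -ErrorAction Stop
        }
        catch {
            # Get-WinEvent reports an empty result as an error; treat it as "no events".
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }

            $isEventLogError = $_.Exception -is [System.Diagnostics.Eventing.Reader.EventLogException]
            $svc = Get-Service -Name 'EventLog'

            # Only the stopped-service case is repaired here. Anything else
            # (for example "The data is invalid" while the service is up) is rethrown.
            if (-not $isEventLogError -or $svc.Status -eq 'Running' -or $attempt -eq 2) { throw }

            # Record when the service was found down, together with the original error text.
            Write-Warning ("{0:s} EventLog service is {1} after '{2}'; starting it." -f `
                (Get-Date), $svc.Status, $_.Exception.Message)
            Start-Service -Name 'EventLog' -ErrorAction Stop
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($StartTimeoutSeconds))
        }
    }
}

# Sample call (filter values are constructed for illustration).
Get-WinEventResilient -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1) } |
    Select-Object TimeCreated, Id, ProviderName, Message
```

Each warning line carries a timestamp for a point at which the service was found not running, which marks a window where event collection may have been interrupted.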