Event ID: 333 Source: Application Popup

An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in or write out or flush one of the files that contain the system's image of the Registry.
I had this problem on some server on a LUN network when the storage was moved to another site. To solve this, I removed the iSCSI parameters and the volume mount point device, and after that I rebooted the system. When the system came back, I reconfigured iSCSI and re-scanned the device volume.
Had this event on dozens of W2K3 SP2. Turned out to be caused by a service that allocated handles without properly releasing them. After a couple of days uptime other services crashed and event id 333 was written to the system log twice a minute.

In our case the culprit was gpamon.exe (Beta 48 Tracker) from Beta Systems.

To find the process causing the problem, enable the Handle Count column in Task Manager (Processes tab) and check the process(es) with the highest number(s). If you cannot log on to the server anymore, try pslist \\servername (from Sysinternals, now part of Microsoft).

On W2K8R2 the same problem didn't cause event id 333 but event id 51 ("An error was detected on device \Device\Harddisk0\DR0 during a paging operation"), by the way.
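
One way to script the handle-count check described in the comment above, as an added example that is not part of the original comments. It goes one step further than a single snapshot by sampling twice and ranking processes by handle growth, which is what distinguishes a leak from a process that is merely handle-heavy; the function name `Get-HandleGrowth` and its parameters are assumptions made for this illustration.

```powershell
# Added example (hypothetical helper, not from the original page):
# take two samples of per-process handle counts and rank by growth.
function Get-HandleGrowth {
    param(
        [int]$IntervalSeconds = 300,  # time between the two samples
        [int]$Top = 10                # number of processes to report
    )

    # First sample. Key on PID plus name so a recycled PID that now
    # belongs to a different executable is not compared with the old one.
    $before = @{}
    Get-Process | ForEach-Object {
        $before["$($_.Id):$($_.ProcessName)"] = $_.HandleCount
    }

    Start-Sleep -Seconds $IntervalSeconds

    # Second sample. Only processes present in both samples are compared.
    Get-Process | ForEach-Object {
        $key = "$($_.Id):$($_.ProcessName)"
        if ($before.ContainsKey($key)) {
            New-Object PSObject -Property @{
                Name    = $_.ProcessName
                Id      = $_.Id
                Handles = $_.HandleCount
                Growth  = $_.HandleCount - $before[$key]
            }
        }
    } |
        Sort-Object Growth -Descending |
        Select-Object -First $Top Name, Id, Handles, Growth
}

# A process whose Growth stays positive across repeated runs is the
# candidate for a handle leak; a high but flat Handles value is not.
Get-HandleGrowth -IntervalSeconds 300 | Format-Table -AutoSize
```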
I was experiencing this error with increasing frequency on Server 2003 SP2. Solved it with a free tool, Free Registry Defrag (see EV100296). It makes sense since the error refers to an I/O error writing to the registry. The tool said it would compact the registry by 76% after running a scan; I have experienced no errors since running it.
In my case, Symantec Antivirus Corporate causes this error on Windows Server 2003 Standard SP2. Tried all the solutions I googled, but got the same error again after rebooting. Uninstalling with NoNav and rebooting solved it.
The /3GB switch caused the problem on a customer's server. Event ID 333 suddenly appeared after installing the updates from 15-03-2010. The server was running Windows 2003 Enterprise with 2 GB of RAM, so no need for the /3GB switch there. The EV100035 article was also helpful.

The Non Paged Memory or the Paged Pool Memory may be temporarily insufficient. See EV100036 and ME970054 for information about troubleshooting this event (apparently, quite infamous).
If this is happening on HP hardware running Windows Server 2003 try the HP Document ID: emr_na-c01682687-1 - see the link in the Links section (you need to register in order to access it, but the registration is free).
This issue may occur when the Non Paged Memory or the Paged Pool Memory is temporarily insufficient. A hotfix is available for Windows Server 2003, see ME970054 for details.
In my case, I was running a Win2k3 Terminal Server and got this error every 5 seconds in my event log. I rebooted the server a few times and the message would go away for a while, but eventually would come back.

Contacted Microsoft and they had me install 5 hotfixes: ME948496, ME953490, ME955280, ME959608 and ME967327. So far the problem is fixed.
For me the problem was solved after removing the /3GB option from boot.ini in a cluster environment of HP DL380 G4 servers running Windows 2003 SP2 x86. In a non-cluster environment I had no problem with the /3GB option.
I got this together with event id 8193 from VSS. I resolved it by using Symantec Document ID 302192.
As per Microsoft: "This problem may occur when the Single Instance Storage driver (Sis.sys) leaks the NtFC nonpaged pool memory while the driver processes an alternative stream. This alternative stream may be generated by a third-party program". See ME950310 for a hotfix applicable to Microsoft Windows Server 2003.
I worked with Microsoft support on this issue and they suggested that I should run the following steps.
1. Open MSCONFIG (Start -> Run -> type msconfig and press Enter).
2. On the Services tab, check the box “Hide All Microsoft Services”.
3. Disable all the remaining services.
4. Reboot the system.
5. Check if this resolved the issue.
6. If it did resolve the issue, browse through the disabled services and bring them back online one at a time to see which one was causing the issue.
For me I was able to fix this issue with Affinity I/O changes. SQL 2005 runs its own and so does Windows. According to Microsoft, you cannot run them at the same time as this causes "unpredictable" issues. See the link to “Affinity I/O mask option” for details on this issue.

From a newsgroup post: "Based on my investigations, this error usually indicates some sort of disk issue. It could be a disk hardware issue or it could occasionally be low resources, often memory. In general, something is preventing the system from writing to disk or the registry hive files are corrupt. With the information I have, I would like to suggest the following to narrow down the issue:
1. Install hotfix ME898060. It was reported that this problem might occur when the version of TCPIP.SYS is 5.2.3790.1830. If your system has this file version, please install hotfix ME898060, which contains the TCPIP.SYS of version 5.2.3790.2453. After installing the hotfix, please test this problem again.
2. Check the disk. To ensure that the disk is working properly, run the "chkdsk /r" command to check the disk that the user registry hive is located on.
3. Clean Boot. Some antivirus and backup applications can monitor the system at a very low level and are likely to damage the system files. In addition, as far as I know, Norton has a function to clean the registry. This function may also cause problems in the registry. Please temporarily uninstall your Anti-Virus application to test this issue. Please perform a clean boot on SBS as follows:
a. Click Start, click Run, and then in the Open box, type "MSCONFIG" (without the quotation marks). Click OK.
b. In the System Configuration Utility (MSConfig) window, click to select the Selective Startup button.
c. Click to clear the check mark from "Load startup items" below Selective Startup.
d. Click the Services tab, check the "Hide All Microsoft Services" box, and remove all the check marks from the remaining non-Microsoft services. Please note that the Exchange services could be marked as non-Microsoft. Please do not disable those services.
e. Click OK to close the MSConfig window. Click Yes when you are asked to restart your computer in order to enable the changes.
f. After restarting, please check whether this issue will reoccur".

From a newsgroup post: "This problem occurred on our Win2K3 servers running IIS. User profiles would not load, and IIS authentication (required on our site) failed. The problem required many hours on tech support calls to fix. It seems that the installation of SP2 pushed the registry size beyond some unknown limit. After booting to floppy, we were able to snag the software hive. Microsoft provided a registry clean and a registry compression utility, which brought it down to less than one-third of the original size. This fix got rid of the errors and put us back in normal operation. Look at the size of the HKLM Software hive".

See the link to "ChicagoTech - Troubleshooting Event ID 333" for additional information on this event.
In my case, this problem was fixed when I did some performance troubleshooting on SQL Server. So, if SQL is fully installed, check the following: Open Enterprise Manager -> Microsoft SQL Servers -> Microsoft SQL Server Group -> Instance Name -> Properties -> Memory Tab. The default settings are:
"Dynamically configure SQL Server memory": slider set to ZERO
"Minimum Query Memory (KB)": 1024
"Reserve physical memory for SQL Server": unchecked
"Configured Values" (at the bottom): selected.
After applying these settings, reboot the server.
I had this issue yesterday on our active-active cluster configuration on a NAS system. I got the pop-up every minute on both nodes. Having checked everything available here, I verified with the backup team whether any changes had been made. Since last night, they had been trying snapshot functionality on the NAS system (Clarion X300). This seemed to have an impact on our cluster (used as a file server). A new LUN was created with a new volume for the backup system; it was not set up right and caused the error. I had them remove the LUN and volume created earlier, then restarted the nodes one after the other. The message went away and has not come back so far.
This happened in a 10 Win2k3 farm with Citrix Presentation Server 4 installed. I found out what was causing it: Symantec Antivirus Corporate Edition 10. The errors went away after I removed it from the servers.
From a newsgroup post: "My problem was that I had disk quotas enabled and a new scheduled task with a new domain account had reached its quota. I had forgotten that we had disk quotas enabled. What seemed to be happening was that the account had "run out" of disk space and could no longer write to the registry, hence the errors. When I changed the quota limit for the account, the event log messages went away".
This instance occurred after a power fault on a W2K3/SP1 server. Everything seems to be ok with the HDDs. In the start-up phase the server stops while "Applying computer settings" reasonably unable to load registry entries. Uninstalling SP1 fixes the problem.
In my case, the clients were no longer having their local printers mapped on our Terminal Servers running Windows Server 2003 SP1. I then noticed this event in the event log. I bounced the server and all is well. I am not sure if the printer mapping and this event were related but bouncing the server fixed both.
In one case, hundreds of this Event ID appeared on a computer running Windows 2003 SP1. It appeared after "CHKDSK C: /F /S" was run on a computer on which Windows swap file configuration changes had been made.

In another case, this Event ID appeared on a computer running Windows 2003 SP1. It appeared after the D: drive became faulty and an attempt was made to reformat it from Computer Management -> Disk Management. This attempt proceeded extremely slowly, taking several days to reach "5% formatted". Windows became unresponsive even though Windows Manager showed that there was CPU available. This was resolved by removing the D: drive until a replacement became available.
Check out ME898060; it does not describe this problem, but does in fact solve the problem.

Quote from Microsoft Product Support Services:
"The first thing you will need to do is to download the patch in ME898060 and install it on all the servers that have tcpip.sys version 5.2.379.1830. After the patch is installed on the server and a reboot, the tcpip.sys version should be 5.2.3790.2453".
