Faulting Application Cscript on Windows 2008 DCs
Two of my Windows 2008 Enterprise DCs are both getting Event 1000 errors every 5 minutes in their Application logs.

Type: Error
Source: Application Error
Event ID: 1000
Event Time: 2/10/2011 7:10:37 AM
User: n/a
Computer: CMSAdmin001.cmsprod.da.ocgov.com
Description:
Faulting application name: cscript.exe, version: 5.8.7600.16385, time stamp: 0x4a5bca2a
Faulting module name: ntdll.dll, version: 6.1.7600.16695, time stamp: 0x4cc7b325
Exception code: 0xc00000fd
Fault offset: 0x0000000000004a23
Faulting process id: 0x1cf4
Faulting application start time: 0x01cbc934aabd2ae1
Faulting application path: C:\Windows\system32\cscript.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e9befded-3527-11e0-93b2-00215ad07292

They both have SCOM 2007 R2 CU4 agents installed. I've stopped the HealthService on one for 10 minutes and the errors go away. Has anyone seen this behavior before? My guess is that it's a Windows 2008 issue, perhaps a memory leak maybe?
Orange County District Attorney
February 10th, 2011 10:26am

Well, the health service will run monitoringhosts which in turn will run scripts by launching CSCRIPT.exe. Has the allow scripting policy been changed on those computers recently?
Microsoft Corporation
February 10th, 2011 11:44am

No, it doesn't look like we have changed any policies on these servers. They are in a child domain, that's the only difference for us.
Orange County District Attorney
February 10th, 2011 12:53pm

Hi,
Please try clearing the HealthService queue on the server and see how it works:
1. Stop System Center Management service.
2. Go to C:\Program Files\System Center Operations Manager 2007\, and rename the “Health Service State” folder.
3. Restart System Center Management service.
Hope this helps.
Thanks.
Nicholas Li - MSFT
February 14th, 2011 8:28pm

Thanks for the suggestions Nicholas. I cleared the HealthService queue as you suggested however I'm still getting the errors. Also, after every error a Windows Error Report is generated too. Perhaps SP1 soon to be released might offer a fix.
Orange County District Attorney
February 15th, 2011 10:44am

Any solution for this problem related with AD Management pack (Windows Server 2008 R2 SP1 x64)?

Log Name: Application
Source: Application Error
Date: 9/28/2011 8:15:11 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: xxx.xxx.xxx.com
Description:
Faulting application name: cscript.exe, version: 5.8.7600.16385, time stamp: 0x4a5bca2a
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9
Exception code: 0xc00000fd
Fault offset: 0x0000000000053560
Faulting process id: 0x288
Faulting application start time: 0x01cc7e0a8fa5172f
Faulting application path: C:\Windows\system32\cscript.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: cd860055-e9fd-11e0-aeb9-00199917bda5

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-09-28T18:15:11.000000000Z" />
    <EventRecordID>114341</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DCDUNAV02.internal.dunav.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>cscript.exe</Data>
    <Data>5.8.7600.16385</Data>
    <Data>4a5bca2a</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7601.17514</Data>
    <Data>4ce7c8f9</Data>
    <Data>c00000fd</Data>
    <Data>0000000000053560</Data>
    <Data>288</Data>
    <Data>01cc7e0a8fa5172f</Data>
    <Data>C:\Windows\system32\cscript.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>cd860055-e9fd-11e0-aeb9-00199917bda5</Data>
  </EventData>
</Event>
September 28th, 2011 2:26pm

Having a crash dump, you are able to identify the cscript.exe arguments (WinDBG/IDA) and therefore identify the exact SCOM vbs/js name. Then you will be able to run the same script line by line, finding the crashing place. Most likely the issue is related to some COM component which is created through a CreateObject() invocation. Try to find where your crash dump is located and if possible share it. Maybe someone will be able to help.
September 28th, 2011 4:21pm

Do you have a step-by-step procedure for how to do that? Tools? I have used Process Monitor, regarding this article http://blogs.technet.com/b/smsandmom/archive/2008/12/10/opsmgr-2007-how-to-identify-what-scripts-are-running-on-the-agents-including-frequency-and-parameters.aspx but all cscript.exe processes show me SUCCESS. I cannot locate the problematic script. Do you have any suggestions?
September 29th, 2011 1:43am

Check if you have crash dumps of cscript.exe here:
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER
C:\ProgramData\Microsoft\Windows\WER
If not, enable Error Reporting in ServiceManager>StartPage>ResourcesAndSupport or simply change the registry:
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ DWORD Disabled =0
and, having the mdmp file, use WinDBG to get the process arguments,
September 29th, 2011 7:02am

I have event points on this C:\ProgramData\Microsoft\Windows\WER ...Report.wer
I cannot see from this report what is causing the problem.

Version=1
EventType=APPCRASH
EventTime=129617071205156410
ReportType=2
Consent=1
ReportIdentifier=5ba0c8da-e9fd-11e0-aeb9-00199917bda5
IntegratorReportIdentifier=5ba0c8d9-e9fd-11e0-aeb9-00199917bda5
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=cscript.exe
Sig[1].Name=Application Version
Sig[1].Value=5.8.7600.16385
Sig[2].Name=Application Timestamp
Sig[2].Value=4a5bca2a
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.1.7601.17514
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4ce7c8f9
Sig[6].Name=Exception Code
Sig[6].Value=c00000fd
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000053560
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=12a9
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=12a916a0b6b7b4801583f9091703375b
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=cee4
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=cee411bbc812729f97eef1399c58d532
UI[2]=C:\Windows\system32\cscript.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Microsoft ® Console Based Script Host stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Windows\system32\cscript.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\system32\kernel32.dll
LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\system32\msvcrt.dll
LoadedModule[5]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[6]=C:\Windows\system32\ole32.dll
LoadedModule[7]=C:\Windows\system32\GDI32.dll
LoadedModule[8]=C:\Windows\system32\USER32.dll
LoadedModule[9]=C:\Windows\system32\LPK.dll
LoadedModule[10]=C:\Windows\system32\USP10.dll
LoadedModule[11]=C:\Windows\system32\RPCRT4.dll
LoadedModule[12]=C:\Windows\system32\VERSION.dll
LoadedModule[13]=C:\Windows\system32\ADVAPI32.dll
LoadedModule[14]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[15]=C:\Windows\system32\IMM32.DLL
LoadedModule[16]=C:\Windows\system32\MSCTF.dll
LoadedModule[17]=C:\Windows\system32\CRYPTBASE.dll
LoadedModule[18]=C:\Windows\system32\SXS.DLL
LoadedModule[19]=C:\Windows\system32\CLBCatQ.DLL
LoadedModule[20]=C:\Windows\system32\vbscript.dll
LoadedModule[21]=C:\Windows\system32\WINTRUST.dll
LoadedModule[22]=C:\Windows\system32\CRYPT32.dll
LoadedModule[23]=C:\Windows\system32\MSASN1.dll
LoadedModule[24]=C:\Windows\system32\CRYPTSP.dll
LoadedModule[25]=C:\Windows\system32\rsaenh.dll
LoadedModule[26]=C:\Windows\system32\MSISIP.DLL
LoadedModule[27]=C:\Windows\system32\wshext.dll
LoadedModule[28]=C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\COMCTL32.dll
LoadedModule[29]=C:\Windows\system32\COMDLG32.dll
LoadedModule[30]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[31]=C:\Windows\system32\SHELL32.dll
LoadedModule[32]=C:\Windows\system32\scrobj.dll
LoadedModule[33]=C:\Windows\system32\mlang.dll
LoadedModule[34]=C:\Program Files\System Center Operations Manager 2007\MOMScriptAPI.dll
LoadedModule[35]=C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
LoadedModule[36]=C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCP90.dll
LoadedModule[37]=C:\Program Files\System Center Operations Manager 2007\HealthServiceRuntime.dll
LoadedModule[38]=C:\Windows\system32\ESENT.dll
LoadedModule[39]=C:\Windows\system32\psapi.dll
LoadedModule[40]=C:\Program Files\Common Files\Active Directory Management Pack Objects\oomads.dll
LoadedModule[41]=C:\Windows\system32\NETAPI32.dll
LoadedModule[42]=C:\Windows\system32\netutils.dll
LoadedModule[43]=C:\Windows\system32\srvcli.dll
LoadedModule[44]=C:\Windows\system32\wkscli.dll
LoadedModule[45]=C:\Windows\system32\DSROLE.DLL
LoadedModule[46]=C:\Windows\system32\LOGONCLI.DLL
LoadedModule[47]=C:\Windows\system32\WSOCK32.dll
LoadedModule[48]=C:\Windows\system32\WS2_32.dll
LoadedModule[49]=C:\Windows\system32\NSI.dll
LoadedModule[50]=C:\Windows\system32\ACTIVEDS.dll
LoadedModule[51]=C:\Windows\system32\adsldpc.dll
LoadedModule[52]=C:\Windows\system32\WLDAP32.dll
LoadedModule[53]=C:\Windows\system32\ATL.DLL
LoadedModule[54]=C:\Windows\system32\NTDSAPI.dll
LoadedModule[55]=C:\Windows\system32\adsldp.dll
LoadedModule[56]=C:\Windows\system32\mswsock.dll
LoadedModule[57]=C:\Windows\System32\wshtcpip.dll
LoadedModule[58]=C:\Windows\system32\SECUR32.DLL
LoadedModule[59]=C:\Windows\system32\SSPICLI.DLL
LoadedModule[60]=C:\Windows\system32\credssp.dll
LoadedModule[61]=C:\Windows\system32\pwdssp.dll
LoadedModule[62]=C:\Windows\System32\wship6.dll
LoadedModule[63]=C:\Windows\system32\DNSAPI.dll
LoadedModule[64]=C:\Windows\system32\IPHLPAPI.DLL
LoadedModule[65]=C:\Windows\system32\WINNSI.DLL
LoadedModule[66]=C:\Windows\system32\rasadhlp.dll
LoadedModule[67]=C:\Windows\System32\fwpuclnt.dll
LoadedModule[68]=C:\Windows\system32\kerberos.DLL
LoadedModule[69]=C:\Windows\system32\cryptdll.dll
LoadedModule[70]=C:\Windows\system32\bcrypt.dll
LoadedModule[71]=C:\Windows\system32\bcryptprimitives.dll
LoadedModule[72]=C:\Windows\system32\wshom.ocx
LoadedModule[73]=C:\Windows\system32\MPR.dll
LoadedModule[74]=C:\Windows\system32\ScrRun.dll
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Microsoft ® Console Based Script Host
AppPath=C:\Windows\system32\cscript.exe
September 29th, 2011 9:31am

You need to find the binary file with extension mdb/mdmp. As for the text report, the crashed script is exactly related to the AD MP (not Windows OS MP, not cluster MP, etc.) as the oomads.dll module was loaded. You may go further with crash dump analysis or simply check all AD scripts (not many) one by one, manually running them.
September 29th, 2011 10:40am
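
The triage step described in the reply above (reading a Report.wer and spotting modules such as oomads.dll that were not loaded from the Windows directory) can be scripted. This is an added example, not code from the thread or from SCOM: the function name, the `C:\Windows` default and the abridged sample lines are assumptions, with the sample copied from the report posted earlier.

```powershell
# Added example: summarize a WER Report.wer and list modules loaded from
# outside the Windows directory, which point at the product that ran the script.
function Get-WerCrashSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$SystemRoot = 'C:\Windows'   # assumption: default Windows directory
    )
    # Two well-known NTSTATUS values; anything else is reported as 'unknown'.
    $known = @{ 'c00000fd' = 'STATUS_STACK_OVERFLOW'; 'c0000005' = 'STATUS_ACCESS_VIOLATION' }
    $names = @{}; $sig = @{}; $modules = @()
    foreach ($line in $Lines) {
        if ($line -match '^Sig\[(\d+)\]\.Name=(.*)$') {
            $names[$Matches[1]] = $Matches[2]
        } elseif ($line -match '^Sig\[(\d+)\]\.Value=(.*)$') {
            $n = $names[$Matches[1]]          # pair each value with its Sig[n].Name
            if ($n) { $sig[$n] = $Matches[2] }
        } elseif ($line -match '^LoadedModule\[\d+\]=(.*)$') {
            $modules += $Matches[1]
        }
    }
    $code = [string]$sig['Exception Code']
    $meaning = if ($known.ContainsKey($code)) { $known[$code] } else { 'unknown' }
    [pscustomobject]@{
        Application      = $sig['Application Name']
        FaultModule      = $sig['Fault Module Name']
        ExceptionCode    = $code
        ExceptionMeaning = $meaning
        NonSystemModules = @($modules | Where-Object { $_ -notlike "$SystemRoot\*" })
    }
}

# Sample input: lines abridged from the Report.wer posted in this thread.
$sample = @(
    'Sig[0].Name=Application Name', 'Sig[0].Value=cscript.exe',
    'Sig[3].Name=Fault Module Name', 'Sig[3].Value=ntdll.dll',
    'Sig[6].Name=Exception Code', 'Sig[6].Value=c00000fd',
    'LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll',
    'LoadedModule[20]=C:\Windows\system32\vbscript.dll',
    'LoadedModule[34]=C:\Program Files\System Center Operations Manager 2007\MOMScriptAPI.dll',
    'LoadedModule[40]=C:\Program Files\Common Files\Active Directory Management Pack Objects\oomads.dll'
)
Get-WerCrashSummary -Lines $sample | Format-List

# On a live system, feed it the reports under the WER folder named in the thread:
# Get-ChildItem 'C:\ProgramData\Microsoft\Windows\WER' -Recurse -Filter Report.wer |
#   ForEach-Object { Get-WerCrashSummary -Lines (Get-Content -LiteralPath $_.FullName) }
```

Exception code c00000fd is the NTSTATUS value STATUS_STACK_OVERFLOW, so the report already narrows the fault to stack exhaustion inside the script host.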

BTW, are you using the latest AD MP available?
September 29th, 2011 10:41am

Yes I do. I am more concerned about "What I should do when I locate problematic script". Thanks Pavel
September 30th, 2011 2:21am

I think this is the AD_General_Response.vbs script, because I have this problem too.
December 30th, 2011 1:52am

I have the same problem and I found a solution. First of all, this event is generated by AD_General_Response.vbs. Analyzing this script, I found that it reads and writes the keys ErrorCount and ErrorDescription in the registry under the path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Modules\{2839A786-E42E-0761-1278-85974BA2C2F3}\S-1-5-18\Script\AD Management Pack\AD General Response
The value of ErrorCount was 12249 and ErrorDescription was a very long string with unprintable symbols inside it. After ErrorCount and ErrorDescription were cleared, the problem was solved. It's very strange and seems to me like a stack or buffer overflow.
September 12th, 2012 12:41pm
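
A read-only check for the condition described in the post above (an oversized ErrorDescription with unprintable characters in the script's state key), as an added example that is not part of the thread or of the AD Management Pack. The function names and the 4096-character threshold are assumptions; the registry path and value names are the ones quoted in the post, and the GUID may differ on other agents.

```powershell
# Added example: flag persisted script state that looks corrupted.
function Test-ScriptStateValue {
    param(
        [int]$ErrorCount,
        [string]$ErrorDescription,
        [int]$MaxLength = 4096      # assumed threshold, not a value from the thread
    )
    # Counts anything outside printable ASCII, tab, CR and LF; loosen this for
    # localized error text, which may legitimately contain non-ASCII characters.
    $bad = [regex]::Matches($ErrorDescription, '[^\x20-\x7E\r\n\t]').Count
    [pscustomobject]@{
        ErrorCount        = $ErrorCount
        DescriptionLength = $ErrorDescription.Length
        NonPrintable      = $bad
        Suspect           = ($ErrorDescription.Length -gt $MaxLength) -or ($bad -gt 0)
    }
}

function Get-AdGeneralResponseState {
    param(
        # Path as quoted in the thread; the module GUID is taken from that post.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Modules\{2839A786-E42E-0761-1278-85974BA2C2F3}\S-1-5-18\Script\AD Management Pack\AD General Response'
    )
    # -LiteralPath keeps the braces in the GUID from being treated as wildcards.
    $p = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction Stop
    Test-ScriptStateValue -ErrorCount $p.ErrorCount -ErrorDescription ([string]$p.ErrorDescription)
}

# Constructed sample: the count is the one reported in the thread, the
# description is built here to imitate "very long with unprintable symbols".
$sampleDescription = ('A' * 5000) + [char]0x01 + [char]0x07
Test-ScriptStateValue -ErrorCount 12249 -ErrorDescription $sampleDescription

# On an affected domain controller, run elevated:
# Get-AdGeneralResponseState
```

Exporting the key (for example with `reg export`) before clearing the two values keeps a copy of the corrupted state for later analysis.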


This topic is archived. No further replies will be accepted.
