Event forwarding not displaying full message
Hi
I've set up event forwarding and it's great but some messages do not display the full description. The collector is Server 2008 R2 SP1 and the clients are Windows XP SP3
This seems to be quite a common issue and I've read the following article
http://social.technet.microsoft.com/Forums/en/winserverManagement/thread/7c652d50-0440-4b40-8b5d-0f96d96ea239
and implemented the solutions.
So as an example for a forwarded event from userenv the description is
The description for Event ID 1041 from source Userenv cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
{7B849a69-220F-451E-B3FE-2CB811AF94AE}
If I look in the registry the following key exists
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv and points to userenv.dll in the system32 folder which also exists.
I've also changed the format to Events but I still don't get the full description. The userenv.dll is a different version on the client and server so I copied the dll from the client to the server and pointed the registry entry at it and rebooted but still no joy.
Any suggestions?
May 8th, 2012 6:03am
Hi,
I suggest you go to MSDN forum for better support, hope this helps.
http://social.msdn.microsoft.com/Forums/en-US/category/windowsdesktopdev
In addition, please check the event forwarding configuration, some Microsoft materials for your reference.
Configure Computers to Forward and Collect Events
http://technet.microsoft.com/en-us/library/cc748890.aspx
Forwarding Security Events from Windows XP, Server 2003, and Vista/Server 2008
http://blogs.technet.com/b/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
Jeff Ren TechNet Community Support
May 15th, 2012 1:31am
Hi
I eventually solved this one. I'll illustrate the fix using the example of events from userenv.
On the collector server I opened up
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv
and noted the EventMessageFile string. It read %SystemRoot%\System32\userenv.dll
I found a copy of the userenv.dll on a Windows XP PC and copied it to a file c:\XP_DLL on the 2008 server
I then pointed the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv\EventMessageFile
to c:\XP_DLL\userenv.dll
Also in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv there was a value ProviderGUID. I renamed this string OLD_ProviderGUID.
After making these changes I rebooted the server and all the messages for userenv displayed correctly.
Cheers
P
May 21st, 2012 8:27am
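A read-only check of the registration described in the post above, added here as an example and not part of the original thread: for one event source on the collector it lists each EventMessageFile path, whether the file exists, its file version, and whether a ProviderGUID value is present. The function name Get-EventSourceRegistration is made up for this example; run it before and after a change to compare.

```powershell
# Added example: inspects an event source registration, changes nothing.
# Get-EventSourceRegistration is a hypothetical helper name.
function Get-EventSourceRegistration {
    param(
        [string]$LogName = 'Application',   # log the source is registered under
        [string]$Source  = 'Userenv'        # source used as the example in the thread
    )

    $key = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\$LogName\$Source"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "No registration found at $key"
        return
    }

    $props = Get-ItemProperty -LiteralPath $key
    $hasProviderGuid = ($null -ne $props.ProviderGUID)

    if (-not $props.EventMessageFile) {
        Write-Warning "$key has no EventMessageFile value"
        return
    }

    # EventMessageFile may hold several files separated by semicolons.
    foreach ($entry in ($props.EventMessageFile -split ';')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        # Expand %SystemRoot% and similar variables if they are still present.
        $path    = [Environment]::ExpandEnvironmentVariables($entry)
        $exists  = Test-Path -LiteralPath $path -PathType Leaf
        $version = $null
        if ($exists) {
            $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }

        New-Object PSObject -Property @{
            Source          = $Source
            MessageFile     = $path
            Exists          = $exists
            FileVersion     = $version
            HasProviderGuid = $hasProviderGuid
        }
    }
}

Get-EventSourceRegistration -LogName 'Application' -Source 'Userenv' | Format-List
```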