Windows 10: Updates KB4503293/KB4503327 kills event viewer

[German] After installing the June 2019 cumulative updates KB4503293/KB4503327, Windows 10 users may notice that the Event Viewer no longer works when the Custom Views branch is selected; an error message is displayed instead. Here is a fix.



Affected are Windows 10 versions V1903 (Update KB4503293) and V1809 (Update KB4503327). If the Event Viewer is opened and the Custom Views branch is selected, the display hangs. A dialog box appears with the message ‘An error was detected in a snap-in and the snap-in is removed’.

Note: Such an error usually indicates broken files. Mark Heitbrink suggests emptying the MMC cache in %appdata%\Microsoft\MMC, but that might not help in this case.

Fortunately, the colleagues at the German site deskmodder.de have described the error in this blog post. They point out that the message “The process cannot access the file ‘C:\ProgramData\Microsoft\Event Viewer\Views\View_0.xml’ because it is used by another process” is displayed in this context. The solution they propose is therefore quite simple. Navigate to the following folder in Explorer:

C:\ProgramData\Microsoft\Event Viewer\Views\

There you should find a file View_0.xml, or one with another consecutive number. This file must be deleted (requires administrator privileges). MMC.exe will then recreate the View_x.xml at the next start if required, and the display of the user-defined views should work again. Thanks to Matthias for the hint (and also to Max for the comment here).

Addendum: A more extensive analysis

I’ve added a detailed analysis of the bug to the German edition of this article. There I describe under which circumstances the bug occurs and what you can do as a temporary workaround.


  • First of all, this crash occurs only if custom views are defined in Event Viewer.
  • Don’t delete the View_0.xml file (and the others); move them into a newly created backup folder, because the XML files contain your settings for the custom views.
  • Not only Windows 10 V1903 and V1809 are affected; nearly all Windows versions that have been patched with the June 11, 2019, updates show this behavior.
  • You can’t use custom views anymore until Microsoft delivers a fix. Uninstalling the June 2019 update may help.

In some cases, it’s not sufficient to remove the XML files in

C:\ProgramData\Microsoft\Event Viewer\Views\

The event viewer also stores the data within the profile folder:

C:\Users\<account>\AppData\Local\Microsoft\Event Viewer\Views\

So you need to check both folders and move the XML files into a newly created backup folder.
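The move-to-backup workaround described above can be scripted for both folders. The following is an added example, not code from the original article or from Microsoft; the function name, the -BackupRoot default and the manifest.csv file are assumptions, and it needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the original article. Close Event Viewer first,
# otherwise MMC may still hold the View_x.xml files open.
# Function name, -BackupRoot default and manifest.csv are assumptions.
function Backup-EventViewerViews {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$BackupRoot = (Join-Path $env:SystemDrive 'EventViewerViewsBackup')
    )

    # The two folders named in the article: machine-wide and per-user views.
    $sources = [ordered]@{
        ProgramData  = Join-Path $env:ProgramData 'Microsoft\Event Viewer\Views'
        LocalAppData = Join-Path $env:LOCALAPPDATA 'Microsoft\Event Viewer\Views'
    }

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $BackupRoot $stamp
    $moved  = @()

    foreach ($label in $sources.Keys) {
        $folder = $sources[$label]
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        # Keep the two origins apart: both folders may contain a View_0.xml.
        $dest = Join-Path $target $label
        foreach ($file in Get-ChildItem -LiteralPath $folder -Filter '*.xml' -File) {
            if ($PSCmdlet.ShouldProcess($file.FullName, "Move to $dest")) {
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
                Move-Item -LiteralPath $file.FullName -Destination $dest
                $moved += [pscustomobject]@{
                    Original = $file.FullName
                    Backup   = Join-Path $dest $file.Name
                }
            }
        }
    }

    # The manifest records where each file came from, so it can be put back
    # once a fixed update is installed.
    if ($moved.Count -gt 0) {
        $moved | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    }
    return $moved
}

Backup-EventViewerViews -WhatIf   # preview only; drop -WhatIf to move the files
```

The per-user folder is resolved for the account running the script; other profiles under C:\Users\<account> have to be handled separately.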

Microsoft has confirmed the bug

At askwoody.com I found the hint that Microsoft has confirmed the bug. They wrote:

Event Viewer may close or you may receive an error when using Custom Views

You may receive an error and the app may stop responding or close when trying to expand, view or create Custom Views in Event Viewer. You may also receive an error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:

  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Read custom event views via PowerShell

Bleeping Computer has an article here that mentions a workaround from Microsoft for using custom event views via PowerShell.

function get-EventViewer {
    Write-Output "List of custom views on the machine"
    Write-Output ""
    # Print the <Name> of every custom view definition file
    Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml | % { Select-Xml -Path $_.FullName -XPath "//Name" } | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty InnerXml

    Write-Output ""
    $view_name = Read-Host "Enter the name of custom view to execute"

    # Get the file name of the view (first match if the name is not unique)
    $ViewFile = Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml | Where-Object { (Select-Xml -Path $_.FullName -XPath "//Name").Node.InnerXml -eq $view_name } | Select-Object -First 1

    # Stop here if no view with that name exists
    if (-not $ViewFile) {
        Write-Warning "No custom view named '$view_name' was found"
        return
    }

    # Run the view's <QueryList> as an XML filter against the event logs
    Get-WinEvent -FilterXml ([xml]((Select-Xml -Path $ViewFile.FullName -XPath "//QueryList").Node.OuterXml))
}

These Updates are affected

Microsoft has confirmed the issue within this support article. Affected are the following updates and Windows versions:

  • KB4503293 LCU for Windows 10, version 1903.
  • KB4503327 LCU for Windows 10, version 1809 and Windows Server 2019.
  • KB4503286 LCU for Windows 10, version 1803.
  • KB4503284 LCU for Windows 10, version 1709.
  • KB4503279 LCU for Windows 10, version 1703.
  • KB4503267 LCU for Windows 10, version 1607 and Windows Server 2016.
  • KB4503291 LCU for Windows 10, version 1507.
  • KB4503276 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
  • KB4503290 Security-only update for Windows 8.1 and Windows Server 2012 R2.
  • KB4503285 Monthly Rollup for Windows Server 2012 and Windows Embedded 8 Standard.
  • KB4503263 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
  • KB4503292 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
  • KB4503269 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1.
  • KB4503273 Monthly Rollup for Windows Server 2008 SP2.
  • KB4503287 Security-only update for Windows Server 2008 SP2.


1 Response to Windows 10: Updates KB4503293/KB4503327 kills event viewer

  1. Longjohn119 says:

    This worked for me and complicating the issue for me was I had updated to 1903 Sunday and kept getting BSOD crashes (Page fault in non paged area) occasionally during the day and every time I put it to sleep so I did a roll back to 1809 at which time it also downloaded this update which in turn borked the Event Viewer. Cripes I didn’t know if it had something to do with 1903 or the rollback to 1809 (Which seems stable otherwise) but Microsoft had to throw me a curve with a borked update ….

    You saved me countless hours of hair pulling troubleshooting ….. Seems like nearly every Error Message thrown up by Windows can be caused by nearly anything and are pretty much worthless for troubleshooting …..
