How to Troubleshoot Event 2000 in System Event Log (173210)


The information in this article applies to:

  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0
This article was previously published under Q173210

SYMPTOMS

An event ID 2000 may appear in the System Event log of a computer running Windows NT server when a remote network command fails. The following error message may appear as well:
STATUS_NO_SUCH_FILE

CAUSE

An event 2000 may appear when a network application sends a Delete File command to the shared network drive of a computer running Windows NT Server if the file it is trying to delete does not exist on that server. A "STATUS_NO_SUCH_FILE" event ID 2000 with the following data will appear in the System Event Log: 
   0000: 00040000 00540001 00000000 c00007d0
   0010: 00000000 c000000f 00000000 00000000
   0020: 00000000 00000000 05180bc5

MORE INFORMATION

When you review an event 2000, pay particular attention to the second word in the second line of the event data (in this case, c000000f). The event that corresponds to c000000f is the one connected with the STATUS_NO_SUCH_FILE message.

If your computer is running Windows NT Server 4.0, you can determine the cause of the event by installing the Network Monitor Tools and Agent. You can do this in Control Panel, by double-clicking Network, clicking Services, and then clicking Add.

For instructions on setting up Network Monitor, see the following Microsoft Knowledge Base article:

148942 How to Capture Network Traffic with Network Monitor

If you need to monitor the network from an alternate platform, contact Microsoft Technical Support; or obtain Network Monitor from the Systems Management Server installation, if it is available.

RESOLUTION

The System.evt file can be monitored in the same time window to determine the time interval that may contain an event 2000 in the trace. Filtering event 2000s in Network Monitor makes reviewing the capture easier to read.

To filter in Network Monitor, use the following steps:
  1. Open a capture file; use any name ending in .cap.
  2. Click the Capture menu, and then click Display Captured Data, and then press F8 to show the Display Filter window.
  3. In the Display Filter window, double click the second line under AND where it reads ANY<->ANY.
  4. Click the Property tab.
  5. Click +SMB in the Protocol:Property window.
  6. Click Command, and then select Delete File from the Value column on the right.
  7. Click OK twice.
Network Monitor displays frames containing filtered data. Traces similar to the ones below will be displayed: 
   4207 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.TAF
      134.131.3.62 134.131.51.1 IP

   4217 SMB R delete file - DOS Error, (2) FILE_NOT_FOUND 134.131.51.1
      134.131.3.62 IP

   5031 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.ILM
      134.131.3.62 134.131.51.1 IP

   5040 SMB R delete file 134.131.51.1 134.131.3.62 IP
Frame 4207 shows that a computer with the address 134.131.3.62 is sending the Delete File command to delete the file Pcdmnni.taf. Frame 4217 shows that the computer running Windows NT Server with the address 134.131.51.1 responds with the message FILE_NOT_FOUND; this frame will correspond with the event 2000 listed in System.evt. Frame 5031 shows that the file has been renamed to Pcdmnni.ilm and that the command Delete File is sent again. Finally, frame 5040 shows that the file has been deleted successfully.
Modification Type:MajorLast Reviewed:5/14/2003
Keywords:kbhowto kbprb kbtshoot KB173210
©2002 Microsoft Corporation. All rights reserved.