Event ID 800 does not include the user name of users who ran the Get-MessageTrackingLog command in an Exchange 2007 environment

Article ID: 949722

SYMPTOMS

In an Exchange 2007 environment, you may want to know who has accessed the message tracking logs. To do this, you can enable the LogPipeLineExecutionDetails registry entry. Then, when a user runs the Get-MessageTrackingLog command in the Exchange Management Shell (EMS), an Event ID 800 entry is logged in the PowerShell log. However, the user name is not included in the event. Instead, the following event is logged in the PowerShell log:
Event Type:	Information
Event Source:	PowerShell
Event Category:	(8)
Event ID:	800
Date:		<Date>
Time:		<Time>
User:		N/A
Computer:	<server name>
Description:
The description for Event ID ( 800 ) in Source ( PowerShell ) cannot be found.
		  The local computer may not have the necessary registry information or message
		  DLL files to display messages from a remote computer. You may be able to use
		  the /AUXSOURCE= flag to retrieve this description; see Help and Support for
		  details. The following information is part of the event: get-messagetrackinglog
		  -server 152433m2, 	DetailSequence=1
	DetailTotal=1
	SequenceNumber=75
	
	HostName=ConsoleHost
	HostVersion=1.0.0.0
	HostId=467ed744-9a87-407f-972b-25eca13dec7d
	EngineVersion=1.0.0.0
	RunspaceId=0086a970-acd4-4f80-9167-843f996fd6ec
	PipelineId=8
	ScriptName=
	CommandLine=get-messagetrackinglog <parameter> <value>,
		  ParameterBinding(Get-MessageTrackingLog): name="<parameter>";
		  value="<value>"

Therefore, you cannot obtain any information about the authenticated user who ran the command.

RESOLUTION

To resolve this problem, install Update Rollup 5 for Exchange 2007 Service Pack 1. For more information about Update Rollup 5 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 5 for Exchange Server 2007 Service Pack 1
For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007
To enable this hotfix, you must create the following registry entry on the Exchange Hub Transport server:
2 Client Monitoring
To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransportLogSearch
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. In the details pane, type 2 Client Monitoring as the name of the new value, and then press Enter.
  5. Right-click 2 Client Monitoring, and then click Modify.
  6. In the Edit DWORD Value dialog box, under Base, click Decimal.
  7. In the Value data box, type the value 1, and then click OK.
  8. Close Registry Editor.
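
The same change can be scripted for servers where Registry Editor is not convenient. This is an added example, not part of the original article; it uses only the subkey and value name given in the steps above, and it also checks that an existing value has the DWORD type before leaving it alone.

```powershell
# Added example: create or correct the "2 Client Monitoring" DWORD described in the steps above.
$key  = 'HKLM:\System\CurrentControlSet\Services\MSExchangeTransportLogSearch'
$name = '2 Client Monitoring'

if (-not (Test-Path $key)) {
    Write-Warning "$key not found; run this on the Exchange Hub Transport server."
    return
}

$item    = Get-Item $key
$present = $item.GetValueNames() -contains $name
$correct = $present -and
           ($item.GetValueKind($name) -eq 'DWord') -and
           ($item.GetValue($name) -eq 1)

if (-not $correct) {
    # Remove a value that has the wrong type or data, then create it as DWORD = 1.
    if ($present) { Remove-ItemProperty -Path $key -Name $name }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
}

# Read the value back so the change can be confirmed in the script output.
$item = Get-Item $key
"{0} = {1} ({2})" -f $name, $item.GetValue($name), $item.GetValueKind($name)
```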

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

User information is not logged in Event ID 800 in the PowerShell log even though the hotfix is installed on the server. In other words, the Event ID 800 user information is the same as before the hotfix was installed. Instead, after you install the hotfix and create the 2 Client Monitoring registry entry, a message that resembles the following Event ID 7020 message is logged in the Application log.
Event Type: Information
Event Source: MSExchangeTransportLogSearch
Event Category: Client Monitoring 
Event ID: 7020
Date: <date>
Time: <time>
User: N/A
Computer: <ComputerName>
Description:
Client <domain\user> issued the following transport log search request: <?xml version="1.0" encoding="utf-8"?>
<LogQuery xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Beginning>0001-01-01T00:00:00Z</Beginning>
<End>9999-12-31T22:59:59.9999999Z</End>
<Filter xsi:type="And">
<Conditions />
</Filter>
</LogQuery>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
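
To turn these Event ID 7020 entries into audit records, the description can be parsed for the client name and the LogQuery XML. The following is an added example, not code from the original article; the function name, the sample account CONTOSO\jdoe, and the "Unbounded" heuristic are assumptions made for illustration.

```powershell
# Added example: turn the description of an Event ID 7020 entry into an audit record.
function ConvertFrom-LogSearchEvent {
    param([string]$Message)

    # "Client <domain\user> issued the following transport log search request: ..."
    if ($Message -notmatch 'Client\s+(.+?)\s+issued the following transport log search request') {
        return $null
    }
    $client = $Matches[1]

    # Isolate the LogQuery element so any text after it is ignored.
    if ($Message -notmatch '(?s)<LogQuery.*?</LogQuery>') { return $null }
    $xmlText = $Matches[0]
    $query   = ([xml]$xmlText).LogQuery
    $filter  = $query.SelectSingleNode('Filter')
    $conds   = $query.SelectSingleNode('Filter/Conditions')

    $record = '' | Select-Object Client, Beginning, End, FilterType, Unbounded
    $record.Client    = $client
    $record.Beginning = $query.Beginning
    $record.End       = $query.End
    if ($null -ne $filter) {
        $record.FilterType = $filter.GetAttribute('type', 'http://www.w3.org/2001/XMLSchema-instance')
    }
    # Heuristic (assumption): min/max dates and no conditions means the whole log was searched.
    $record.Unbounded = ($query.Beginning -like '0001-01-01*') -and
                        ($query.End -like '9999-12-31*') -and
                        ($null -eq $conds -or -not $conds.HasChildNodes)
    return $record
}

# Constructed sample description, modelled on the event shown above.
$sample = @'
Client CONTOSO\jdoe issued the following transport log search request: <?xml version="1.0" encoding="utf-8"?>
<LogQuery xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Beginning>0001-01-01T00:00:00Z</Beginning>
<End>9999-12-31T22:59:59.9999999Z</End>
<Filter xsi:type="And">
<Conditions />
</Filter>
</LogQuery>
'@
ConvertFrom-LogSearchEvent $sample | Format-List

# Against a live Application log on the Hub Transport server:
# Get-EventLog -LogName Application |
#   Where-Object { $_.Source -eq 'MSExchangeTransportLogSearch' -and $_.EventID -eq 7020 } |
#   ForEach-Object { ConvertFrom-LogSearchEvent $_.Message }
```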

WORKAROUND

To enable Exchange-related command logging, run the following command:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Microsoft.Exchange.Management.PowerShell.Admin -Name LogpipelineExecutionDetails -value 1
After you run the command, you can use Windows Explorer to access the log files that contain the information about who has accessed the message tracking logs.

Properties

Article ID: 949722 - Last Review: January 5, 2009 - Revision: 2.1
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1, when used with:
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition