ESENT Event ID 327 and 326 fill up the Application log

Applies to: Windows Server, version 1903; Windows Server 2012 Standard; Windows Server 2012 Datacenter

Symptoms


On Windows Server 2012 and later versions, events like the ones shown below, which reference SystemIdentity.mdb, are logged in the Application event log at a high frequency (about 5 times/sec).
------------------------------------------------------------------------------
Source: ESENT
Event ID: 327
Task category: General
Level: Information
Keyword: Classic
Description:
svchost (2576) database engine has attached database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 sec)
 
Internal timing sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.032, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.015. 
Recovery cache: 0
------------------------------------------------------------------------------ 
Source: ESENT
Event ID: 326
Task category: General
Level: Information
Keyword: Classic
Description:
svchost (2576) database engine has attached database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 sec)
 
Internal timing sequence: [1] 0.000, [2] 0.000, [3] 0.281, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Storage cache: 1
------------------------------------------------------------------------------ 

As a result, the Application event log fills up, and other events may be difficult to find.

Cause


This issue occurs when there is a problem with the data in the SystemIdentity.mdb database file.


Resolution


To stop the occurrence of this event, stop the "User Access Logging" service.
After stopping the service, do one of the following.

<Database File Deletion and Regeneration>
Delete and regenerate the damaged database file. 
After stopping the service, delete all files in the folder "%SystemRoot%\system32\LogFiles\Sum\".
After that, start the "User Access Logging" service. The database will be newly generated.

<Stopping "User Access Logging" Service>
If not using the "User Access Logging" service, disable it.
After stopping the service, set the "Startup Type" of "User Access Logging" to Disabled under the "Services" item of the administrative tools.
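
The steps above as a PowerShell script, run from an elevated prompt. This is an added example, not part of the original article. It assumes the service name UALSVC for "User Access Logging" and a hypothetical backup folder under C:\, and it copies the old database files aside before deleting them because they hold the recorded client access history.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article).
$svc         = 'UALSVC'   # assumed service name of "User Access Logging"
$sumDir      = Join-Path $env:SystemRoot 'System32\LogFiles\Sum'
$backupDir   = "C:\UAL-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # hypothetical location
$disableOnly = $false     # $true = second option: keep the service disabled

# 1. Confirm the symptom: ESENT 326/327 events for SystemIdentity.mdb in the last minute.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'ESENT'
    Id           = 326, 327
    StartTime    = (Get-Date).AddMinutes(-1)
}
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like '*SystemIdentity.mdb*' })
'{0} matching events in the last 60 s ({1:N1}/sec)' -f $hits.Count, ($hits.Count / 60)

# 2. Stop the service so the database files are released (this also stops the events).
Stop-Service -Name $svc -Force

if ($disableOnly) {
    # Option: the service is not used, so prevent it from starting again.
    Set-Service -Name $svc -StartupType Disabled
}
else {
    # 3. Keep a copy of the existing files, then empty the Sum folder.
    New-Item -ItemType Directory -Path $backupDir | Out-Null
    Copy-Item   -Path (Join-Path $sumDir '*') -Destination $backupDir -Recurse -Force
    Remove-Item -Path (Join-Path $sumDir '*') -Recurse -Force

    # 4. Start the service again; it creates a fresh database.
    Start-Service -Name $svc
    Start-Sleep -Seconds 10
    Get-ChildItem -Path $sumDir | Select-Object Name, Length, LastWriteTime
}

# 5. Show the resulting service state.
Get-Service -Name $svc | Select-Object Name, Status, StartType
```

Running step 1 again a minute later should report a count at or near zero if the regenerated database is healthy.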

References


For details on the "User Access Logging" service, refer to the following.
User Access Logging Overview
https://technet.microsoft.com/en-us/library/hh849634.aspx
User Access Log Management
https://technet.microsoft.com/en-us/library/jj574126.aspx