Windows Server 2012 : Event source "ESENT" with event ID "327" and "326" occur in large amounts.

Symptoms
While using Windows Server 2012, events as shown below are logged in the application event log at high frequency (about 5 times/sec) regarding SystemIdentity.mdb.
------------------------------------------------------------------------------
Source: ESENT
Event ID: 327
Task category: General
Level: Information
Keyword: Classic
Description:
svchost (2576) database engine has attached database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 sec)
 
Internal timing sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.032, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.015. 
Recovery cache: 0
------------------------------------------------------------------------------ 
Source: ESENT
Event ID: 326
Task category: General
Level: Information
Keyword: Classic
Description:
svchost (2576) database engine has attached database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 sec)
 
Internal timing sequence: [1] 0.000, [2] 0.000, [3] 0.281, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Storage cache: 1
------------------------------------------------------------------------------ 

As a result, the application event log will be filled up and other events may be difficult to confirm.
Cause
This issue occurs when there is a problem with the data in the SystemIdentity.mdb database file.


Resolution
To stop the occurrence of this event, stop the "User Access Logging" service.
After stopping the service, do one of the following.

<Database File Deletion and Regeneration>
Delete and regenerate the damaged database file. 
After stopping the service, delete all files in the folder "%SystemRoot%\system32\LogFiles\Sum\".
After that, launch the "User Access Logging" service.The database will be newly generated.

<Stopping "User Access Logging" Service>
If not using the "User Access Logging" service, disable it.
After stopping the service, disable "Startup Type" for "User Access Logging" at the "Service" item of the maintenance tool.
References
For details on "User Access Logging" service, please refer to the following.
User Access Logging Overview
https://technet.microsoft.com/en-us/library/hh849634.aspx
User Access Log Management
https://technet.microsoft.com/en-us/library/jj574126.aspx
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2900773 - Last Review: 06/30/2016 21:37:00 - Revision: 2.0

Windows Server 2012 Standard, Windows Server 2012 Datacenter

  • kbmt KB2900773 KbMten
Feedback