DOCUMENT:Q173210 09-AUG-2001 [winnt] TITLE :How to Troubleshoot Event 2000 in System Event Log PRODUCT :Microsoft Windows NT PROD/VER:WinNT:3.5,3.51,4.0 OPER/SYS: KEYWORDS:kbtshoot kbhowto ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0 - Microsoft Windows NT Server versions 3.5, 3.51, 4.0 ------------------------------------------------------------------------------- SYMPTOMS ======== An event ID 2000 may appear in the System Event log of a computer running Windows NT server when a remote network command fails. The following error message may appear as well: STATUS_NO_SUCH_FILE CAUSE ===== An event 2000 may appear when a network application sends a Delete File command to the shared network drive of a computer running Windows NT Server if the file it is trying to delete does not exist on that server. A "STATUS_NO_SUCH_FILE" event ID 2000 with the following data will appear in the System Event Log: 0000: 00040000 00540001 00000000 c00007d0 0010: 00000000 c000000f 00000000 00000000 0020: 00000000 00000000 05180bc5 MORE INFORMATION ================ When you review an event 2000, pay particular attention to the second word in the second line of the event data (in this case, c000000f). The event that corresponds to c000000f is the one connected with the STATUS_NO_SUCH_FILE message. If your computer is running Windows NT Server 4.0, you can determine the cause of the event by installing the Network Monitor Tools and Agent. You can do this in Control Panel, by double-clicking Network, clicking Services, and then clicking Add. For instructions on setting up Network Monitor, see the following Microsoft Knowledge Base article: Q148942 How to Capture Network Traffic with Network Monitor If you need to monitor the network from an alternate platform, contact Microsoft Technical Support; or obtain Network Monitor from the Systems Management Server installation, if it is available. RESOLUTION ========== The System.evt file can be monitored in the same time window to determine the time interval that may contain an event 2000 in the trace. Filtering event 2000s in Network Monitor makes reviewing the capture easier to read. To filter in Network Monitor, use the following steps: 1. Open a capture file; use any name ending in .cap. 2. Click the Capture menu, and then click Display Captured Data, and then press F8 to show the Display Filter window. 3. In the Display Filter window, double click the second line under AND where it reads ANY<->ANY. 4. Click the Property tab. 5. Click +SMB in the Protocol:Property window. 6. Click Command, and then select Delete File from the Value column on the right. 7. Click OK twice. Network Monitor displays frames containing filtered data. Traces similar to the ones below will be displayed: 4207 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.TAF 134.131.3.62 134.131.51.1 IP 4217 SMB R delete file - DOS Error, (2) FILE_NOT_FOUND 134.131.51.1 134.131.3.62 IP 5031 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.ILM 134.131.3.62 134.131.51.1 IP 5040 SMB R delete file 134.131.51.1 134.131.3.62 IP Frame 4207 shows that a computer with the address 134.131.3.62 is sending the Delete File command to delete the file Pcdmnni.taf. Frame 4217 shows that the computer running Windows NT Server with the address 134.131.51.1 responds with the message FILE_NOT_FOUND; this frame will correspond with the event 2000 listed in System.evt. Frame 5031 shows that the file has been renamed to Pcdmnni.ilm and that the command Delete File is sent again. Finally, frame 5040 shows that the file has been deleted successfully. ====================================================================== Keywords : kbtshoot kbhowto Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search Version : WinNT:3.5,3.51,4.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.