Windows 10: Event Viewer error after installing KB4503293 and KB4503327
Windows administrators who open the local Even Viewer after installation of KB4503293 or KB4503327 may receive an error message when they select Custom Views in the Event Viewer.
Microsoft released cumulative updates for all supported versions of Windows 10 (and other Microsoft operating systems) on yesterday's Patch Day.
KB4503293 for Windows 10 version 1903 and KB4503327 for Windows 10 version 1809 were among those patches. The cumulative updates closed several security vulnerabilities -- some of which rated with a critical severity -- and introduced other changes on devices running these versions of Windows.
Updates may introduce errors and issues, and that appears to be the case with KB4503293 and KB4503327.
Windows users who open the Event Viewer, e.g. by using the Windows-X menu or searching for Event Viewer in the Start Menu, may receive the error "MMC has detected an error in a snap-in and will unload it" on start when custom views are selected.
The only options provided by the dialog are to "report this error to Microsoft, and then shut down MMC", or to "Unload the snap-in and continue running".
Selecting the latter throws an "unhandled exception in Managed Code Snap-In" which causes quite the chaos in the Event Viewer.
The only option left at that point is to restart the Event Viewer. Problem is: the error is thrown again once you select custom views in the application.
Update: Microsoft confirmed the issue and published a workaround to resolve the issue. Admins need to run the following command using PowerShell:
function get-EventViewer {
Write-Output "List of custom views on the machine"
Write-Output ""
Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml | % { select-xml -Path $_.FullName -xpath "//Name" } | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty InnerXmlWrite-Output ""
$view_name = Read-Host "Enter the name of custom view to execute"# Get the file name of the view
$ViewFile = Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml | where-object { (Select-Xml -Path $_.FullName -xpath "//Name").Node.InnerXml -eq $view_name }Get-WinEvent -FilterXml ([xml]((Select-Xml -Path $ViewFile.FullName -XPath "//QueryList").node.OuterXml))
}
End
Our colleagues over at Deskmodder found a solution that fixes the issue. Here is what you need to do:
- Open File Explorer on the device.
- Navigate to the following path: C:\ProgramData\Microsoft\Event Viewer\Views
- Backup the content of the folder. The next step deletes the custom views and you may want the backup to restore the views when Microsoft fixes the issues.
- Delete all View_X.xml files in the folder (it starts with View_0.xml and increments the number by 1 for each file).
- Start the Event Viewer after deleting the files.
The error should be gone after the deletion. A restart is not required to fix the issue.
you are the best!!!!! solution n° 2. i delete the files and work!
This fix nailed it. Thank you!!
Microsoft released KB4503288, which fixes the problem.
Just successfully installed on my notebook and reimported my custom view in eventviewer :-)
hth
workaholic
Had the same problem, after june patchday.
Just installed KB4503288 on my Windows 10 v1803 and performed the required reboot.
After that, I imported bei custom view and voilà – problem solved!
As I can confirm that KB4503277 mentioned in the June 21 gHacks post fixes the Event Viewer crash on my old Windows 7 box. I moved my View_*.xml files back and the custom views work just as before.
Solution works on Windows Server 2008 R2 too. Crash of Event Viewer is dissapeared. Many thanks to Martin!
@Martin: Just a few add to your article.
1. All June 2019 updates breaks custom views in Event Viewer of all Windows version.
2. The solution outlined by deskmodder.de fixes the Event Viewer crash, when selecting a custom view. But you are no more able to creat a custom view (Event Viewer will crash again).
3. The PowerShell code fragment from Microsoft you published above is just the function – but that need to be called within the PowerShell console.
I’ve written an article, that outlines how to use the PowerShell fragment for Microsoft’s workaround, mentioned within the above text. And I outlines how to use Event Viewer and also execute custom views with a modified PowerShell script (downloadable from my site). Maybe helpful for admins, until Microsoft fixes the bug.
https://borncity.com/win/2019/06/16/tip-powershell-workarounds-for-june-bug-in-windows-event-viewer/
I was able to create a custom view AND stop event viewer from crashing by changing the owner and permissions for the custom view file.
1. Create a custom view in event viewer and then close event viewer.
2. Go to the C:\ProgramData\Microsoft\Event Viewer\Views folder. The default name of the view’s file should be something like “View_0.xml”.
3. Right-click on the file and click on the Security tab.
4. All Application Packages (local), System, Administrators (local), Users (local) should be in the “Group or User Names” list. If not, add the missing groups and assign “Read & Execute” and “Read” permissions. (local) means you need to select your computer’s name for the Location when adding the user.
5. Add the user “NT Service\TrustedInstaller” (local) and assign “Full Control” permissions.
6. Click on the Advanced button in the Security tab in the View Properties dialog.
7. Click on the “Change” link located to the right of the Owner name.
8. Change the owner to “NT Service\TrustedInstaller” (local).
9. Close all the dialogs by clicking on OK.
Reopen event viewer and you should be able to click on Custom Views without it crashing. In case you’re wondering how I came about this solution, I checked the permissions and owner on the views (remote desktop, terminal services, etc.) in the “ServerRoles” folder in the Views folder. You may not have any Server Roles views on your computer.
NOTE: You cannot modify the view once you apply the permission and owner changes above. You need to create a new view and follow the steps above.
Windows 8.1 encounters the same error. W-T-F !!!
Microsoft have released a support bulletin on this issue and say they will release a fix later in June.
https://support.microsoft.com/en-ph/help/4508640/event-viewer-may-close-or-you-may-receive-an-error-when-using-custom-v
Worked for me, Thanks Martin. solved a bit of head scratching! Backed up the xml files just in case.
Only one out of three PC’s affected here all on same build of 1903.
MS has now acknowledged the problem. I think. https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1809-and-windows-server-2019#493msgdesc
BLESS YOU !!!!
That’s not a fix, I can’t use my custom views or create new ones, same error occur
thank you, it works!
Mic
Glad to see mention of this as it was driving me nuts yesterday. Deleting the .xml file allowed the Event Viewer to open, but, of course, my one custom view had been removed. Attempting to recreate it produced the same event viewer crash as before.
Suspecting it was a problem with critical updates, I ran a system restore point from the prior day and then re-ran the updates. After doing that, the problem did not recur, and the custom view created normally.
Wish I had seen this first; perhaps all that was needed was to uninstall KB4503327 and then rerun updates.
Well, I was wrong. MS Updates offered up KB4503327 again. Was hoping it was a fix, but when installed, the same error occurred. So, System Restore (or uninstall) to the rescue. That leaves my system somewhat less secure, but I need the custom view to work properly.
Right now, Windows Update is installing 1903, so will see what happens with KB4503293. Hopefully the fix suggested above will work.
I did as suggested, removed the View_0.xml, view_1.xml and View_2.xml. I was able to expand the Custom Views drop down. However, because my previous custom views are not gone, I created a new one. As soon as I completed the process, I can see the new custom view in the drop down, but I get the same MMC error as noted above. I then repeated the process, and rebooted before adding the new custom view. The same thing happened. After removing the .xml file, I can view the Application Server, Web Server (IIS) and Administrative Events, but if I create a new custom view, upon completing the view, I get the error. I really want my custom views, is their any hope or suggestions?
I have updated the instructions to better reflect that. Microsoft will probably fix the issue in the near future.
Ok, I have it fixed (for now). I had copied my View_0.xml, View_1.xml and view_2 xml files to a separate folder. I uninstalled the KB4503292 update. Moved my xml files back to the views folder, and reopened the Event Viewer.
All is back to normal. My three custom views are working just fine. I hope they fix the update in the next round of updates.
Yes, this is the same thing for me… nothing worked, so I un-installed the latest security patch (KB4503276) which had this bug and won’t be fixed till later this month: https://support.microsoft.com/en-ph/help/4508640/event-viewer-may-close-or-you-may-receive-an-error-when-using-custom-v.
I tried putting my custom view in a new folder, which worked. However, now I can access the Custom Views, and I see my new folder, but when I click on the new folder, the error is thrown :(
I meant to say …. However, because my previous custom views are NOW gone….
I’ve encountered exactly the same error in Windows 7 today. I wasn’t sure whether it was due to sysmon update or the MS updates, so thanks for this.
Hi, Martin. i need your help.
i want to create CUSTOM Groups on Windows 10 Like DOWNLOADS Folder. i have more folders and i want them to be grouped under custom-made labels like “2019”, “Chinese”, “korea”, “New” and …
please help me about this.
Maybe . . . the following:
https://www.howto-connect.com/windows-10-create-local-user-account-group-view/
What you want I can’t imagine is possible. You have to create reguIar folders for that.
I myself is having trouble disabling the date grouping view in the file download view after upgrading to 1903. Anyone knows how to do that?
Hi, what do you mean by custom groups?
hi.
i want something like this:
http://s11.imgs.to/share/image/4FFzjmr19I_windows.PNG
you can find date grouping view in Downloads folder but i want to change it to custom Groups like picture in any Folder.
Thanks.
Came across this error yesterday after patching kb4503276 and resovled the issue in the same manner although this was on Win8.1 x64
https://www.askwoody.com/forums/topic/june-2019-patch-tuesday-is-rolling-out/#post-1836464
I don’t have this problem on either LTSB1607 or LTSC1809. That folder is empty though, save for another empty folder inside it: imgur.com/YGc0naC
There’s no such path on Win 1903.
C:\ProgramData\Microsoft\Event Viewer\Views
It does not exist.
Thanks heaps, worked like a charm first time, also after restart. I run Win 10 Pro x64 1809 and am 67 years old ;-)
I was affected by this bug as well. You also need to look in
C:\Users\%USERNAME%\AppData\Local\Microsoft\Event Viewer\Views
If you have any custom views you want to keep, I would suggest moving the View_*.xml files instead of deleting them. Presumably Microsoft will eventually fix the bug and you could then put them back.
Also, at least for me, the bug also affects any new custom views. In other words, the only way to keep Event Viewer from crashing is to delete all custom views and not create any new ones.
You need to open Event Viewer at least once so that the folder is created. Can you try that?