Troubleshooting the Event Log Provider

[This is preliminary documentation and subject to change.]

The following table presents some common problems that can occur when using the Event Log Provider and offers possible causes and solutions:

| Problem | Cause and/or Solution |
|---|---|
| Classes supported by the Event Log Provider do not appear in a namespace. | Only the Root\Cimv2 namespace is supported; check that you are connected to the Root\Cimv2 namespace. |
| Classes supported by the Event Log Provider do not appear in the Root\Cimv2 namespace. | Use the MOF compiler to compile the MOF file that contains the missing classes. The target file is Ntevt.mof; this file can be found in the WBEM installation directory. |
| No instances are returned after enumerating instances of any class. | Windows NT event logs are empty. |
| No instances are returned after enumerating instances of the Win32_NTLogEventUser class. | Not all Windows NT event log records contain user information. Typically only security event log records contain user information. |
| Enumerating instances takes a long time. | This is reasonable behavior if any of your event log files are large, because the instance provider enumerates all of the event logs and passes the results using COM. |

When there is a total of 2000 or more events in the event logs, it is possible to observe a decline in the performance of the Event Log Provider. Under those conditions, viewing events with the standard Windows NT user interface can be faster.

To compile the Ntevt.mof file at the command prompt, type:

C:\> c:\winnt\system32\wbem\mofcomp c:\winnt\system32\wbem\ntevt.mof
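
The checks in the table above can be scripted. The following is an added example, not part of the original documentation; it assumes a Windows host with the PowerShell CIM cmdlets, and the class names other than Win32_NTLogEventUser and the NumberOfRecords and FileSize properties come from the Win32_NTEventlogFile schema rather than from this page.

```powershell
# Added diagnostic sketch for the troubleshooting table; run from an elevated
# prompt so that record counts for the Security log are readable.
$ns = 'root\cimv2'

# Classes registered by the Event Log Provider (assumption: only
# Win32_NTLogEventUser is named on the page itself).
$classes = 'Win32_NTEventlogFile', 'Win32_NTLogEvent', 'Win32_NTLogEventLog',
           'Win32_NTLogEventComputer', 'Win32_NTLogEventUser'

# Table rows 1 and 2: are the provider's classes present in Root\Cimv2?
$missing = foreach ($c in $classes) {
    if (-not (Get-CimClass -Namespace $ns -ClassName $c -ErrorAction SilentlyContinue)) { $c }
}

if ($missing) {
    Write-Warning "Missing in ${ns}: $($missing -join ', '). Compile Ntevt.mof with mofcomp."
}
else {
    # Table rows 3 and 5: read per-log record counts from the log file class.
    # This is cheap because it does not enumerate the event records themselves.
    $logs = Get-CimInstance -Namespace $ns -ClassName Win32_NTEventlogFile |
        Select-Object LogfileName, NumberOfRecords,
            @{ Name = 'SizeMB'; Expression = { [math]::Round($_.FileSize / 1MB, 1) } }
    $logs | Format-Table -AutoSize

    # Sum the counts; logs whose count could not be read are skipped.
    $total = ($logs | Where-Object { $null -ne $_.NumberOfRecords } |
        Measure-Object -Property NumberOfRecords -Sum).Sum

    if (-not $total) {
        Write-Output 'All event logs are empty, so enumerations return no instances.'
    }
    elseif ($total -ge 2000) {
        # Threshold taken from the performance note on this page.
        Write-Warning "$total events in total (2000 or more): expect slow enumeration."
    }
    else {
        Write-Output "$total events in total: below the 2000-event threshold."
    }
}
```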