Eventlog Registry workaround for 64bit Opsmgr 2007R2 clients

A workaround to correct the eventlog path for 64 bit Opsmgr agents so that TSM system state backups function on these systems.  Issue documented by Microsoft here: http://support.microsoft.com/kb/970219
After getting advice that a fix for this was unlikely to be shipped with the next cumulative update for Opsmgr 2007 R2, I’ve put together a workaround for the eventlog path issue that is a big annoyance for users of TSM backup software.  Hopefully this will help someone else out.
We have quite a few 64bit servers and manually tracking and resolving this issue has become unworkable.
Essentially the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Operations Manager\File path on 64 bit agents is set to an invalid value: ”Config\MOMLog.evt”
Reinstalling, upgrading or repairing the agent will also revert the registry key back to this value.
There are 3 parts to the workaround,
  • The Script: 64bitagentcheck.vbs (see below)
  • The Opsmgr Rule: A timed script that runs the above script every 7 days
  • The Opsmgr View: An Event View in the monitoring pane to let me review changes made by the script
The Script
'AJ.Schmiede - 9-March-2010
'temporary workaround for http://support.microsoft.com/kb/970219
On Error Resume Next
'read value of regkey
Set objShell = CreateObject("WScript.Shell")
strRegKey =  objShell.RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Operations Manager\File")
strValue = "C:\Windows\System32\Config\MOMLog.evt"
'Check values and take action
If strRegKey = "Config\MOMLog.evt" Then
 'Below is what will happen if the regkey value is "config\MOMLog.evt"
 objShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Operations Manager\File",strValue
 strRegKeyNew =  objShell.RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Operations Manager\File")
 Set objShell = CreateObject("Wscript.Shell")
 objShell.LogEvent 2, _
     "Operations Manager Eventlog path was incorrectly set to " & strRegKey &" and has been changed to " & strRegKeyNew
End If
This script will check the registry key, modify it if it is wrong and write an event to the application log of the affected server (Source: WSH, Event Number: 2). 
Note that our standard %systemroot% path is C:\Windows, if yours is different you should adjust strValue in the script to suit.  Microsoft has indicated that use of the system variable “%systemroot%” is not supported in the eventlog path and may cause problems.
The Opsmgr Rule
Open up the Authoring Pane in the Opsmgr Console
Right Click Rules –> Create New Rule
Select Timed Commands –> Execute a Script
Change the Management Pack to an existing or new custom management pack that you’ve created. 
I’ve created one of these for each Operating System version we run and stored them in the corresponding custom management pack for each OS.  I’ve based this example around the Windows 2003 rule.
Click Next
Enter your Rule name and a description
For my Windows 2003 rule I’ve used the “Custom” rule category and have targeted Windows Server 2003 Operating Systems
If you have an alternate group that just has your 64bit Windows Server 2003 Operating Systems you could use that instead.
Tick “Rule is enabled
Click Next
Setup a fixed simple recurring schedule of 7 days.
This keeps the impact of running the script across your server fleet nice and low but should be frequent enough to pick things up before they become a huge problem, Opsmgr agent updates and reinstalls, after all, should be relatively infrequent.
Click Next
Enter script file name 64bitagentcheck.vbs (I keep a repository of these on my Root Management Server in a \scripts folder for later reference)
Set timeout to something between 1 and 5 minutes, the script should run very quickly.
Paste the Script into the Script field
Click Create
If you wish you can add a knowledge article to the new rule by viewing properties, going to it’s Product Knowledge tab and clicking Edit. I’ve used the following:
Operations Manager Event Log entry check for 64 bit servers
Checks for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Operations Manager\File value of “config\MOMLog.evt”. If found, the value is corrected and a warning is written to the application log of that server. (WSH Warning)
64 bit Operations Manager Agent has an invalid File path. This path is updated every time the agent is refreshed or reinstalled. The invalid path causes failures in system state backups performed by TSM.
Change path to C:\Windows\System32\Config\MOMLog.evt. %systemroot% paths are not supported and may cause errors.
External Knowledge Sources
The Opsmgr View
In the monitoring view, Right Click the folder you want to put the new view in.
I’ve created a folder with the stuff I check regularly in a custom management pack. This is where I’ve added the view to keep an eye on this workaround’s activity.
New –> Event View
Show data related to “Windows Computer(or a specific OS if you want to create a view for each OS like I have above)
Tick “with a specific event number” and enter 2 in the event number list
Tick “from a specific source” and enter WSH in the Source Name list
Tick “generated in a specific time period” and set Date and Time generated to within the last 10 Days.   As we run the timed script once every 7 days, this should pick up everything from the last run.


Writing to the event log and creating the view to check everything out aren’t absolutely necessary but they keep everything neat and easy to keep an eye on.  I’ll try uploading the accompanying screenshots for this when I get to a more upload-friendly internet connection.

0 thoughts on “Eventlog Registry workaround for 64bit Opsmgr 2007R2 clients

  1. Henrik.M.Andersen

    Regarding the %systemroot% You could pick up the %systenroot% value and concat it with ‘Config\MOMLog.evt’ into the strValue.

  2. Alicia Schmiede Post author

    good idea Henrik, you could do this by substituting in the following line for the current line 14 of the script “strvalue = …”
        strValue = objShell.ExpandEnvironmentStrings(“%systemroot%”) & “\System32\Config\MOMLog.evt”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.