Tracing Events Reference

Applies To: Windows Server 2003, Windows Server 2003 with SP1

This reference describes the events that can be recorded in the trace log when using request-based tracing or IIS Admin tracing. When applicable, an event description may include troubleshooting steps. The events listed here are organized by tracing provider:

  • Active Server Pages (ASP)

  • IIS Admin Service

  • IIS:SSL Filter

  • World Wide Web Service Global Tracing Events

  • IIS: WWW ISAPI Extensions

  • IIS: WWW Server

    • IIS: CGI

    • IIS: Cache

    • IIS: Compression

    • IIS: Filter

    • IIS: General

    • IIS: ISAPI

    • IIS: Security

If you are searching for information on a specific event, press CTRL+F and search for the desired event description.

Active Server Pages (ASP)

Event Description

ASP_DEQUEUE_REQUEST

The ASP request was removed from the ASP request queue for processing/execution.

ASP_DONE_PROCESSING

The ASP engine finished executing the request, but ASP may still have to send request data back to the client. ASP is done with the request when the ASP_END_REQUEST event is triggered.

ASP_END_REQUEST

ASP finished processing the request and has sent all associated response data.

ASP_START_REQUEST

ASP received a new request from IIS.

ASP_APPLICATION_ONSTART_ERROR

ASP encountered an error when trying to execute the Application_OnStart function in the Global.asa file. The ASP execution was aborted. Look at the error response sent back to the client to help determine the source of the error.

ASP_CLIENT_DISCONNECTED

The client disconnected while the request was on the ASP queue.

ASP_COMPILE_FAILED

ASP could not compile the ASP file successfully. Look at other events between ASP_START_COMPILE and ASP_END_COMPILE in the trace log to determine why the compile failed. Or look at the error response sent back to the client to help determine why the compile failed.

ASP_FILE_ACCESS_DENIED

ASP tried to read the file but failed because of insufficient permissions. The user may not have the appropriate permissions. Check the NTFS permissions on the file. Enable the IIS authentication tracing provider, request the file, and check the trace log for more information about the problem.

ASP_FILE_NOT_FOUND

The requested ASP file does not exist at the specified location. Verify the URL of the path. Also look at the data in the ASP_READ_FILE event to determine the file that ASP is trying to read. You may need to run the trace again with verbosity set to level four.

ASP_GLOBAL_ASA_ACCESS_DENIED

ASP tried to read the Global.asa file but failed because of insufficient permissions. The user does have the appropriate permissions. Check the NTFS permissions on the Global.asa file for the specified application. Check the ASP_START_GLOBAL_ASA_CHECK event which specifies the location of the Global.asa file it is trying to access. If you do not see the ASP_START_GLOBAL_ASA_CHECK event run the trace again with verbosity set to level four.

ASP_INIT_FAILURE

ASP failed to initialize. There are four possible reasons why ASP failed to initialize:

  1. IIS could not read the MetaBase.xml configuration file. This is a fatal error meaning IIS will not be able to process requests. This error may be the result of invalid metabase configuration or an invalid access control list (ACL) on the MetaBase.xml file. This is a level two error.

To remedy this problem:

  1. Verify that the MetaBase.xml file exists in the %windir%\system32\inetsrv directory.

  2. Check the permissions on the MetaBase.xml file and ensure that System has Full Control.

  3. If necessary, restart IIS and all associated services using the IISReset command. From a command prompt, type iisreset and press ENTER.

  4. If ASP fails to initialize after restarting all IIS services, contact Microsoft Product Support Services.

  1. ASP could not initialize the ASP disk cache. This is not a fatal error meaning IIS and ASP will continue to process requests, but you may see significant performance degradation because ASP will not be able to use the disk cache.

To remedy this problem:

  1. Ensure that the ASP Templates Cache directory exists. It is located in the %windir%\system32 directory by default.

  2. Check access control lists (ACLs) on the directory and ensure that the IIS_WPG group is listed. The IIS_WPG group must have Read and Write permissions on the ASP Templates Cache directory.

  3. Ensure that the user identity that the process is running as is a member of the IIS_WPG group. In the Computer Management console, expand Local Users and Groups, right-click the IIS_WPG group, and select Properties.

  1. ASP could not initialize the Component Object Model (COM). This is a fatal error meaning IIS will not be able to process requests.

To remedy this problem, look at the Windows NT Event Log for COM errors. Debug any COM errors.

  1. ASP could not initialize the metabase change notification listener. This is a fatal error meaning IIS will not be able to process requests.

To remedy this problem:

  1. Recycle the application pool. Right-click the application pool and click Recycle.

  2. If the problem persists, restart IIS and all associated services using the IISReset command. From a command prompt, type iisreset and press ENTER.

  3. If the problem persists, contact Microsoft Product Support Services.

ASP_QUEUE_REQUEST_FAILED

ASP failed to put a request in the request queue. The queue may be full or another request may be blocking further queue processing. If this failure was preceded by the ASP_SERVER_TOO_BUSY_TOO_QUEUE event, then the queue is full.

In this situation, ASP should report itself as not healthy and the Windows NT Application Event log should contain an event from W3svc_WP. If Worker Processes Health Monitoring is enabled, the ping to the worker process should fail and the application pool should recycle once IIS detects that the ping failed.

To remedy this problem

  1. Ensure that the AspRequestQueueMax Metabase Property was not changed from its default value (500). If AspRequestQueueMax was not changed, use Currently Executing Requests Tracing to determine which requests were executing when the failure occurred.

  2. Once you have found which requests are executing, trace the requests to the indicated URL to find where the blockage is occurring.

ASP_REQUEST_TIMEOUT

The ASP request spent too much time on the queue. The queue may be full or another request may be blocking further queue processing. Recycle the application pool or use Currently Executing Requests Tracing to understand which requests were executing when the failure occurred.

To remedy this problem

  1. Ensure that the AspQueueTimeout Metabase Property was not changed from its default value. The default value is an unlimited number, represented by 4294967295.

  2. If AspQueueTimeout was not changed, use Currently-Executing Requests Tracing to determine which requests were executing when the failure occurred.

  3. Once you have determined which requests were executing, trace the requests to the indicated URL to find where the blockage is occurring.

ASP_SERVER_TOO_BUSY_TO_QUEUE

ASP cannot queue the request. The server may be running out of memory.

To remedy this problem

  1. Recycle the application pool. Right-click the application pool and click Recycle.

  2. If the problem persists, restart IIS and all associated services using the IISReset command. From a command prompt, type iisreset and press ENTER.

  3. If the problem persists, contact Microsoft Product Support Services.

ASP_SESSION_ONSTART_ERROR

ASP encountered an error when trying to execute the Session_OnStart function in the Global.asa file. Look at the error response sent back to the client to help determine the source of the error. The ASP execution was aborted.

ASP_TRANSACTION_ABORTED

The ASP transaction aborted. Transactions in this case are Microsoft Transaction System (MTS) transactions. Work with the developer of the ASP file to debug the application.

ASP_UNHEALTHY_FAILURE

ASP is not healthy and could not continue to execute requests. The Reason field for this event shows either DEADLOCK_DETECTED or OUT_OF_MEMORY. If you are running IIS 6.0 in worker process isolation mode and you see this event, the application pool hosting the application will be recycled if Worker Process Health Monitoring is enabled. If this failure happens repeatedly, your application may have a memory leak. If you are running IIS 6.0 in IIS 5.0 isolation mode, you will see an ASP error in the Windows NT Event Log, but no action will be taken. With IIS 6.0 running in IIS 5.0 isolation mode, you must restart the World Wide Web Publishing Service and then look at the Web site logs for all executed requests to understand why ASP is not healthy. Trace a request using Currently Executing Requests Tracing to understand which requests where executing when the failure occurred.

noteNote
If IIS 6.0 is running in worker process isolation mode and a worker process does not shut down within the time limit configured by the ShutdownTimeLimit Metabase Property, IIS will forcefully shut down the process. If IIS forcefully shuts down the process, all requests executing in that process are logged in the HTTPERR log.

ASP_GLOBAL_ASA_DOES_NOT_EXIST

ASP could not find the Global.asa file. If your application uses a Global.asa file, determine why the file does not exist in the specified location. If your application does not use a Global.asa file, then you can ignore this event.

ASP_APPLICATION_ONSTART_SUCCESS

ASP successfully executed the Application_Onstart function.

ASP_CURRENT_SESSION

This event tells you the session ID for the current session.

ASP_END_APPLICATION_ONSTART

ASP finished executing the Application_Onstart function.

ASP_END_CACHE_ACCESS

ASP finished checking the cache. Check the Reason field in the trace log for one of the following:

NOT_SERVED: The file was not found or not served. The file may not have been served because of improper permissions on the file. The file may not exist or there could be a larger problem with the server, for example, a hard disk crash.

SERVED_CACHE_MISS: The file did not exist in the cache. ASP retrieved the file from disk and tried to load it into the cache.

SERVED_CACHE_HIT_CHANGENOTIF: The file was found in the cache and served from the cache. Change notification was used to maintain cache consistency.

SERVED_CACHE_HIT_LASTMOD: The file was found in the cache and served from the cache. ASP polled the last-modified timestamp on the file to maintain cache consistency.

SERVED_CACHE_HIT_LASTMOD_NOACCESS: The connection between the IIS server and a Universal Naming Connection (UNC) file share is down. ASP cannot check the timestamp on the requested file. However, the requested file exists in the cache so it was served from the cache. The content may be stale.

ASP_END_COMPILE

ASP finished generating the ASP template.

ASP_END_GLOBAL_ASA_CHECK

ASP finished checking for the Global.asa file.

ASP_END_SCRIPTLESS_SEND

The requested ASP page did not contain any script tags. ASP did not need to compile the page before sending it.

Note

ASP files that do not contain scripts should be renamed with the .htm or .html extension. Script-less .asp files are not processed as efficiently as static .htm or .html files. Responses for static files can be returned by the HTTP.sys kernel cache, which can significantly increase performance.

ASP_END_SCRIPT_EXECUTION

ASP finished executing the script code. ASP may not be finished processing the request.

ASP_END_SESSION_ONSTART

ASP finished executing the Session_Onstart function.

ASP_FIRST_REQUEST_FOR_APPLICATION

ASP received the first request for this application. ASP_APPLICATION_ONSTART and GLOBAL.ASA_CHECK events should follow.

ASP_FIRST_REQUEST_FOR_ASP

The ASP.dll received its first request. Part of ASP initialization takes place on the first request.

ASP_GLOBAL_ASA_ACCESS_SUCCESS

ASP successfully read the Global.asa file.

ASP_NEW_SESSION_CREATED

ASP accepted the first request for a new session and created a session ID for this session.

ASP_QUEUE_REQUEST

ASP put the request on the queue. This event should be followed by the ASP_DEQUEUE_REQUEST event when the request is pulled off the queue for execution.

ASP_READ_FILE

ASP is trying to read the file. The trace log will show one of these events for each included file.

ASP_SECURE_SESSION_ID_SET

ASP made a transition to a secure state. This event marks the session ID of the secure session.

ASP_SESSION_ONSTART_SUCCESS

ASP successfully executed the Session_Onstart function.

ASP_START_APPLICATION_ONSTART

ASP is about to call the Application_Onstart function.

ASP_START_CACHE_ACCESS

ASP is about to check for the file template in the ASP File Template Cache.

ASP_START_COMPILE

ASP is about to compile the specified file.

ASP_START_GLOBAL_ASA_CHECK

ASP is about to check for the existence of a Global.asa at the specified location.

ASP_START_SCRIPTLESS_SEND

The requested page does not contain any script tags. ASP will not need to compile the page before sending it.

ASP_START_SCRIPT_EXECUTION

ASP started executing the script code.

ASP_START_SESSION_ONSTART

ASP started executing the Session_Onstart function.

ASP_TRANSACTION_COMMITTED

The ASP transaction was committed. Transactions in this case are Microsoft Transaction System (MTS) transactions.

ASP_SCRIPT_TRACE_COM_CALL_END

The ASP script engine finished calling into a COM object, other than the response object, as indicated by your script.

ASP_SCRIPT_TRACE_COM_CALL_START

The ASP script engine is making a call into a COM object other than the response object, as indicated by your script.

ASP_SCRIPT_TRACE_CREATE_OBJECT_END

The ASP script engine finished creating a COM object as indicated by your script.

ASP_SCRIPT_TRACE_CREATE_OBJECT_START

The ASP script engine is creating a COM object as indicated by your script.

ASP_SCRIPT_TRACE_END

The script engine has finished executing. This event shows where the script engine finished executing. For example, the execution could end in an include file.

ASP_SCRIPT_TRACE_GET_OBJECT_END

The script engine finished calling the GetObject function.

ASP_SCRIPT_TRACE_GET_OBJECT_START

The script engine started calling the GetObject function.

ASP_SCRIPT_TRACE_START

The script engine started executing. This event shows where the execution is starting. For example, the execution could start in an include file.

IIS Admin Service

Event Description

IISADMIN_END

The IIS Admin service finished shutting down.

START

The IIS Admin service has started shutting down. The service may be shutting down because of administrator action, for example, the administrator may have executed the IISreset.exe command or the net stop IIS Admin command.

ABO_DISCONNECT_END

The IIS Admin service finished disconnecting metabase COM client connections (as indicated by the process ID).

ABO_DISCONNECT_START

The IIS Admin service is about to disconnect metabase COM client connections (as indicated by the process ID) before shutting down.

COUNINITIALIZE_END

The IIS Admin service finished calling the CoUninitialize function to shutdown all COM activity in the process. All COM activity in the process was successfully shutdown.

COUNINITIALIZE_START

The IIS Admin service is about to call the CoUninitialize function to shutdown all COM activity in the process.

EWR_SHUTDOWN_END

The IIS Admin service successfully shutdown the Edit-While-Running mechanism, which monitors the MetaBase.xml file for changes.

EWR_SHUTDOWN_START

The IIS Admin service is about to shutdown the Edit-While-Running mechanism, which monitors the MetaBase.xml file for changes.

LISTENER_SHUTDOWN_END

The IIS Admin service successfully shutdown the listener that monitors change notification in the metabase. This means the IIS Admin service has stopped publishing IIS metabase change notifications.

noteNote
All processes listening for change notification, as indicated by the process ID (PID), will no longer receive IIS metabase change notification.

LISTENER_SHUTDOWN_START

The IIS Admin service is about to shutdown the listener that monitors change notification in the metabase. This means the IIS Admin service will no longer publish IIS metabase change notifications.

Note

All processes listening for change notification, as indicated by the PID, no longer receive IIS metabase change notification.

METADATA_SHUTDOWN_END

The IIS Admin service successfully shutdown the in-memory metabase.

METADATA_SHUTDOWN_START

The IIS Admin service is about to shutdown the in-memory metabase.

SVCEXT_SHUTDOWN_END

The IIS Admin service successfully shut down the service extensions.

SVCEXT_SHUTDOWN_START

The IIS Admin service is about to shutdown the service extensions.

END

The IIS Admin service successfully started.

IISADMIN_START

The IIS Admin service is starting up. This should be the first published IIS Admin service event. If you do not see this event in the trace log, check the NT System event log for service control manager events with the IIS Admin service.

ABO_REGISTER_FAILURE

The IIS Admin service could not register the metabase ABO interface in COM, an indication that there is a problem in COM. Look at the error code published with this event and take the action described by the error code. If the problem persists, call Microsoft Product Support Services.

COM_SECURITY_FAILURE

The IIS Admin service could not set the permissions on the ABO interface in COM. Look at the error code published with this event and take the action described by the error code. If the problem persists, call Microsoft Product Support Services.

DCPROMO_FAILURE

The IIS Admin service could not register the IIS accounts in Active Directory after the machine was promoted to a domain controller. The problem probably resides in Active Directory. Once Active Directory is back online, stop and restart the IIS Admin service. By its very nature, this failure can only happen one time. Look at the error code published with this event and take the action described by the error code. If the problem persists, call Microsoft Product Support Services.

Note

When you see this event in the trace log, the IIS Admin service is still running. However, all IIS accounts may have shut down, including the default anonymous user account.

MBSCHEMA_PARSE_FAILURE

The IIS Admin service failed to parse the MBSchema.xml file. Look at the error code published with this event and take the action described by the error code. You can also look in the NT System event log for errors in the IIS Admin service. These errors may provide more information about this failure. If the errors do not provide you with the necessary information, role back to an earlier version of the MBSchema.xml file if you have one. You can also open the MBSchema.xml file in an XML editor to ensure that the file is properly formatted. If the problem persists, call Microsoft Product Support Services.

METABASE_PARSE_FAILURE_MB_XML

The IIS Admin service failed to parse the MetaBase.xml file. Look at the error code published with this event and take the action described by the error code. You can also check the NT System event log for errors in the IIS Admin service. If the errors do not provide you with the necessary information, role back to an earlier version of the MetaBase.xml file. If the problem persists, call Microsoft Product Support Services.

METABASE_PARSE_FAILURE_SESSION_KEY

The IIS Admin Service failed to decrypt the encrypted session key in the metabase, which means IIS cannot read the metabase. The machine key IIS has stored does not match the machine key used to encrypt the session key. This is a critical failure. As a result, IIS will not run. Stop and restart the IIS Admin service. If the problem persists, rollback to an earlier version of the MetaBase.xml file and MBSchema.xml file from the History folder and restart the IIS Admin service. If the problem persists, uninstall IIS, reinstall IIS, and restore a known-good backup from an IIS 6.0 server that was backed up with a password (the password is used in the encryption process). If the problem persists, contact Microsoft Product Support Services.

SVCEXT_STARTUP_FAILURE

The IIS Admin service attempted to start a service extension and the startup failed. Restart the IIS Admin service. If the problem persists, contact Microsoft Product Support Services.

COM_CATALOG_FAILURE

The IIS Admin service attempted to start the COM catalog and failed. There is probably an error in the COM catalog.

VSS_FAILURE

The IIS Admin service attempted to register with the Volume Snapshot Service (VSS), but failed. The IIS Admin service will continue to run, but if any system-wide backups are performed using the Windows Server backup utility, then IIS may not be able to get the MetaBase.xml file ready for backup.

DCPROMO_END

The IIS Admin service finished updating the user accounts in the case where the IIS server was promoted to a domain controller.

DCPROMO_START

The IIS Admin service is about to check if the machine has been promoted to a domain controller. If the machine has been updated to a domain controller, the IIS Admin service will begin updating the user accounts.

METABASE_PARSE_FAILURE_SETTING

The IIS Admin service failed to read one or more of the property settings in the metabase. The IIS Admin service will still run, but will ignore the settings that failed. Check the Windows NT System Event log to determine which properties were ignored.

ABO_REGISTER_END

The IIS Admin service finished registering the ABO interface with COM.

ABO_REGISTER_START

The IIS Admin service is about to register the ABO interface with COM.

COM_CATALOG_START

The IIS Admin service is about to start using the COM catalog.

COM_CATALOG_END

The IIS Admin service successfully started and is using the COM catalog.

COM_SECURITY_END

The IIS Admin service successfully setup the permissions in COM on the ABO interface.

COM_SECURITY_START

The IIS Admin service is about to setup the permissions in COM on the ABO interface.

MBSCHEMA_PARSE_END

The IIS Admin service successfully parsed the MBSchema.xml file.

MBSCHEMA_PARSE_START

The IIS admin service is about to parse the MBSchema.xml file.

METABASE_PARSE_END

The IIS Admin service successfully parsed the MetaBase.xml file.

METABASE_PARSE_START

The IIS Admin service is about to parse the MetaBase.xml file.

SVCEXT_STARTUP_END

The IIS Admin service successfully started a service extension.

SVCEXT_STARTUP_START

The IIS Admin service is about to start a service extension.

VSS_END

The IIS Admin service successfully registered with the Volume Snapshot Service (VSS).

VSS_START

The IIS Admin service is about to register with the Volume Snapshot Service (VSS).

IIS: SSL Filter

Event Description

SSLERROR_DECRYPT

The HTTP Filter service failed while decrypting Secure Sockets Layer (SSL) data. This is a fatal error. The request was rejected as a result of this error. This error may be the result of a change in the encrypted data on the client side or on the transport layer. Because this error is the result of a change on the client side, this error does not require any action on the part of the administrator

SSLERROR_ENCRYPT

The HTTP Filter service failed while encrypting SSL data. This is a fatal error. This error could be the result of a low-memory condition on the server. The Windows NT Event logs should contain more information about this error. If the problem persists, contact Microsoft Product Support Services.

SSLERROR_HANDSHAKE

The HTTP Filter service failed during the SSL handshake. This is a fatal error. The request was rejected. This error could be the result of a low-memory condition on the server. Also, the server may not support the SSL protocol and/or cipher requested by the client. This error most likely resides with the client computer. The client computer may be using the SSL 2.0 protocol and the server may be configured to use client certificates, as indicated by following error in the trace log: SEC_E_ALGORITHM_MISMATCH. This error does not require any action on the part of the administrator.

SSLERROR_INTERNALINCONSISTENCY

The HTTP Filter service failed because the SSL filter detected an internal error. This is a fatal error. The request was rejected. This error can happen during the SSL handshake. This error does not require any action on the part of the administrator.

SSLERROR_INVALIDCONTEXT

The HTTP Filter service failed because the SSL filter detected an internal error. This is a fatal error. The request was rejected. This error can happen during the SSL handshake. This error does not require any action on the part of the administrator.

SSLERROR_RENEGOTIATION

The HTTP Filter service failed while the client certificate was being renegotiated. This is a fatal error. The request was rejected. The source of this problem may be in the secure channel (Schannel) call or an internal error. This error can happen during the SSL handshake. This error does not require any action on the part of the administrator.

SSLERROR_USERDATADURINGRENEGOTIATION

The HTTP Filter service failed during the SSL renegotiation handshake. This is a fatal error. The request was rejected. This is an internal error. This error does not require any action on the part of the administrator.

ENDCONNECTION

The HTTP Filter service closed the connection and all data has been sent.

SSLCLIENTCERTINFO

This event tells you the details of the client certificate that was negotiated during the SSL handshake.

SSLCREDENTIALINFO

This event tells you the credentials that will be used during the SSL handshake.

SSLDECRYPTEDDATA

The HTTP Filter service successfully decrypted the client data and wrote the data as clear text into the ETW log. The HTTP Filter service may limit the amount of decrypted data going into the ETW log to 32K.

SSLENDHANDSHAKE

The HTTP Filter service successfully completed the SSL handshake.

SSLSCHANNELCALL

The HTTP Filter service is monitoring calls into the Schannel, which implements the SSL protocol handling.

SSLSTARTHANDSHAKE

The HTTP Filter service started an SSL handshake on a secure connection. This event can be triggered in two situations:

  • This is a new connection to the secure port.

  • This is a renegotiation when client-certificate authentication is requested, but the initial SSL handshake did not include the request for client authentication.

SSLTOBEENCRYPTEDDATA

The HTTP Filter service received the clear-text data and is preparing to encrypt that data.

STARTCLOSECONNECTION

The HTTP Filter service has started to shut down the client connection. The connection may still contain data.

STARTCONNECTION

The HTTP Filter service was notified by HTTP.sys that a client has connected to a secure port.

World Wide Web Service Global Tracing Events

These events describe WWW service actions but exclude request-processing events.

Event Description

FILTER_UNLOAD_END

A worker process finished unloading an Internet Server API (ISAPI) filter. A worker process will unload an ISAPI filter during normal shutdown. The name of the unloaded filter is identified by the Filter Name property in the trace log.

FILTER_UNLOAD_START

A worker process started unloading an ISAPI filter. A worker process will unload an ISAPI filter during normal shutdown. The name of the unloaded filter is identified by the Filter Name property in the trace log.

GLOBAL_PROCESS_SHUTDOWN_MODE

A worker process was told by the WWW Service to stop listening for new requests and to shutdown. This can happen for a variety of reasons, including a process recycle. This is not a crash. If a worker process was instructed to shutdown immediately, then the worker process also shutdown all Common Gateway Interface (CGI) scripts. This event is followed by the GLOBAL_W3_SERVER_SHUTDOWN_START event.

GLOBAL_W3_SERVER_SHUTDOWN_END

A worker process finished shutting down and finished cleaning up after its objects.

GLOBAL_W3_SERVER_SHUTDOWN_START

A worker process is preparing to shutdown and preparing to clean up after its objects.

GLOBAL_W3_SERVER_INIT_ERROR

This is an internal error. A worker process failed one of its initialization routines. The INITSTATUS event indicates how far the worker process got in its initialization routine. The ERROR CODE event indicates the Win32 error received when trying to execute the initialization routine. Recycle the application pool. If the problem persists, contact Microsoft Product Support Services. Tell the support engineer the value of the INITSTATUS and ERROR CODE properties.

FILTER_LOAD_END

A worker process finished loading an ISAPI filter. If the ERROR CODE event for this event is zero, the filter loaded successfully. If the ERROR CODE event is a numeric value other than zero, the filter did not load. The Windows NT Event log will contain more information explaining why the filter did not load. If the problem persists, contact Microsoft Product Support Services.

FILTER_LOAD_START

A worker process is attempting to load an ISAPI filter. The Filter Name property indicates the name of the filter the worker process is attempting to load.

GLOBAL_PROCESS_START_INFO

A worker process is starting up. This event records the parameters passed to the worker process during startup, including command-line arguments, which mode the worker process is running in, the identity under which the process is running, and the processor affinity mask for that process.

GLOBAL_ULATQ_START_LISTENING

A worker process started listening for requests from HTTP.sys.

GLOBAL_W3_SERVER_END

A worker process finished initializing. The worker process is ready to process requests.

GLOBAL_W3_SERVER_START

A worker process has started up and is beginning initialization.

GLOBAL_CACHE_START

The worker process caches are about to be initialized. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_CERTIFICATE_START

A worker process is about to initialize the certificate object wrapper. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_CGI_RESTRICTION_LIST_START

A worker process is about to initialize the CGI restriction list. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_COMPRESSION_START

A worker process is about to initialize HTTP compression. Failure to initialize HTTP compression does not result in a failure to initialize the worker process. The worker process will continue to run, but will not be able to compress files. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_FILTER_START

A worker process is about to initialize global ISAPI filters. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_IISUTIL_START

A worker process is about to initialize the IISUTIL (a set of common utility routines). If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_ISAPI_RESTRICTION_LIST_START

A worker process is about to initialize the ISAPI restriction list. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_LOGGING_START

A worker process is about to initialize logging. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_METABASE_LISTENER_START

A worker process is about to initialize the metabase listener, which monitors the metabase for changes. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_METABASE_START

A worker process is about to initialize the metabase. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_MIME_MAP_START

A worker process is about to initialize the Multipurpose Internet Mail Extensions (MIME) map. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_RAW_CONNECTION_START

A worker process running in IIS 5.0 isolation mode is about to initialize stream filter support. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_RESOURCE_DLL_START

A worker process is about to load its resource DLL. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_SERVER_VARIABLE_START

A worker process is about to initialize the global server variables. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_SITE_LIST_START

A worker process is about to initialize the site list. This means the objects that will store the list of sites have been initialized by the worker process. This does not mean the list of sites have been completely loaded into the worker process. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_ULATQ_START

A worker process is about to initialize communication to HTTP.sys and the World Wide Web Publishing Service (WWW service). If the worker process initializes communication, this event will be followed with a GLOBAL_FILTER_START event. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_W3_CONNECTION_START

A worker process is about to initialize the connection table. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_W3_CONTEXT_START

A worker process is about to initialize its World Wide Web context. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_W3_REQUEST_START

A worker process is about to initialize the request object. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_W3_RESPONSE_START

A worker process is about to initialize the response object. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_W3_SITE_START

A worker process is about to initialize the World Wide Web site object. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

GLOBAL_W3_WINSOCK_START

A worker process is about to initialize Winsock for network address translation. In IIS 6.0, Winsock is not used as the transport layer. The kernel-mode driver, HTTP.sys, is the request/response transport layer. If the action fails, the GLOBAL_W3_SERVER_INIT_ERROR will be written to the trace log.

IIS: WWW ISAPI Extensions

Event Description

CALL_ISAPI_EXTENSION

A worker process is about to pass a request to the ISAPI extension.

ISAPI_EXTENSION_DONE

The client computer received the final response from the ISAPI extension or disconnected. The ISAPI context for this request has been reclaimed. When tracing for capacity planning purposes, calculate the delta between the NOTIFY_ISAPI_COMPLETION event and this event to determine how long it took to send the last bit of the response.

NOTIFY_ISAPI_COMPLETION

The ISAPI extension sent the last segment of the response. The ISAPI extension is done with the request.

IIS: WWW Server

Event Description

AUTH_ANON_PASSWD_CHANGE_NEEDED

The virtual directory is configured for anonymous authentication. The password for the anonymous user ID has expired or needs to be changed per policy. To resolve this issue, reset the anonymous user password in two places:

  • The IIS metabase

  • The Local Users and Groups node of the Computer Management MMC snap-in

To reset the anonymous user password in the IIS metabase:

  1. Enter the following command at a command prompt: cscript.exe adsutil.vbs set w3svc/site number/AnonymousUserPass new password

  2. Press ENTER.

or

  1. Open IIS Manager, expand the Local Computer, right-click the Web site or virtual directory where you want to change the Anonymous Authentication password and click Properties.

  2. Click the Directory Security tab.

  3. In the Authentication and access control section, click Edit.

  4. Change the password in the Password text box.

  5. Click OK.

To reset the anonymous user password in the Local Users and Groups node of the Computer Management MMC snap-in

  1. Right-click My Computer and click Manage.

  2. Expand the Local Users and Groups node and click Users.

  3. Right-click the anonymous user account (IUSR_machine name) and click Set password.

  4. Click OK.

AUTH_INVALID_ANON_ACCOUNT

The virtual directory is configured for anonymous authentication. The anonymous user name for this virtual directory does not exist or is an invalid account. To resolve this issue, ensure that the user name stored in the AnonymousUserName Metabase Property exists on the computer or is available to the computer in the case of a domain account.

AUTH_BAD_BASIC_HEADER

The server computer requires Basic authentication to access the requested URL. The client computer supplied an invalid basic header or failed to supply a basic header. The request failed. This server sent an HTTP 401: Unauthorized response.

AUTH_BASIC_LOGON_FAILED

The client attempted to authenticate using basic authentication. The client supplied an invalid user name and/or password. The request failed. This server sent an HTTP 401: Unauthorized response.

AUTH_IISDIGEST_LOGON_FAILED

The client attempted to authenticate using digest authentication. The client supplied an invalid user name and/or password. The request failed. This server sent an HTTP 401: Unauthorized response.

AUTH_NTLM_NULL_SESSION

The virtual directory is configured for NTLM authentication. The client computer did not provide a user name and/or password during authentication. The request failed. This server sent an HTTP 401: Unauthorized response.

AUTH_PASSPORT_LOGON_FAILED

The virtual directory is configured for Passport authentication. The client computer provided an invalid user name and/or password during authentication. The request failed. This server sent an HTTP 401: Unauthorized response.

AUTH_PASSWD_CHANGE_DISABLED

The authenticated user’s password is about to expire and the server is not configured for password change according to the PasswordChangeFlags metabase property. Configure the IIS 6.0 server for password change. For more information, see the PasswordChangeFlags Metabase Property.

AUTH_PASSWD_CHANGE_NEEDED

The user's password needs to be changed. IIS is about to change the user's password as configured by the PasswordChangeFlags metabase property. For more information, see the PasswordChangeFlags Metabase Property.

AUTH_SSPI_LOGON_FAILED

IIS attempted to logon to the user with the credentials supplied in the client request. The logon failed due to invalid credentials. Logon was denied.

AUTH_TYPE_NOT SUPPORTED

The client requested an authentication type that is not configured on the IIS server in the metabase. The server is not configured for the authentication type requested by the client.

AUTH_WDIGEST_LOGON_FAILED

IIS attempted to logon the user using Windows Digest Authentication (Advanced Digest Authentication). The authorization attempt failed.

AUTH_END

IIS finished the logon attempt. Authentication for this request is finished.

AUTH_REQUEST_AUTH_TYPE

IIS determined the authentication type requested by the client computer. This authentication type is included in the trace log with this event.

AUTH_SSPI_CONTINUE_NEEDED

The server needs to continue the authentication handshake between the client and the server. The server sent an HTTP 401: Bad Logon response. The response included the WWW authenticate header.

AUTH_START

IIS started authenticating the request.

AUTH_SUCCEEDED

The request was successfully authenticated. This event includes the following information:

  • The requested authentication type

  • The remote user's name

  • The local user name

  • The impersonation level

IIS: CGI

Event Description

CGI_END

IIS finished processing the CGI. IIS may still be processing the request.

CGI_START

IIS started executing a CGI.

CGI_HEADERS_RECIEVED

IIS received the complete set of HTTP response headers generated by the CGI.

CGI_LAUNCH

The CGI executable process has been created and launched.

CGI_PREMATURE_TERMINATION

A CGI terminated unexpectedly. The server sent an HTTP 502: Premature Exit error code to the client. Investigate why the CGI failed or debug the CGI executable.

CGI_REQUEST_ENTITY_SENT

The CGI sent the complete request-entity body.

CGI_TIMEOUT

The CGI timed out. The server sent an HTTP 502: Timeout error to the client. Investigate why the CGI timed out or debug the CGI executable.

IIS: CACHE

Event Description

FILE_CACHE_ACCESS_END

IIS finished checking the file cache for the requested file. The trace log for this event includes the following information:

  • Whether the file was found in the cache

  • Whether the file was added to the cache

  • Whether the directory where the file resides is being monitored for changes

  • Whether IIS encountered an error when checking the last-modified date stamp on the file

  • Whether IIS ignored the error for the last-modified date stamp on the file

FILE_CACHE_ACCESS_START

IIS started to check the file cache for the requested file.

HTTPSYS_CACHEABLE

IIS checked to see if a response could be cached in the HTTP.sys response cache. For information about the HTTP.sys response cache and why a response was not cached, see Events and Conditions That Disable HTTP.sys Response Caching.

URL_CACHE_ACCESS_END

IIS finished checking the URL metadata configuration cache for the requested URL. The trace log details for this event indicate whether or not the URL was added to the cache.

URL_CACHE_ACCESS_START

IIS started checking the metadata cache for the URL metadata.

IIS: Compression

Event Description

DYNAMIC_COMPRESSION_NOT_SUCCESS

IIS could not compress the dynamic response. Ensure that dynamic compression is enabled.

DYNAMIC_COMPRESSION_START

IIS attempted to compress a dynamic response (any request that is not static).

DYNAMIC_COMPRESSION_SUCCESS

IIS verified various criteria for dynamic compression, including whether the client can accept compressed responses and whether the server is configured for dynamic compression. IIS is ready to start compressing the entity body for the dynamic response.

STATIC_COMPRESSION_CREATE_END

IIS attempted to compress a static file and store the compressed response in the IIS Temporary Compressed Files directory (by default). The trace log for this event indicates the error code, if any. If the trace log for this event shows a zero, the response was successfully compressed. The trace log also indicates the original file name and size and the compressed file name and size. Use this information to determine how much the static file was compressed.

STATIC_COMPRESSION_CREATE_START

IIS started compressing a static file. IIS will attempt to store the compressed response in the IIS Temporary Compressed Files directory (by default).

STATIC_COMPRESSSION_NOT_SUCCESS

IIS attempted to compress a static file but failed. The trace log for this event contains details about the error. IIS will attempt to compress the file again on the next request.

STATIC_COMPRESSION_START

IIS started compressing the static file.

STATIC_COMPRESSION_SUCCESS

IIS found the requested file in the IIS Temporary Compressed Files directory (the default directory) and is preparing to send it.

DYNAMIC_COMPRESSION_DO

IIS dynamically compressed a portion of the response.

IIS: Filter

Event Description

FILTER_END

An ISAPI filter finished processing a request.

FILTER_START

An ISAPI filter started processing a request. The filter name is indicated in the event.

FILTER_ERROR

An ISAPI filter returned an error after processing a request. The error number is indicated in the event.

FILTER_ACCESS_DENIED_END

An ISAPI filter that requested SF_NOTIFY_ACCESS_DENIED notification finished processing a request.

FILTER_ACCESS_DENIED_START

An ISAPI filter that registered for the SF_NOTIFY_ACCESS_DENIED notification denied access to a request. The trace log for this event contains the name of the requested URL, the physical path, and the reason why the request was denied access.

FILTER_ADD_REQ_HEADER

An ISAPI filter that has registered for the PREPROC_HEADER notification added additional headers to the request. This event is triggered each time the filter adds a header to the request. The trace log for this event contains the header name and value.

FILTER_ADD_RESP_HEADER

An ISAPI filter that registered for the SEND_RESPONSE notification added additional headers to the response. This event is triggered each time the filter adds a header to the response. The trace log for this event contains the header name and value.

FILTER_AUTHENTICATION_END

The SF_NOTIFY_AUTHENTICATION notification completed. The trace log for this event contains the final user name and whether or not the user name changed.

FILTER_AUTHENTICATION_START

IIS started the SF_NOTIFY_AUTHENTICATION notification. IIS logs this event only if a filter has registered for this notification The trace log for this event contains the original user name.

FILTER_AUTH_COMPLETE_END

The ISAPI filter finished reporting the SF_NOTIFY_AUTHENTICATION event. The trace log for this event includes the final user name (in case the filter changed the user name) and whether or not the password changed.

FILTER_AUTH_COMPLETE_START

The ISAPI filter registered for the SF_NOTIFY_AUTHENTICATION filter event notification and is about to be notified.

FILTER_END_OF_REQUEST_END

The ISAPI filter finished handling the SF_NOTIFY_END_OF_REQUEST filter event notification.

FILTER_END_OF_REQUEST_START

The ISAPI filter is about to handle the SF_NOTIFY_END_OF_REQUEST filter event.

FILTER_LOG_END

The ISAPI filter finished handling the SF_NOTIFY_LOG filter event notification. The trace log for this event contains the final log data parameters.

FILTER_LOG_START

The ISAPI filter is about to handle the SF_NOTIFY_LOG filter event notification. The event contains the original data to be logged.

FILTER_PREPROC_HEADERS_END

The ISAPI filter finished handling the SF_NOTIFY_PREPROC_HEADERS filter event notification.

FILTER_PREPROC_HEADERS_START

The ISAPI filter is about to handle the SF_NOTIFY_PREPROC_HEADERS filter event notification.

FILTER_SEND_RAW_DATA_END

The ISAPI filter handled the SF_NOTIFY_SEND_RAW_DATA filter event notification.

FILTER_SEND_RAW_DATA_START

The ISAPI filter is about to handle the SF_Nofity_Send_Raw_Data filter event notification.

FILTER_SEND_RESPONSE_END

The ISAPI filter handled the SF_NOTIFY_SEND_RESPONSE_START filter event notification.

FILTER_SEND_RESPONSE_START

The ISAPI filter is about to handle the SF_NOTIFY_SEND_RESPONSE_START filter event notification.

FILTER_SET_REQ_HEADER

An ISAPI filter successfully set an HTTP request header. This event is logged each time a request header is set. The trace log for this event contains the header name and header value.

FILTER_SET_RESP_HEADER

An ISAPI filter successfully set an HTTP response header. This event is logged each time a response header that is set. The trace log for this event contains the header name and header value.

FILTER_URL_MAP_END

The ISAPI filter handled the SF_NOTIFY_URL_MAP_START filter event notification. The trace log contains the following information for this event:

  • The original URL

  • The file path

  • Access permission for the URL

  • The number of matching characters in the physical path

  • The number of matching characters in the URL

  • The script map entry for this URL

FILTER_URL_MAP_START

The ISAPI filter is about to handle the SF_NOTIFY_URL_MAP_START filter event notification. The trace log contains the following information for this event:

  • The original URL

  • The file path

  • Access permission for the URL

  • The number of matching characters in the physical path

  • The number of matching characters in the URL

  • The script map entry for this URL

IIS: General

Event Description

GENERAL_CGI_HANDLER

IIS determined that the request was for a CGI and started processing that CGI.

GENERAL_CHILD_REQUEST_END

The child execution completed and the child context was deleted. The trace log for this event contains the response status code, sub-status codes, and the number of bytes sent.

GENERAL_CHILD_REQUEST_START

IIS started to execute the child request.

noteNote
An ISAPI extension can call HSE_REQ_EXECUTE_URL to re-execute a request.

The trace log for this event contains the following:

  • The site id

  • The new URL to execute

  • The new verb to execute

  • The number of times the verb/URL has been re-executed

GENERAL_DAV_HANDLER

IIS determined that the incoming request was a Web Distributed Authoring and Versioning (WebDAV) request.

GENERAL_ISAPI_HANDLER

IIS set up the initial context for the ISAPI, but has yet to determine if the ISAPI extension is enabled.

GENERAL_MAP_HANDLER

IIS started processing a map file request.

GENERAL_OOP_ISAPI_HANDLER

IIS determined that the request was for an ISAPI extension that is Out of Process. This is only applicable in IIS 5.0 Isolation mode.

GENERAL_OPTIONS_HANDLER

IIS started processing the Options request. A client request can use an Options method to determine the options available once it connects to the server.

GENERAL_REDIRECTION_HANDLER

IIS started sending the configured redirect-response to the client.

GENERAL_REQUEST_END

IIS completely finished processing the request and the response. The response was sent to the client.

GENERAL_REQUEST_START

An IIS worker process picked up a request from HTTP.sys and successfully associated that request with a site on the server. This event is logged before any filter notifications are triggered. This event marks the beginning of the request in the worker process.

GENERAL_SEND_CUSTOM_ERROR

The response status and sub-status codes have been generated. The HTTP status code is greater than or equal to 400 (that is, the requested generated an error). The custom error will be sent to the client if one of the following is true:

  • The request and all of its children allow an error body to be sent back to the client

  • The response code is greater than 400.

Note

This event is logged before IIS checks to see if the customer (if configured as a file) exists.

GENERAL_STATIC_FILE_HANDLER

IIS started processing a request for a static file.

GENERAL_TRACE_HANDLER

IIS started processing a request whose method is Trace.

GENERAL_GET_URL_METADATA

IIS found the URL metadata in the cache, or IIS created a new URL metadata cache object for the request.

IIS: ISAPI

Event Description

ISAPI_END

IIS started its cleanup routine after a request was processed by an ISAPI.

ISAPI_START

IIS is about to call into the ISAPI extension.

IIS: Security

Event Description

SECURITY_DENIED_BY_CGI_RESTRICTION

A request was either script-mapped to a CGI or called a CGI directly and that CGI was not enabled in the Web Service Extensions.

SECURITY_DENIED_BY_ISAPI_RESTRICTION

A request was either script-mapped to an ISAPI or called an ISAPI directly and that ISAPI was not enabled in the Web Service Extensions.

SECURITY_DENIED_BY_MIMEMAP

IIS could not locate a MIME map for the requested static file. IIS sent an HTTP 404.3 status code to the client.

SECURITY_FILE_ACCESS_DENIED

A request attempted to load the default file for a virtual directory and the file was either not found (the path was not found) or the requested resource had an invalid name. The trace log for this event contains the requested file system path and the user name (including domain) used to access the requested file. Check the file system ACL on the requested resource and verify that the user name has permission to access the file.

SECURITY_ILLEGAL_SHORT_FILENAME

A requested resource contains a short file name which expands to something other than the actual resource indicated. For example: /~test expands to /testsite/user/filename

SECURITY_REJECTED_HOSTNAME

The client computer's host name is not allowed. IIS rejected the request. For more information, see Securing Sites with IP Address Restrictions.

SECURITY_REJECTED_IP

The originating client IP address is listed in the Web server's IP address restriction list. IIS rejected the request. For more information, see Securing Sites with IP Address Restrictions.

SECURITY _REJECTED_REQUIRED_SSL_128

The requested directory requires 128-bit SSL encryption. IIS rejected the request. For more information, see IIS 6.0 Encryption.