Event ID 4021 — Security Performance Counter Availability

Security Performance Counters are collected and used by services and applications. If they are installed incorrectly or with improper permissions, those services or applications cannot collect or interpret the data.

Event Details

Diagnose

This error might be caused by one of the following conditions:

• The list of counters is corrupted.
• The Remote Registry service is not running on a remote computer.
• The application is running as a user with insufficient privileges.

If a Windows system error code containing four or five digits is included, you can find the explanation of the error code at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=83027). This information can help you identify the correct resolution.

The list of counters is corrupted

If the performance counter cannot unload the strings for the specified service, the registry might be corrupted. To correct this problem, follow the steps in "Rebuild the list of available counters."

The Remote Registry service is not running on a remote computer

In order to collect performance counters remotely, the Remote Registry service must be running on the destination computer.

You must be a member of the local Administrators group for the destination computer to change the service settings.

To check if the Remote Registry service is running

1. On the destination computer, click Start.
2. In the Start Search text box, type compmgmt.msc, and then press ENTER. Microsoft Management Console (MMC) starts.
3. In the navigation tree, expand Services and Applications, and then click Services.
4. In the Services list, scroll to and then click Remote Registry.
5. Ensure that the status of the Remote Registry service is Started. If it is not, follow the steps in "Start the Remote Registry service."

The application is running as a user with insufficient privileges

To view performance counters, a user account must belong to the local Performance Monitor Users group, Performance Log Users group, Administrators group, or equivalent. Applications that run as a user or system account with insufficient privileges may not be able to load performance counters correctly. Follow the steps in "Run the application as a user with sufficient privileges" to correct this problem.

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Rebuild the list of available counters

To resolve this issue, rebuild the list of available counters.

To rebuild the list of counters in the registry

1. On the computer where performance data cannot be collected, click Start, expand All Programs, and then expand Accessories.
2. Right-click Command Prompt, and then click Run as administrator.
3. At the command prompt, type lodctr /r, and then press ENTER.

Start the Remote Registry service

To resolve this issue, start the Remote Registry service.

You must be a member of the local Administrators group to change service settings.

To start the Remote Registry service

1. On the computer where performance data cannot be collected, click Start.
2. In the Start Search text box, type compmgmt.msc, and then press ENTER. Microsoft Management Console starts.
3. In the navigation tree, expand Services and Applications, and then click Services.
4. In the Services list, right-click Remote Registry, and then click Properties.
5. In the Startup type list, click Automatic, and then click OK.
6. If the service does not start automatically, right-click Remote Registry in the services list, and then click Start.

Run the application as a user with sufficient privileges

To resolve this issue, run the appplication as a user with sufficient privileges.

By default, an application runs with the same privileges as the user who started it. You can configure services to run as the local system account or as a specific user. You can also start an application as Administrator, but, with User Account Control enabled, you must confirm that you want to start the application each time it runs if it is configured to run as Administrator.

Consider running services that collect performance counter data as the local system account to resolve privilege issues.

If for security reasons you do not want to run the application or service as the local system account, you can add the user that the application runs as to the Performance Log Users group and assign the group the Log on as a Batch Job user right to enable performance counter collection each time the application runs.

You must be a member of the local Administrators group of the destination computer to complete these procedures.

To add a user to the Performance Log Users group

1. Click Start, in the Start Search box type compmgmt.msc, and then press ENTER.
2. Expand System Tools, expand Local Users and Groups, and click Groups.
3. In the list of groups, right-click Performance Log Users, and then click Add to Group.
4. On the General tab, click Add.
5. Type the name of the user who you want to add, or click Advanced to search the directory for a user.
6. When you finish adding users, click OK, and then click OK again to close the Performance Log Users property page.

Assign the Log on as a batch job user right to the Performance Log Users group

In order for members of the Performance Log Users group to initiate data logging or to modify Data Collector Sets, the group must first be assigned the Log on as a batch job user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console (MMC).

To assign the Log on as a batch job user right to the Performance Log Users group

1. Click Start, in the Start Search box type secpol.msc, and then press ENTER. The Local Security Policy snap-in opens in Microsoft Management Console.
2. In the navigation pane, expand Local Policies, and then click User Rights Assignment.
3. In the console pane, right-click Log on as a batch job and then click Properties.
4. On the Properties page, click Add User or Group.
5. In the Select Users or Groups dialog box, click Object Types. Select Groups, and then click OK.
6. Type Performance Log Users in the Select Users or Groups dialog box, and then click OK.
7. Click OK again to close the property page.

Verify

You can use Windows Reliability and Performance Monitor to verify that security performance counters are properly collected and are displayed in a Performance Monitor graph. In addition, you can use the typeperf command to get a list of the available counters on the local system.

You must be a member of the local Administrators group to complete these procedures.

To view counters in Performance Monitor

1. On the Management Server, click Start. In the Start Search text box, type perfmon.exe, and then press ENTER.
2. In the navigation pane, expand Monitoring Tools, and then click Performance Monitor.
3. Click Add to open a list of available performance counters.
4. In the Add Counters dialog box, you can click Help for more information about adding counters. When you finish adding counters to the list, click OK.
5. Verify that the performance counters you selected are displayed in the Performance Monitor graph.

To view a list of counters at the command prompt

1. Click Start, click All Programs, and then click Accessories.
2. Right-click Command Prompt, and then click Run as administrator.
3. At the command prompt, type typeperf -qx and then press ENTER. Verify that the performance counter list contains the expected values.

Related Management Information

Security Performance Counter Availability

Windows EBS