VBScript ; Event ID 36 IWAM IIS Monitor

VBScript ; Event Log Monitor – Event ID36 W3SVCS and DCOM 10004 Errors

IIS IWAM accounts usually automatically sync every 7 days. This process was causing chaos on our AD domain with a variety of different IIS servers; from Citrix Web Interface servers to VMWare management pages.

Page Cannot Be Displayed Errors are accompanied by DCOM 10004 errors and W3SVC 36 errors in the System Event log. The problems can be resolved by running the ‘syniwam.vbs’ script. In order to both detect and eliminate this problem whilst we troubleshooted the root cause I wrote a script that would detect these errors in the event log and automatically run the synciwam.vbs script.

The vbscript file must be configured to run every 5 minutes on the server you wish to protect. The script will establish the local time difference from UTC (which is required when searching the event log). Once found it will check the System Event Log for any event code 36 errors in the last 5 minutes. If there are any the script will call the synciwam.vbs script file. The script will then send an email to the desired user via a mail server of choice. I have highlighted the code that you must change in bold.

You can change the search period and increase it from 5 minutes if required. I have made the text red on this part of the script. Remember if you do this to change the frequency of the scheduled task to match your required time period.

‘Event Log checker to protect IIS Web Sites

‘Contact Chris Bradford for details.

‘Option Explicit
Const ForReading = 1
Const ForWriting = 8

Dim objFso, objFolder, objWMI, objEvent ‘ Objects
Dim strFile, strComputer, strFolder, strFileName, strPath ‘ Strings
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents, arrHistory, Compare

For Each LocalTimeZone in GetObject(“winmgmts:”).InstancesOf(“Win32_ComputerSystem”)
TimeZoneOffset = LocalTimeZone.CurrentTimeZone

Wscript.Echo “The current time difference is ” & TimeZoneOffset & ” minutes (” & TimeZoneOffset/60 & ” hrs)”

DateToCheck = CDATE(DateAdd(“n”,-5,Now))

If TimeZoneOffset > 0 Then
UTCDate = DateAdd(“n”, -ABS(TimeZoneOffset), DateToCheck)
UTCDate = DateAdd(“n”, ABS(TimeZoneOffset), DateToCheck)
End if

WScript.Echo “UTC Date/Time: ” & UTCDate

Set objNetwork = CreateObject(“Wscript.Network”)
strComputerName = objNetwork.ComputerName

‘ ——————————————–
‘ Set your variables
intNumberID = 36 ‘ Event ID Number
intRecordNum = 0

strComputer = “.”

Set objWMI = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)

WScript.Echo “Looking for events newer than: ” & UTCDate & “(UTC Date) and event ID: ” & intNumberID

Set colLoggedEvents = objWMI.ExecQuery(“Select * from Win32_NTLogEvent Where Logfile = ‘System’ AND TimeWritten > ‘” & UTCDate & “‘ and EventCode = ’36′”)

intEvent = 0
For Each objEvent in colLoggedEvents
IntEvent = intEvent +1

WScript.Echo “Number of errors: ” & IntEvent

If intEvent > 0 Then
WScript.Echo “Error detected”
Set objShell = CreateObject(“WScript.Shell”)

command = “cscript.exe “
command_arg1 = “D:\Inetpub\AdminScripts\synciwam.vbs” ‘Location of synicwam AdminScript
objShell.Run command & command_arg1
End If

Sub SendEMail
Set objMessage = CreateObject(“CDO.Message”)

‘==This section provides the configuration information for the remote SMTP server.
‘==Normally you will only change the server name or IP.

objMessage.Configuration.Fields.Item _
(“http://schemas.microsoft.com/cdo/configuration/sendusing”) = 2

‘Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
(“http://schemas.microsoft.com/cdo/configuration/smtpserver”) = “mailserver”

‘Server port (typically 25)
objMessage.Configuration.Fields.Item _
(“http://schemas.microsoft.com/cdo/configuration/smtpserverport”) = 25


‘==End remote SMTP server configuration section==

objMessage.Subject = strComputerName & “: W3SVC Error.”
objMessage.From = strComputerName & “@yourdomain.com”
objMessage.To = [email protected]
objMessage.TextBody = “W3SVC error detected on ” & ServerName & vbCr & vbCr & “synciwam.vbs automatically script run.”
End Sub