MS Shadow Copy Service Not Working

I have a Dell Dimension running Win XP SP3. I tried to clone the hard drive with Macrium recently and got an error which I was able to trace to the MS Shadow Copy Service. I was unable to get it to start, and tried a number of repairs to no avail.

I looked around some more and found a thread online where they claimed that the issue for them was incorrect registry entries related to permissions.
Located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E
OwnerSID=S-1-5-21-1547161642-682003330-725345543-1003
TypeLib=C:\\Documents and Settings\\Bob\\EVENTCLS.DLL

They replaced the above lines with:
OwnerSID = S-1-5-18
TypeLib = C\Windows\System32\EventsCLS.dll

I checked my other XP machine where the Shadow Copy works and it indeed has the bottom lines as shown in the registry.

So I would like to know if this will work and is it a safe change to make? Will it mess up any software I am running? I have a backup point and exported a copy the registry, but I am anxious about making these types of changes.

It would also be good to understand where the existing lines came from. I would appreciate any insights you can share here.

 

The SID does check out here, and as long as that folder does contain Eventcls.Dll, it appears that it should work.
As to what may have happened, I have these two guesses.
1. When a file appears in the user folder such as here, I immediately suspect malware. But this appears to be something that keeps coming up somewhere so not very likely the case.
2. A mistake in coding. Perhaps using %userprofile%\Eventcls.Dll instead of %windir%\system32\Eventcls.Dll .
BTW, does Eventcls.Dll exist in the "false" location?

 

Here is the entire registry key on the machine with the issue:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"Active "=dword:00000001
"EventClassID "= "{FAF53CC4-BD73-4E36-83F1-2B23F46E513E} "
"EventClassName "= "VssEvent "
"OwnerSID "= "S-1-5-21-1547161642-682003330-725345543-1003 "
"TypeLib "= "C:\\Documents and Settings\\Bob\\EVENTCLS.DLL "
"AllowInprocActivation "=dword:ffffffff
"FireInParallel "=dword:00000000
"EventClassPartitionID "= "{00000000-0000-0000-0000-000000000000} "
"EventClassApplicationID "= "{00000000-0000-0000-0000-000000000000} "
"AllowPerUserInprocActivation "=dword:00000000
"AllowPerUserActivateAsActivator "=dword:00000000
"AllowPerUserMoniker "=dword:00000000

Possibly the result of a repair install?

 

mechanic - I am running a Dell Dimension 9150 from 2005.

Here is what I have in the registry - Hope this helps

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"Active "=dword:00000001
"EventClassID "= "{FAF53CC4-BD73-4E36-83F1-2B23F46E513E} "
"EventClassName "= "VssEvent "
"OwnerSID "= "S-1-5-18 "
"TypeLib "= "C:\\WINDOWS\\system32\\EVENTCLS.DLL "
"AllowInprocActivation "=dword:ffffffff
"FireInParallel "=dword:00000000
"EventClassPartitionID "= "{00000000-0000-0000-0000-000000000000} "
"EventClassApplicationID "= "{00000000-0000-0000-0000-000000000000} "

 

Thanks Barbara-Ann!

Your registry lines look like they are the same as my other machine. and what they are proposing at the other thread I saw.

So I think I can make a change without too much risk. This is the info I need.

 

Most welcome mechanic - glad I could help

 

If you need anything more about your Dell Dimension, send me a message and I will do my best to help