
[STRM/JSA] How to troubleshoot WinCollect Error code 0x0005: Access denied



Article ID: KB29332 KB Last Updated: 01 Feb 2021 Version: 2.0

This article describes how to troubleshoot WinCollect error code 0x0005: Access denied.



For WinCollect agents V7.1.2 and below

The message below is displayed in the device log on the remote Windows host in C:\Program Files (x86)\IBM\WinCollect\logs:

ERROR Device.WindowsLog.EventLogMonitor : Failed to open event log IP address [\\IP address:System]; will try again in approx 60 seconds. Reason: Error code 0x0005: Access is denied.

For WinCollect agents V7.2.0 and above

For WinCollect 7.2.0, agents send Syslog messages that can be viewed from the Log Activity tab.

To filter events by WinCollect agents 7.2.0 and above:

  1. Click the Admin tab.

  2. Click the WinCollect icon.

  3. Select an agent from the list.

  4. Click Show Events.

The Log Activity tab is displayed and filtered by the log sources associated with the selected agent.

The following sample Syslog events can be displayed with, or be associated with, the Access Denied error:

LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=3 log=Code.RegistryCacheInfo.\\IPaddress.InitializeRegistryInfo msg=Failed to query installation language on \\ IP address (Error: Error code 0x0005: Access is denied.). Defaulting to US English.

LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RegistryCacheInfo.\\IPaddress.InitializeEnvironmentInfo msg=Couldn't retrieve environment on machine \\IP address.

LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RemoteMessageFormatter::GetMessageA.IPaddress msg=We can retrieve logs for this machine (\\IP address) but we can't seem to access the machine's registry. This means that the 'Message=' portion of the payload will contain only the insertion values (no formatting will be present). This could adversely affect the parsing of the log by the receiver.



Error code 0x0005: Access denied can be caused by the following:

  1. The user configured in the log source does not have permission to read the remote registry for the system that the user is trying to poll for events.

  2. The Remote Registry service is disabled on the Windows host that the user is trying to poll for events.



WinCollect agents that remotely poll other systems for events use the remote registry to determine the operating system of the remote event source.

These agents read the remote registry to collect information on how to format events into name=value pairs (event formats have changed on Windows operating system versions over the years).

When a WinCollect agent cannot retrieve this information, the Error code 0x0005: Access denied message is displayed.

If you receive the Error code 0x0005: Access Denied message, test that the user configured in your log source can display the remote registry of another Windows host.

If you are remotely polling another Windows host for events, remotely open the event viewer from the system running the WinCollect agent:

  1. Log on to the Windows host that has the WinCollect agent locally installed.

  2. Select Start > Programs > Administrative Tools, and then click Event Viewer.

  3. Click Action > Connect to another computer.

  4. Select the Another computer option and type the IP address or host name of the server you want to remotely poll for events.

  5. Click the Connect as another user check box.

  6. Click Set User.

  7. In the User name field, type the domain/username for the user specified in your log source configuration.

  8. Type the password for the user and click OK.

If this test fails, review permissions or verify that the remote registry permission and services are enabled.

1. Verify that the user in your log source has the correct user rights assignment.

  • The user defined in your log source must be able to read the remote registry of the Windows host that you are polling for events.

  • The access denied error message is common when administrators create a specific user to remotely poll for events, but do not give the user permission to read the remote registry.

  • This issue can be resolved by updating the Group Policy Object or local policy on the remote system to give the user permission to read the remote registry.

  • For additional information on managing remote access to the registry on Windows systems, see the following Microsoft Support article: How to Manage Remote Access to the Registry

2. Verify that the Remote Registry service is enabled on the remote system. (If the Remote Registry service is disabled, the access denied condition can generate 0x0005 error messages.)

  • Log into the remote system.

  • Select Start > Programs > Administrative Tools, and then click Services.

  • In the Status column, the Remote Registry service must display Started.

Note: If the remote operating system is Windows 2003, verify that the error is not an operating system issue.
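
The checks above can also be run from a command line. The script below is an added example, not part of the original article or the product: it assumes Windows PowerShell 5.1 on the WinCollect host, a hypothetical $Target parameter, and a registry key chosen only as a well-known readable location.

```powershell
# Added example; not part of the original article.
# Run in Windows PowerShell 5.1 on the host where the WinCollect agent is installed.
# To test as the log source user, start the session with:
#   runas /netonly /user:DOMAIN\username powershell.exe
param(
    [Parameter(Mandatory = $true)]
    [string] $Target    # IP address or host name of the Windows host being polled
)

# 1. Same test as Event Viewer > Connect to another computer: read one System event.
try {
    $evt = Get-WinEvent -ComputerName $Target -LogName System -MaxEvents 1 -ErrorAction Stop
    "Event log read:       OK (latest System event at $($evt.TimeCreated))"
} catch {
    "Event log read:       FAILED ($($_.Exception.Message))"
}

# 2. Read a value from the remote registry. The key below is an assumption: a
#    well-known location of the OS name, not necessarily what WinCollect reads.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    "Remote registry read: OK ($($key.GetValue('ProductName')))"
    $hklm.Close()
} catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
    # Cause 1 in the article: the user lacks permission to read the remote registry.
    "Remote registry read: ACCESS DENIED for the current user"
} catch [System.IO.IOException] {
    # Raised when the remote registry endpoint cannot be reached, for example
    # if the Remote Registry service is disabled or the host is unreachable.
    "Remote registry read: UNAVAILABLE ($($_.Exception.Message))"
} catch {
    "Remote registry read: FAILED ($($_.Exception.Message))"
}

# 3. Cause 2 in the article: state of the Remote Registry service.
try {
    $svc = Get-Service -Name RemoteRegistry -ComputerName $Target -ErrorAction Stop
    "Remote Registry svc:  $($svc.Status)"
} catch {
    "Remote Registry svc:  could not query ($($_.Exception.Message))"
}
```

An event log read that succeeds while the registry read is denied matches the third sample Syslog event, where logs are retrieved but the registry cannot be accessed.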


Modification History:

2021-02-01: Article reviewed for accuracy; article found to be relevant and valid

