EventTriggers revisited - Who stole my catalog!

  • Article

EventTriggers is my new best friend.

Many moons ago, I blogged about using EventTriggers in my Troubleshooting WSS Event 1000 DB Connectivity Problems post. (Speaking about that problem, expect an updated posting on it soon).

Another scenario came up where I saw how I could utilize it again to determine a problem I'm researching in regards to Search Propagation.

Here's the problem event:

Event Type: Error
Event Source: Microsoft SharePointPS Search Service
Event Category: Search service
Event ID: 7051
Date: X/XX/2006
Time: 12:00:00 AM
User: N/A
Computer: SERVER
Description:
Index propagation to search server <SERVER (IP xxx.xxx.xxx.xxx)> was not accepted.
Context: https://portalserver/ Application, Portal_Content Catalog
Details:
The process cannot access the file because it is being used by another process. (0x80070020)
For more information visit https://www.microsoft.com/servers/redirect/contentredirect2.asp
For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

The event tells us that search propagation was not expected specifically because The process cannot access the file because it is being used by another process.

Some of the typical things you want to rule out first of course are,

  • File Level Antivirus scanning
  • File level backups that may lock those files

If any of those are active, disable them. If they lock the file, then MSSearch cannot open/write/delete them if necessary to propagate, load, etc

If you can't tell specifically what is opening those files outside of MSSearch, then a combination of EventTriggers and the handle tool written by Mark Russinovish can easily determine who is doing what :).

  • First, create a script to execute the handle tool on every file in the catalog folders:

doit.cmd

REM Use for to enumerate over every file in the data directory and issue handle on. Append the output to handle_output.txt on the root of C:\for /R "C:\Program Files\SharePoint Portal Server\DATA" %%f in (*.*) do handle "%%f" >> C\handle_output.txt
  • Then create an event trigger to monitor for the event and then run the command.
eventtriggers /Create /TR "7051 Trigger" /EID 7051 /T "ERROR"/SO "Microsoft SharePointPS Search Service" /TK C:\doit.cmd

Note: It's important to specify the exact path to the script file so that when the event occurs, the script will be run.

The next time the event occurs, the handle_output.txt file will contain a list of processes which have open handles on the file.

Note: You're not limited to just hooking off of event ID 7051, there are other search related events where it might be helpful to do something like this.

See the documentation on EventTriggers to delete the trigger when you are done!

HTH

Keith

For more information on EventTriggers:
https://technet2.microsoft.com/WindowsServer/en/Library/e33bcf4c-dece-4b47-9bb7-31ecfcbc76d51033.mspx

For more information on For:
https://technet2.microsoft.com/WindowsServer/en/Library/7a2c7d08-bf35-414a-8a04-7e870559c82d1033.mspx

For more information on handle:
https://www.sysinternals.com/Utilities/Handle.html