Topic Last Modified: 2009-02-25

This topic provides information about how to determine the names of users who run the Get-MessageTrackingLog cmdlet in the Exchange Management Shell. 

After you enable the LogPipeLineExecutionDetails registry entry to see who has accessed the message tracking logs, event ID 800 is logged in the Powershell log every time that a user runs the Get-MessageTrackingLog cmdlet in the Exchange Management Shell. However, event ID 800 does include the name of the user who ran the Get-MessageTrackingLog cmdlet. Event ID 800 information resembles the following:

Event Type: Information

Event Source:PowerShell

Event Category: (8)

Event ID: 800

Description: The description for Event ID ( 800 ) in Source ( PowerShell ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details.

To resolve this issue, install Update Rollup 5 for Exchange 2007 Service Pack 1. For more information about Update Rollup 5 for Exchange 2007 Service Pack 1, see Microsoft Knowledge Base article 953467, Description of Update Rollup 5 for Exchange Server 2007 Service Pack 1

After you install Update Rollup 5 for Exchange 2007 Service Pack 1, create a 2 Client Monitoring registry entry on the Exchange Hub Transport server. After you install the update and create the registry entry, user information appears in event ID 7020. However, user information is still not included in event ID 800.

Event ID 7020 is logged in the Application log, and it resembles the following:

Event Type: Information

Event Source: MSExchangeTransportLogSearch

Event Category: Client Monitoring

Event ID: 7020

Description: Client <domain\user> issued the following transport log search request: <?xml version="1.0" encoding="utf-8"?>
To create a 2 Client Monitoring registry entry on the Exchange Hub Transport server

  1. Start Registry Editor.

  2. Expand the following subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransportLogSearch

  3. Right-click MSExchangeTransportLogSearch, point to New, and then click DWORD Value.

  4. Type 2 Client Monitoring, and then press ENTER to name the new value.

  5. Right-click 2 Client Monitoring, and then click Modify.

  6. In the Edit DWORD Value dialog box, click Decimal under Base.

  7. In the Value data box, type 1, and then click OK.

  8. Exit Registry Editor.