[HOWTO] Fix EventLog Invalid Handle and Powershell Invalid Class
Lately I have been busy with upgrading a lot of servers from Windows 2012R2 and Windows 2016 to Windows Server 2019. The majority of these upgrades have gone through without a hitch. But of course, some breakage is to be expected when you perform tasks like these, and this is no exception.
During the upgrade two servers seemed to be OK: the console showed that they were up, and the Network & Internet settings icon showed that the network was connected and OK. However, when I tried to connect to them via Remote Desktop, the connection failed with the error message Internal Error. They both responded to ping, and one of the servers had the Internet Information Services role enabled, which happily responded over both HTTP and HTTPS.
Luckily I was able to use Powershell on another computer and create a remote PS session using Enter-PSSession, and I was also able to connect to both servers using Event Viewer to examine the logs on both machines.
When I examined the Windows Event Logs, absolutely all entries, no matter which log, contained the text Invalid Handle, and the formatting of the text in the Event Log entries was malformed. Also, when using certain commands over the PS session, many of them failed with an error message containing Invalid Class.
Both these errors pointed towards corruption in the WMI layer (Windows Management Instrumentation). It was likely that the WMI repository was broken after the upgrade, but thankfully this is rather easy to fix, especially seeing as we were able to connect to the servers using both Enter-PSSession and Sysinternals' PsExec.
In this case, I opted to use psexec to connect to the servers and fix the WMI repository. The process was the following:
1) Connect to the server: psexec \\<computername> -h cmd.exe (the -h switch runs cmd.exe with the account's elevated token, which is required for the repair)
2) Disable and stop the WMI service
sc config winmgmt start= disabled
net stop winmgmt
3) Run the following commands to restore the WMI repository
Winmgmt /salvagerepository %windir%\System32\wbem
Winmgmt /resetrepository %windir%\System32\wbem
4) Re-enable the WMI service and reboot
sc config winmgmt start= auto
If the above does not work, you might have to delete the WMI repository completely. The repository is located in %windir%\System32\wbem\repository and you can use for instance rd /s %windir%\System32\wbem\repository to delete the folder, following the same steps as above but replacing step 3 with deleting the repository (the service rebuilds an empty repository on the next start, so any third-party WMI providers may need to be re-registered).
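The same repair, driven over a remote PowerShell session instead of an interactive psexec shell, as an added example that is not part of the original post. It first checks whether the repository actually looks broken (a WMI query that fails with Invalid Class, or winmgmt /verifyrepository reporting an inconsistent repository) and only runs the salvage/reset steps when asked to with -Repair. $ComputerName is a placeholder for the affected server; the script assumes WinRM still works on it, as it did in the case above.

```powershell
# Added example (not from the original post): check a server's WMI repository
# health over a remote PowerShell session and, only on request, run the same
# disable / salvage / reset / re-enable steps described in the post.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # placeholder: the affected server
    [switch] $Repair                                  # without this, the script only reports
)

$remote = {
    param([bool] $DoRepair)

    # 1) Health check: a healthy repository answers this query; a corrupt one
    #    typically throws "Invalid class" (the symptom seen over the PS session).
    $healthy = $true
    try {
        $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    } catch {
        $healthy = $false
        Write-Warning "WMI query failed on $env:COMPUTERNAME - $($_.Exception.Message)"
    }

    # winmgmt /verifyrepository reports consistency without changing anything.
    # Match on "is consistent" so that "is INCONSISTENT" is not mistaken for a pass.
    $verify = (& winmgmt.exe /verifyrepository 2>&1) -join ' '
    Write-Output "verifyrepository: $verify"
    $consistent = $verify -match 'is consistent'

    if ($healthy -and $consistent) {
        Write-Output "WMI repository on $env:COMPUTERNAME looks healthy; nothing to do."
        return
    }
    if (-not $DoRepair) {
        Write-Output "Repository looks broken; re-run with -Repair to salvage/reset it."
        return
    }

    # 2) Disable and stop the WMI service (same as 'sc config' / 'net stop' above).
    #    -Force also stops services that depend on winmgmt.
    Set-Service -Name winmgmt -StartupType Disabled
    Stop-Service -Name winmgmt -Force

    # 3) Salvage first; only fall back to a reset if the repository is still inconsistent.
    $wbem = Join-Path $env:windir 'System32\wbem'
    & winmgmt.exe /salvagerepository $wbem
    $after = (& winmgmt.exe /verifyrepository 2>&1) -join ' '
    if ($after -notmatch 'is consistent') {
        Write-Warning "Salvage did not restore consistency; resetting the repository."
        & winmgmt.exe /resetrepository $wbem
    }

    # 4) Re-enable and start the service; the reboot is left to the operator.
    Set-Service -Name winmgmt -StartupType Automatic
    Start-Service -Name winmgmt
    Write-Output "Repair commands completed on $env:COMPUTERNAME; reboot the server to finish."
}

# Run the block on the target over WinRM (Enter-PSSession still worked in the case above).
Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ArgumentList $Repair.IsPresent
```

Run it once without -Repair to confirm the diagnosis before touching the service; the verifyrepository output also gives you something to keep in the change record for the upgrade.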
If you are still having issues, try running the following tools:
- sfc /scannow
Best of luck! 🙂