June Update Causes EventLog Error 30

I’ve now seen this on two machines running Windows Server 2012 R2 Essentials: after installing the June 2018 Windows updates, the server suddenly raises Microsoft-Windows-Eventlog event ID 30 regarding the ShimEngine.

Log Name:      System
Source:        Microsoft-Windows-Eventlog
Event ID:      30
Task Category: Service startup
Level:         Error
Keywords:      Service availability
User:          LOCAL SERVICE
Description:
The event logging service encountered an error (5) while enabling publisher {0bf2fb94-7b60-4b4d-9766-e82f658df540} to channel Microsoft-Windows-Kernel-ShimEngine/Operational. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

You can duplicate the error by disabling and re-enabling a specific event log: Microsoft-Windows-Kernel-ShimEngine/Operational.

[Screenshot: EventLog error 30 1]

Fortunately, the fix was very well documented over a year ago in this article:

https://p0w3rsh3ll.wordpress.com/2017/03/20/etw-provider-security-fix-event-id-30

I won’t duplicate the steps here, but in summary, you need to run Performance Monitor (perfmon.exe) as Administrator, go to Data Collector Sets > Event Trace Sessions > EventLog-System > Properties > Trace Providers > Microsoft-Windows-Kernel-ShimEngine > Security, then grant LOCAL SERVICE permission on TRACELOG_GUID_ENABLE (uncheck all other permissions for LOCAL SERVICE).

[Screenshot: EventLog error 30 2]

Important: Do click Apply and OK on the Security Settings dialog (right side above). Then click Cancel in the EventLog-System Properties dialog (left side above). If you click OK there, you’ll get an “Access Denied” message, but that doesn’t affect this fix.

Test the fix by disabling and re-enabling the Microsoft-Windows-Kernel-ShimEngine/Operational event log. No error should appear in the System event log.
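The test above can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post; the channel name and publisher GUID come from the event text above, and the 5-second wait is an assumed delay.

```powershell
#Requires -RunAsAdministrator
# Added example: toggles the ShimEngine channel and checks for a new event ID 30.
$channel   = 'Microsoft-Windows-Kernel-ShimEngine/Operational'
$publisher = '{0bf2fb94-7b60-4b4d-9766-e82f658df540}'

# Remember the channel's current state so it can be restored afterwards.
$wasEnabled = (Get-WinEvent -ListLog $channel).IsEnabled
$start      = Get-Date

# Disable, then re-enable the channel; re-enabling is what raises the error.
wevtutil.exe sl $channel /e:false
wevtutil.exe sl $channel /e:true
Start-Sleep -Seconds 5   # assumed delay so the Event Log service can write the record

# Look in the System log for event ID 30 records written since $start.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Eventlog'
    Id           = 30
    StartTime    = $start
}
# Get-WinEvent raises an error when nothing matches, so suppress it.
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$publisher*" })

# Put the channel back the way it was found.
if (-not $wasEnabled) { wevtutil.exe sl $channel /e:false }

if ($hits.Count -gt 0) {
    Write-Warning "Event ID 30 still raised for $publisher ($($hits.Count) new record(s))."
    $hits | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output "No new event ID 30 for $publisher since $start."
}
```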
