Key Management Service – Interpreting the Event Logs

At first glance, you may think the event logs on the KMS client are simple, but they actually provide a wealth of information, if you know what to look for.

A successful client to host communication will result in two events being recorded on the KMS client:

  • 12288
  • 12289

If you see these two events, you’re looking good, content notwithstanding.

Filter the Application log, for ease of use:

lots of events - make it easier to find what you want.


Okay, so you’ll now hopefully have a few entries which are entirely relevant to what we’re looking for. Let’s start with 12288. 12288 is the KMS client sending a request off to a KMS host. If you examine the log, it will detail the FQDN of the host it has attempted to contact.

The screenshot below, although redacted, demonstrates this. The red highlight is the FQDN of the host, and the associated port. The preceding hexadecimal strings are where to look for any errors.

The string to the right of the port, in yellow, is the CMID.

The circled number in green indicates the machine is currently licensed.

The number circled in purple is the time to license expiration.

The final number at the far side, circled in brown, indicates how many activations are needed for this particular KMS host to be active. Windows tends to be 25, with Office being 5.

The 12288 log.


So assuming the KMS does and can respond, you’ll get a corresponding 12289 log on the KMS client. However, this does not always mean you’ve had a successful activation, so it is important to check both logs.

In the screenshot below, the blue circled number represents the state of the attempt. In this case, a returned number 1 indicates a success.

The number circled in red indicates how many are pooled on the KMS. This needs to be over the activation threshold.

The 12289 log.
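As an added example (not part of the original post), the Python below parses the Info line of both events and applies the checks described above to a 12288/12289 pair. The field names and positions are assumptions, based on the order the post describes and the commonly documented layout of these events, and the sample messages are constructed.

```python
# Added example: field names and positions are assumptions, not taken from the post.
FIELDS = {
    12288: ("rc1", "rc2", "kms_host", "cmid", "client_time", "is_vm",
            "license_state", "minutes_to_expiry", "activation_id", "min_count"),
    12289: ("rc1", "rc2", "activation_flag", "unused", "current_count",
            "activation_interval", "renewal_interval", "response_time"),
}

# Constructed sample messages (not real log data).
REQ = ("The client has sent an activation request to the key management "
       "service machine.\nInfo:\n0x00000000, 0x00000000, kms.example.test:1688, "
       "11111111-2222-3333-4444-555555555555, 2020/01/01 09:00, 0, 1, 259200, "
       "00000000-0000-0000-0000-000000000000, 25")
RESP_OK = ("The client has processed an activation response from the key "
           "management service machine.\nInfo:\n0x00000000, 0x04000000, 1, 0, "
           "50, 120, 10080, 2020/01/01 09:00")
RESP_LOW = RESP_OK.replace("1, 0, 50", "0, 0, 3")  # failed state, only 3 pooled


def parse_info(event_id, message):
    """Split the comma-separated Info line of a 12288/12289 message into named fields."""
    names = FIELDS[event_id]
    if "Info:" not in message:
        raise ValueError("no Info: section in message")
    values = [v.strip() for v in message.split("Info:", 1)[1].split(",")]
    if len(values) != len(names):
        raise ValueError(f"event {event_id}: expected {len(names)} fields, got {len(values)}")
    return dict(zip(names, values))


def assess(request, response):
    """Check a 12288/12289 pair as the post reads them; return a list of problems."""
    problems = []
    # The leading hexadecimal strings of the request are where errors show up.
    if int(request["rc1"], 16) or int(request["rc2"], 16):
        problems.append("request carries a non-zero error code")
    # A response state of 1 indicates success.
    if response["activation_flag"] != "1":
        problems.append("response state is not 1 (activation did not succeed)")
    # The count pooled on the KMS host has to reach the client's threshold.
    if int(response["current_count"]) < int(request["min_count"]):
        problems.append("KMS count is below the activation threshold")
    return problems


if __name__ == "__main__":
    for resp in (RESP_OK, RESP_LOW):
        print(assess(parse_info(12288, REQ), parse_info(12289, resp)))
```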

That’s it for today o/

