ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Performance Monitor dashboard displaying system metrics and event logs in an IT operations center
Event ID 1023ErrorPerflibWindows

Windows Event ID 1023 – Perflib: Performance Counter Registry Corruption

Event ID 1023 indicates performance counter registry corruption in Windows. This error affects system monitoring tools and performance data collection, requiring registry repair or counter rebuilding.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 1023Perflib 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 1023 represents a critical failure in the Performance Library subsystem, specifically indicating corruption within the performance counter registry structure. The Perflib service maintains a comprehensive database of performance counters that applications and system tools use to monitor Windows performance metrics in real-time.

When this event occurs, Windows has detected inconsistencies or corruption in the performance counter registry entries, rendering some or all performance counters unusable. The corruption can manifest in several ways: missing counter definitions, invalid counter indexes, corrupted counter names, or broken relationships between counter categories and their associated performance data.

The impact extends beyond simple monitoring failures. Applications that rely on performance counters for operational decisions may malfunction or crash. System monitoring tools like Performance Monitor (PerfMon), Task Manager's performance tabs, and third-party monitoring solutions lose access to critical metrics. Additionally, automated performance logging services may fail, creating gaps in historical performance data.

The corruption typically affects the Windows Performance Toolkit infrastructure, which includes the Performance Data Helper (PDH) library and Windows Management Instrumentation (WMI) performance providers. Recovery requires rebuilding the performance counter registry structure, which involves stopping dependent services, clearing corrupted entries, and allowing Windows to regenerate the counter database from system defaults and installed application manifests.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Improper application uninstallation leaving orphaned performance counter entries
  • Registry corruption due to unexpected system shutdowns or power failures
  • Malware or security software interfering with performance counter registry keys
  • Manual registry modifications affecting Perflib entries
  • Failed Windows updates corrupting performance counter definitions
  • Third-party software incorrectly registering or unregistering performance counters
  • Disk errors affecting registry hive files containing performance counter data
  • System file corruption impacting performance library components
Resolution Methods

Troubleshooting Steps

01

Verify Event Details and Impact Assessment

Start by examining the specific error details and assessing the scope of performance counter corruption.

  1. Open Event ViewerWindows LogsApplication
  2. Filter for Event ID 1023 from source Perflib:
    Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1023; ProviderName='Perflib'} -MaxEvents 20 | Format-Table TimeCreated, LevelDisplayName, Message -Wrap
  3. Check Performance Monitor functionality by running perfmon.exe and attempting to add counters
  4. Test basic performance counter access:
    Get-Counter "\Processor(_Total)\% Processor Time" -MaxSamples 1
  5. Verify WMI performance provider status:
    Get-WmiObject -Class Win32_PerfRawData_PerfOS_Processor | Select-Object Name, PercentProcessorTime
Pro tip: If basic counters like Processor Time fail, the corruption is extensive and requires immediate rebuilding.
02

Rebuild Performance Counters Using Lodctr

Use the built-in Lodctr utility to rebuild corrupted performance counter registry entries.

  1. Open Command Prompt as Administrator
  2. Stop dependent services that might interfere with counter rebuilding:
    Stop-Service -Name "WinRM", "WMI", "PerfHost" -Force -ErrorAction SilentlyContinue
  3. Rebuild all performance counters from system manifests:
    lodctr /R
  4. If the rebuild fails, force recreation of the performance registry:
    cd /d %windir%\system32
lodctr /R
cd /d %windir%\sysWOW64
lodctr /R
  5. Restart the system and verify counter functionality:
    Restart-Computer -Force
  6. After restart, test performance counter access:
    Get-Counter "\Memory\Available MBytes", "\Processor(_Total)\% Processor Time" -MaxSamples 3
Warning: The /R switch rebuilds all counters, which may take several minutes and temporarily disable performance monitoring.
03

Manual Registry Cleanup and Counter Restoration

Perform manual registry cleanup when automated rebuilding fails to resolve persistent corruption.

  1. Create a registry backup before making changes:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib" C:\Backup\Perflib_backup.reg
  2. Stop all performance-related services:
    $services = @('WinRM', 'WMI', 'PerfHost', 'PLA', 'WdiServiceHost')
$services | ForEach-Object { Stop-Service -Name $_ -Force -ErrorAction SilentlyContinue }
  3. Navigate to the performance library registry key and examine corruption:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009
  4. Check for invalid or missing Counter and Help values:
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009" -Name "Counter", "Help" | Format-List
  5. If Counter or Help values are corrupted, restore from a known good system or use system file checker:
    sfc /scannow
Dism /Online /Cleanup-Image /RestoreHealth
  6. Rebuild counters after registry cleanup:
    lodctr /R
Pro tip: Compare registry values with a working system to identify specific corruption patterns.
04

Advanced WMI Repository Rebuild

Rebuild the WMI repository when performance counter corruption extends to WMI performance providers.

  1. Stop WMI and dependent services:
    Stop-Service -Name "Winmgmt" -Force
Stop-Service -Name "WMI*" -Force -ErrorAction SilentlyContinue
  2. Reset WMI repository to default state:
    winmgmt /resetrepository
  3. If repository reset fails, manually rebuild it:
    cd /d %windir%\system32\wbem
for /f %s in ('dir /b *.dll') do regsvr32 /s %s
for /f %s in ('dir /b *.exe') do call :FixSrv %s
wmiprvse /regserver
winmgmt /regserver
  4. Recompile MOF files for performance providers:
    mofcomp cimwin32.mof
mofcomp rsop.mof
mofcomp wmipcima.mof
  5. Restart WMI service and verify performance provider functionality:
    Start-Service -Name "Winmgmt"
Get-WmiObject -Class Win32_OperatingSystem | Select-Object TotalVisibleMemorySize, FreePhysicalMemory
  6. Rebuild performance counters after WMI restoration:
    lodctr /R
Warning: WMI repository rebuilding affects all WMI-dependent applications and may require application-specific reconfigurations.
05

System File Restoration and Component Repair

Perform comprehensive system file restoration when corruption affects core Windows performance components.

  1. Run comprehensive system file checker with component store repair:
    Dism /Online /Cleanup-Image /CheckHealth
Dism /Online /Cleanup-Image /ScanHealth
Dism /Online /Cleanup-Image /RestoreHealth
  2. Execute system file checker to repair corrupted performance library files:
    sfc /scannow
  3. Check for specific performance library file corruption:
    $perfFiles = @('perflib.dll', 'perfdisk.dll', 'perfnet.dll', 'perfos.dll', 'perfproc.dll')
$perfFiles | ForEach-Object {
    $file = Get-Item "$env:SystemRoot\System32\$_" -ErrorAction SilentlyContinue
    if ($file) { Write-Host "$_ - Version: $($file.VersionInfo.FileVersion)" }
    else { Write-Host "$_ - MISSING" -ForegroundColor Red }
}
  4. Reset Windows performance toolkit components:
    regsvr32 /s pdh.dll
regsvr32 /s perfmon.exe
regsvr32 /s wmiprvse.exe
  5. Rebuild performance infrastructure from scratch:
    lodctr /R
winmgmt /resyncperf
wmiadap /f
  6. Verify complete restoration with comprehensive counter test:
    $testCounters = @(
    "\Processor(_Total)\% Processor Time",
    "\Memory\Available MBytes",
    "\PhysicalDisk(_Total)\Disk Reads/sec",
    "\Network Interface(*)\Bytes Total/sec"
)
$testCounters | ForEach-Object {
    try {
        $result = Get-Counter $_ -MaxSamples 1 -ErrorAction Stop
        Write-Host "✓ $_ - Working" -ForegroundColor Green
    } catch {
        Write-Host "✗ $_ - Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}
Pro tip: Document which counters fail before and after each repair step to track restoration progress.

Overview

Event ID 1023 from the Perflib source signals critical performance counter registry corruption in Windows systems. This event fires when the Performance Library (Perflib) service encounters damaged or inconsistent performance counter registry entries, preventing proper system monitoring and data collection. The error typically manifests during system startup, when performance monitoring tools attempt to access counters, or during automated performance data gathering processes.

Performance counters are essential Windows components that provide real-time system metrics for CPU usage, memory consumption, disk activity, and network statistics. When these counters become corrupted, system administrators lose visibility into critical performance metrics, and monitoring applications may fail to function correctly. The corruption often stems from improper application uninstalls, registry modifications, or system crashes during counter updates.

This event requires immediate attention as it affects system monitoring capabilities and can impact performance troubleshooting efforts. The corruption typically involves the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib registry hive, where Windows stores performance counter definitions and configurations.

Frequently Asked Questions

What exactly does Windows Event ID 1023 indicate about my system?+
Event ID 1023 from Perflib indicates that Windows has detected corruption in the performance counter registry database. This means the system's ability to collect and report performance metrics is compromised. The corruption affects the registry entries that define how performance counters work, including their names, descriptions, and data collection methods. When this happens, monitoring tools like Performance Monitor, Task Manager's performance tabs, and third-party monitoring software may display errors or missing data. The event signals that the Performance Library service cannot properly initialize or access the counter definitions stored in the registry.
Can I continue using my computer normally with Event ID 1023 errors?+
Yes, you can continue normal computer operations, but with significant limitations in performance monitoring capabilities. The core Windows functions like file operations, networking, and applications will work normally. However, you'll lose access to real-time performance data, which affects system troubleshooting and monitoring. Performance Monitor will show errors, Task Manager's performance tabs may display incomplete information, and automated monitoring scripts will fail. System administrators should prioritize fixing this issue because performance monitoring is crucial for identifying bottlenecks, capacity planning, and troubleshooting system problems. The longer you delay repairs, the more performance history data you'll lose.
How long does it take to rebuild performance counters using lodctr /R?+
The lodctr /R command typically takes 2-10 minutes to complete, depending on your system's performance and the number of installed applications with custom performance counters. On modern systems with SSDs, the process usually completes in 3-5 minutes. However, on older systems with traditional hard drives or systems with many third-party applications that register performance counters, it can take up to 15 minutes. During this process, performance monitoring will be unavailable, and some services may temporarily stop responding. The command rebuilds the entire performance counter registry from scratch, reading counter definitions from system files and installed application manifests. Plan for a brief system restart after the rebuild to ensure all services properly recognize the new counter structure.
Will rebuilding performance counters affect my installed applications?+
Rebuilding performance counters generally doesn't affect application functionality, but it may impact applications that heavily rely on performance monitoring. Most standard applications will continue working normally because they don't depend on performance counters for core operations. However, monitoring applications, system management tools, and some enterprise software may need reconfiguration after counter rebuilding. Custom performance counters created by third-party applications will be restored from their installation manifests, but any custom configurations or thresholds you've set in monitoring tools will need to be reconfigured. Database management systems, virtualization platforms, and enterprise monitoring solutions may require service restarts to recognize the rebuilt counters. Always test critical monitoring applications after performing counter rebuilds.
What should I do if lodctr /R fails to fix Event ID 1023?+
If lodctr /R fails, the corruption is likely deeper than just performance counter definitions. First, check the command output for specific error messages that indicate which counters failed to rebuild. Run System File Checker (sfc /scannow) to repair corrupted system files that may be preventing proper counter registration. If SFC finds corruption, follow up with DISM commands to repair the Windows component store. Next, try rebuilding the WMI repository using 'winmgmt /resetrepository' since WMI and performance counters are interconnected. For persistent issues, manually examine the Perflib registry keys for obvious corruption and consider restoring from a registry backup. In extreme cases, you may need to perform an in-place Windows upgrade or system restore to a point before the corruption occurred.
Documentation

References (2)

1
Microsoft Learn - Performance CountersComprehensive documentation on Windows Performance Counters architecture and troubleshootinghttps://learn.microsoft.com/en-us/windows/win32/perfctrs/performance-counters-portal
2
Windows Performance Toolkit DocumentationOfficial guide to Windows Performance Toolkit components and performance monitoring toolshttps://learn.microsoft.com/en-us/windows-hardware/test/wpt/
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-1023#performance-counters#registry-corruption

Related Windows Events

Windows Performance Monitor displaying system performance counters and metrics on a monitoring dashboard
Event 1008
Perflib
Windows EventWarning

Windows Event ID 1008 – Perflib: Performance Counter Provider Load Failure

Event ID 1008 indicates a performance counter provider failed to load or initialize properly. This warning typically affects system monitoring tools and performance data collection without impacting core functionality.

March 189 min
Windows Performance Monitor displaying system performance counters and metrics on multiple monitors
Event 2004
Perflib
Windows EventError

Windows Event ID 2004 – Perflib: Performance Counter Provider Registration Failed

Event ID 2004 indicates a performance counter provider failed to register with the Windows Performance Toolkit. This typically occurs when performance counter DLLs are corrupted, missing, or incompatible with the current system.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...