I have one server environment which seems to be generating quite a lot of these events, mostly from Win2k3 SP2 machines:
Event Type: Warning Event Source: Srv Event Category: None Event ID: 2012 Date: 27/08/2011 Time: 07:05:25 User: N/A Computer: WIN2K3WEB Description: While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem. Data: 0000: 00040000 00540001 00000000 800007dc 0010: 00000000 c0000184 00000000 00000000 0020: 00000000 00000000 0000097b
I'm 99% sure this is down to some Riverbed CIFS devices, which are making it appear that a connection is still open for business when it has in fact already been closed at the remote end.
Anyhow - I know that the c0000184 signified STATUS_INVALID_DEVICE_STATE, and I've worked out that 800007dc actually just means 'this is event ID 2012'.
What I'm wondering about is what the 00040000 00540001, and the 0000097b mean. Sometimes, instead of 0000097b, it is 0000097a. This doesn't appear to be a Win32 error code, and it looks nothing like an HRESULT or NTSTATUS value.
Any pointers on what these values mean?