Sorry for the delay, I wanted to run the updated configuration for long enough to validate the change.

Updating the input from "MonitorNoHandle://$WINDIR\System32\Dns\dns.log" to "MonitorNoHandle://C:\Windows\System32\Dns\dns.log" does indeed resolve the issue. What's really odd though is the $WINDIR variable seems to be working in other inputs. For example, "monitor://$WINDIR\WindowsUpdate.log" being enabled does not generate the error.

My guess is that the issue is something specific to the resolution of environment variables by the MonitorNoHandle process. While all of our systems do have C: for the OS drive, it would be more ideal to use the environment variable to protect against edge cases. Is there any thing else we can do to troubleshoot further, or is it time for a bug report?

Good to know. Have you tried 8.0.0 of the Splunk Add-on for Microsoft Windows and seen if the issue persists there with the variable substitution?

Can confirm the issue persists for the [MonitorNoHandle://$WINDIR\System32\Dns\dns.log] input in v8.2.0 of the Windows TA.
This input resolves $WINDIR fine [monitor://$WINDIR\debug\netlogon.log] but as per the OP this input does not  [MonitorNoHandle://$WINDIR\System32\Dns\dns.log].

We have not. I'll get that and updating the Windows Server 2012 forwarders to 7.3.5 onto our patching schedule to see if either resolves the issue. Given that will not be a swift process due to some bureaucracy, would it be best to mark this question as resolved with removing the environmental variable as a work around solution?

I would try to test it on at least one test server and see if it resolves the problem. I don't see anything in the release notes about it fixing an issue with the monitor-nohandle but that doesn't necessarily mean anything.

The quickest thing to do is to open a support case with the information and see if they are aware of the issue. It definitely sounds like a bug.

Just a thought - what if the $WINDIR resolves correctly in all cases, but the file or folder is actually missing, and the error message is misleading? 

Has it been checked that both $WINDIR\debug\netlogon.log and $WINDIR\syetem32\dns\dns.log exist and are readable?