Article ID: 172156 - Last Review: February 23, 2007 - Revision: 2.5

How to Delete Corrupt Event Viewer Log Files

View products that this article applies to.
This article was previously published under Q172156

On This Page

Expand all | Collapse all

SYMPTOMS

When you launch Windows Event Viewer, one of the following error messages may occur if one of the *.evt files is corrupt:
The handle is invalid
Dr. Watson Services.exe
Exception: Access Violation (0xc0000005), Address: 0x76e073d4
When you click OK or cancel on the Dr. Watson error message, you may also receive the following error message:
Event Viewer
Remote Procedure Call failed
The services.exe process may consume a high percentage of CPU utilization.
Back to the top

CAUSE

The Event Viewer Log files (Sysevent.evt, Appevent.evt, Secevent.evt) are always in use by the system, preventing the files from being deleted or renamed. The EventLog service cannot be stopped because it is required by other services, thus the files are always open. This article describes a method to rename or move these files for troubleshooting purposes.
Back to the top

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
Back to the top

NTFS Partition

  1. Click the Start button, point to Settings, click Control Panel, and then double-click Services.
  2. Select the EventLog service and click Startup. Change the Startup Type to Disabled, and then click OK. If you are unable to log on to the computer but can access the registry remotely, you can change the Startup value in the following registry key to 0x4:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
  3. Restart Windows.

    NOTE: When the system starts up, several services may fail; a message informing the user to use Event Viewer to review errors may appear.
  4. Rename or move the corrupt *.evt file from the following location:
    %SystemRoot%\System32\Config
  5. In Control Panel Services tool, re-enable the EventLog service by setting it back to the default of Automatic startup, or change the registry Startup value back to 0x2.
Back to the top

FAT partition (Alternative method)

  1. Boot to a MS-DOS prompt using a DOS bootable disk.
  2. Rename or move the corrupt *.evt file from the following location:
    %SystemRoot%\System32\Config
  3. Remove the disk and restart Windows.
When Windows is restarted, the Event Log file will be recreated.
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Back to the top
Keywords: 
kbprb KB172156
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations