How to Delete Corrupt Event Viewer Log Files

Article ID: 172156
Last Review: February 23, 2007
Revision: 2.5
This article was previously published under Q172156
SYMPTOMS

When you start Windows Event Viewer, you may receive one of the following error messages if one of the *.evt files is corrupt:

    The handle is invalid

    Dr. Watson Services.exe
    Exception: Access Violation (0xc0000005), Address: 0x76e073d4

When you click OK or Cancel on the Dr. Watson error message, you may also receive the following error message:

    Event Viewer
    Remote Procedure Call failed

The services.exe process may also consume a high percentage of CPU time.

CAUSE

The Event Viewer Log files (Sysevent.evt, Appevent.evt, Secevent.evt) are always in use by the system, preventing the files from being deleted or renamed. The EventLog service cannot be stopped because it is required by other services, thus the files are always open. This article describes a method to rename or move these files for troubleshooting purposes.

RESOLUTION

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

    322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

NTFS Partition

1. Click the Start button, point to Settings, click Control Panel, and then double-click Services.
2. Select the EventLog service and click Startup. Change the Startup Type to Disabled, and then click OK. If you are unable to log on to the computer but can access the registry remotely, you can change the Startup value in the following registry key to 0x4:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

3. Restart Windows.

   NOTE: When the system starts up, several services may fail, and a message telling the user to use Event Viewer to review errors may appear.

4. Rename or move the corrupt *.evt file from the following location:

    %SystemRoot%\System32\Config

5. In the Control Panel Services tool, re-enable the EventLog service by setting it back to the default of Automatic startup, or change the registry Startup value back to 0x2.

FAT partition (Alternative method)

1. Boot to an MS-DOS prompt using a DOS bootable disk.
2. Rename or move the corrupt *.evt file from the following location:

    %SystemRoot%\System32\Config

3. Remove the disk and restart Windows.

When Windows is restarted, the Event Log file will be recreated.
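
Both methods assume you already know which *.evt file is corrupt. As an added example (not part of the original article), the following Python script checks the fixed 0x30-byte header of each file once it is no longer locked, for example after it has been moved out of %SystemRoot%\System32\Config. It assumes the legacy ELF_LOGFILE_HEADER layout that Microsoft documents for .evt files; the function names and the sample log are constructed for illustration, and a file whose header passes may still contain damaged records.

```python
import struct
import sys

# ELF_LOGFILE_HEADER: twelve little-endian ULONGs (0x30 bytes) at offset 0.
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C          # stored on disk as the bytes "LfLe"
FLAG_DIRTY = 0x1                # ELF_LOGFILE_HEADER_DIRTY: log not closed cleanly


def check_evt_header(data):
    """Return a list of problems found in the header of a legacy .evt file."""
    if len(data) < HEADER.size:
        return ["truncated: %d bytes, header needs %d" % (len(data), HEADER.size)]
    (size, sig, major, minor, start, end, _cur, _oldest,
     _max_size, _flags, _retention, end_size) = HEADER.unpack_from(data)
    problems = []
    if size != HEADER.size or end_size != HEADER.size:
        problems.append("header size fields are 0x%x/0x%x, expected 0x30" % (size, end_size))
    if sig != SIGNATURE:
        problems.append("bad signature 0x%08x, expected 0x%08x" % (sig, SIGNATURE))
    if (major, minor) != (1, 1):
        problems.append("unexpected version %d.%d" % (major, minor))
    for name, off in (("StartOffset", start), ("EndOffset", end)):
        if not HEADER.size <= off <= len(data):
            problems.append("%s 0x%x lies outside the file" % (name, off))
    return problems


def is_dirty(data):
    """True if the dirty flag is set (the log was not closed cleanly)."""
    return len(data) >= HEADER.size and bool(HEADER.unpack_from(data)[9] & FLAG_DIRTY)


def sample_log(signature=SIGNATURE, flags=0):
    """Constructed sample: an empty 64 KB log with a well-formed header."""
    header = HEADER.pack(0x30, signature, 1, 1, 0x30, 0x30, 1, 0, 0x10000, flags, 604800, 0x30)
    return header + b"\x00" * (0x10000 - HEADER.size)


if __name__ == "__main__":
    # Usage: python check_evt.py Sysevent.evt Appevent.evt Secevent.evt
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        issues = check_evt_header(data)
        note = " (dirty flag set)" if is_dirty(data) else ""
        print("%s: %s%s" % (path, "; ".join(issues) if issues else "header OK", note))
```

A set dirty flag on its own only shows that the log was not closed cleanly; treat it as a hint, not as proof of corruption.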


APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Workstation 3.51
Microsoft Windows NT Workstation 4.0 Developer Edition
Microsoft Windows NT Server 3.51
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
