How to Delete Corrupt Event Viewer Log Files (172156)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0
This article was previously published under Q172156
IMPORTANT: This article contains information about modifying the registry. Before you
modify the registry, make sure to back it up and make sure that you understand how to restore
the registry if a problem occurs. For information about how to back up, restore, and edit the
registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
When you launch Windows Event Viewer, one of the following error
messages may occur if one of the *.evt files is corrupt:
The handle is invalid
Dr. Watson Services.exe
Exception: Access Violation (0xc0000005), Address: 0x76e073d4
When you click OK or Cancel on the Dr. Watson error message, you may also
receive the following error message:
Event Viewer
Remote Procedure Call failed
The services.exe process may also consume a high percentage of CPU time.
CAUSE
The Event Viewer Log files (Sysevent.evt, Appevent.evt, Secevent.evt) are
always in use by the system, preventing the files from being deleted or
renamed. The EventLog service cannot be stopped because it is required by
other services, thus the files are always open. This article describes a
method to rename or move these files for troubleshooting purposes.
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry Editor at your own
risk.
NTFS Partition
- Click the Start button, point to Settings, click Control Panel, and then
double-click Services.
- Select the EventLog service and click Startup. Change the Startup Type
to Disabled, and then click OK. If you are unable to log on to the
computer but can access the registry remotely, you can change the
Startup value in the following registry key to 0x4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
- Restart Windows.
NOTE: When the system starts up, several services may fail; a message
informing the user to use Event Viewer to review errors may appear.
- Rename or move the corrupt *.evt file from the following location:
%SystemRoot%\System32\Config
- In the Control Panel Services tool, re-enable the EventLog service by setting
it back to the default of Automatic startup, or change the registry
Startup value back to 0x2.
FAT partition (Alternative method)
- Boot to an MS-DOS prompt using a DOS bootable disk.
- Rename or move the corrupt *.evt file from the following location:
%SystemRoot%\System32\Config
- Remove the disk and restart Windows.
When Windows is restarted, the Event Log file will be recreated.
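
The article does not say how to tell which of the three *.evt files is the corrupt one. The following is an added example, not part of the original Microsoft article: a Python check of the 48-byte ELF_LOGFILE_HEADER at the start of each file, based on Microsoft's documented Event Log file format. It assumes it is run on the files while the EventLog service is disabled (or on copies), and it inspects only the header, so damage confined to individual records is not detected.

```python
import struct

HEADER = struct.Struct("<12I")      # ELF_LOGFILE_HEADER: twelve little-endian ULONGs
SIGNATURE = 0x654C664C              # bytes "LfLe" on disk
ELF_LOGFILE_HEADER_DIRTY = 0x0001   # set while the service has unflushed writes

def check_evt_header(data):
    """Return a list of problems found in the header of an .evt file image."""
    if len(data) < HEADER.size:
        return ["file shorter than the 48-byte header"]
    (hdr_size, sig, major, minor, start, end,
     _cur_rec, _old_rec, _max_size, flags, _retention, end_hdr_size) = HEADER.unpack_from(data)
    problems = []
    if hdr_size != 0x30 or end_hdr_size != 0x30:
        problems.append("header size fields are not 0x30")
    if sig != SIGNATURE:
        problems.append("signature is not LfLe")
    if (major, minor) != (1, 1):
        problems.append("unexpected version %d.%d" % (major, minor))
    if flags & ELF_LOGFILE_HEADER_DIRTY:
        # Offsets in a dirty header may be stale, so they are not bounds-checked.
        problems.append("dirty flag set: log was not closed cleanly")
    else:
        for name, off in (("StartOffset", start), ("EndOffset", end)):
            if not HEADER.size <= off <= len(data):
                problems.append("%s 0x%x outside file" % (name, off))
    return problems

def _sample(sig=SIGNATURE, flags=0, end=0x30, size=0x100):
    """Constructed test image: a header followed by zero padding (not a real log)."""
    hdr = HEADER.pack(0x30, sig, 1, 1, 0x30, end, 1, 0, size, flags, 0, 0x30)
    return hdr + b"\x00" * (size - HEADER.size)

if __name__ == "__main__":
    import sys
    # Usage: pass the paths of Sysevent.evt, Appevent.evt and Secevent.evt.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = check_evt_header(fh.read())
        print(path, "OK" if not found else "; ".join(found))
```

Renaming or moving the flagged file, as the steps above describe, keeps the damaged log available for later review, which matters most for Secevent.evt.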
Modification Type: Major
Last Reviewed: 6/3/2003
Keywords: kbprb KB172156