Solved

Unable to Start Windows Event log Service

Posted on 2014-09-27
20
854 Views
Last Modified: 2014-10-03
We have issues after MS patching on Win 2008 R2: the Windows Event Log service is not started.

When trying to start it manually, we get the error:

"Windows could not start the Windows Event Log service on Local Computer.
Error 13: The data is invalid."

How can we start this? Due to this we are unable to start other services, and we can't view the logs for the issue either.
0
Question by:patron
20 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 40348183
First, restart the server to see if that fixes it. Second, what relevant errors are in the event viewer that may give more clues?
0
 
LVL 1

Author Comment

by:patron
ID: 40348187
Can't see the event logs, as the event log service is not started.

Server rebooted 3-4 times - no luck.

Firewall stopped/disabled - no luck.

EMET reinstalled and removed - no luck.

Please advise, as it's a bit urgent; it is coming up on so many boxes.
0
 
LVL 1

Author Comment

by:patron
ID: 40348201
The first error when rebooting the server is for EMET [attached].

Then we try to start the event log [error screenshot attached].

Getting the issue on most of the MS boxes recently patched.

Removed the patches, but still the same issue.
event1.jpg
emet.jpg
0
 
LVL 14

Expert Comment

by:Rob Miners
ID: 40348206
There is a hotfix to prevent this problem.

Error message when you use Event Viewer to open an event log on a Windows Vista or a Windows Server 2008-based computer: "Event Viewer cannot open the event log or custom view"

http://support2.microsoft.com/kb/972999
0
 
LVL 1

Author Comment

by:patron
ID: 40348234
Great, thanks, but what about the event log service not starting?
0
 
LVL 1

Author Comment

by:patron
ID: 40348237
And the above update/fix is not applicable to Win 2008 R2.

Please confirm if there is some other way to get a hotfix/solution.
0
 
LVL 14

Assisted Solution

by:Rob Miners
Rob Miners earned 250 total points
ID: 40348249
You can try this at your own discretion, as I am not familiar with the outcome.
As the .evtx file is corrupted, I would be inclined to try the wevtutil command to clear the log and back it up to the System.evtx file. Then restart the system to check.

wevtutil cl System /bu:C:\system.evtx
0
 
LVL 1

Author Comment

by:patron
ID: 40348256
Tried, but no luck.

Any other way to sort this out?
0
 
LVL 14

Expert Comment

by:Rob Miners
ID: 40348259
Not that I am aware of, someone else may have experienced this problem, and may come online later. Sorry that I can't be of further help at the moment. I will keep looking for a solution though.
0
 
LVL 1

Author Comment

by:patron
ID: 40348261
I have this problem with all my Win 2008 boxes, approx. 30+, after patching; it would be a great help if someone can please help us urgently.
Thanks a lot.
0
 
LVL 17

Expert Comment

by:jordannet
ID: 40348262
Fix the permissions for the RtBackup folder in Windows 7 and Windows Vista:
1. Start Windows in Safe Mode.

2. Open the "C:\Windows\System32\LogFiles\WMI" folder.

3. Right-click on the RtBackup folder and choose Properties.
4. Go to the Security tab, select Add, then add SYSTEM and give it Full Control.

Reboot and try.
0
 
LVL 1

Author Comment

by:patron
ID: 40348266
Tried that as well, no luck.
0
 
LVL 14

Assisted Solution

by:Rob Miners
Rob Miners earned 250 total points
ID: 40348278
Check the exit code to see if it is of any help.
Run this command line:
sc query state= all > 0 & notepad 0
Find eventlog.
Check for the code under
WIN32_EXIT_CODE :
Then type net helpmsg <code>.

Example:
WIN32_EXIT_CODE    : 1077  (0x435)
SERVICE_EXIT_CODE  : 0  (0x0)

C:\>net helpmsg 1077
No attempts to start the service have been made since the last boot.
Ref: http://www.techsupportforum.com/forums/f217/solved-windows-eventlog-cannot-be-opened-652266.html
0
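The two checks above (the WIN32_EXIT_CODE decoding Rob Miners describes, and the RtBackup permission step from jordannet's earlier comment) can be run from one script. The following is an added example, not code posted in this thread: it reads the Event Log service's exit code and translates it with net helpmsg, then verifies that SYSTEM holds Full Control on RtBackup, and only changes the ACL when run with -Repair. It assumes an elevated PowerShell on the affected server; Get-WmiObject is used so it also runs on the PowerShell 2.0 that ships with 2008 R2.

```powershell
<#
  Added example, not from the thread. Local triage for a failing Event Log
  service: (1) read the service exit code and decode it with net helpmsg,
  (2) check that SYSTEM has Full Control on the RtBackup folder,
  (3) attempt a start and show what the Service Control Manager reports.
  Run in an elevated PowerShell. Only -Repair changes anything on the box.
#>
param([switch]$Repair)

$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# --- 1. Service state and exit code ----------------------------------------
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='eventlog'"
if (-not $svc) { throw "Service 'eventlog' not found on this machine." }

"Service   : {0} ({1})" -f $svc.Name, $svc.DisplayName
"State     : {0}  StartMode: {1}" -f $svc.State, $svc.StartMode
"Win32 exit code           : {0} (0x{0:X})" -f $svc.ExitCode
"Service-specific exit code: {0}" -f $svc.ServiceSpecificExitCode

# net helpmsg decodes Win32 codes only (13 = "The data is invalid",
# 1077 = no start attempted since boot). A non-zero service-specific code is
# the service's own and is not decoded here.
if ($svc.ExitCode -ne 0) {
    $msg = (& net.exe helpmsg $svc.ExitCode | Where-Object { $_.Trim() }) -join ' '
    "Meaning                   : $msg"
}

# --- 2. RtBackup folder ACL ------------------------------------------------
$rtBackup = Join-Path $env:SystemRoot 'System32\LogFiles\WMI\RtBackup'
if (-not (Test-Path -Path $rtBackup)) {
    "RtBackup  : folder not found at $rtBackup"
} else {
    try {
        $acl = Get-Acl -Path $rtBackup
        $systemFull = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $fullControl) -eq $fullControl)
        }
        if ($systemFull) {
            "RtBackup  : SYSTEM already has Full Control"
        } elseif ($Repair) {
            # Same change as Properties > Security > Add SYSTEM > Full Control.
            "RtBackup  : granting SYSTEM Full Control"
            & icacls.exe $rtBackup /grant 'SYSTEM:(OI)(CI)F'
        } else {
            "RtBackup  : SYSTEM lacks Full Control (re-run with -Repair to grant it)"
        }
    } catch {
        # By default only SYSTEM can read this folder; an admin may be denied.
        "RtBackup  : could not read ACL ($($_.Exception.Message))"
    }
}

# --- 3. Try a start and report the SCM's answer ----------------------------
try {
    Start-Service -Name eventlog -ErrorAction Stop
    "Start     : succeeded"
} catch {
    "Start     : failed - $($_.Exception.Message)"
}
```

Run it once without -Repair to see the exit code and ACL state; if the service still fails with error 13 after the ACL is correct, the cause is elsewhere (in this thread it turned out to be the event log policy entries in the registry, not the folder).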
 
LVL 17

Expert Comment

by:jordannet
ID: 40348288
If so, then I think the report database is full; try to clear it.
image48.png
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40348437
You wrote it's on 30 machines? Then tell us: what is the common factor? Probably EMET.
Of course the first thing to try is to uninstall the latest patches. If that, however, does not help:
To repair Windows problems as deep as this, you usually succeed by doing an in-place upgrade, aka repair installation. Insert the setup DVD or USB and start setup, then select "Upgrade". Files, settings and programs will be kept. Best would be to use a DVD with SP1 already included.
0
 
LVL 1

Assisted Solution

by:patron
patron earned 0 total points
ID: 40348565
Yes, it was on 30+ machines, just rebooted after patching, so earlier we thought it was due to patching, but...
Great thanks, mate; tried every way, no luck.

It all occurred due to a wrong log retention policy configured at path:
HKLM/Software/Policies/Microsoft/Windows/Event Log - there were 3 entries there for the Application, System and Security logs; removed them manually and was able to start the service.

The right path was different?

This policy was changed 4-5 days back but was applied only today, after the server reboot.

Need to confirm: does gpupdate or gpupdate /force apply a policy at the same time, or are there a few policies that are applied only after a reboot?

Here we removed the entries manually, as gpupdate didn't work, even after we removed the GPO link.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40348761
Good to see you solved it.

About the GPOs: those settings will only become effective (with the service failing as the effect) when the eventlog service restarts. That's why you didn't see the effect earlier.
If, after undoing, the registry keys still remain, then you might have a policy that tattoos the registry. Please read http://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/ - following that article, however, it should be removed automatically.
0
 
LVL 1

Author Comment

by:patron
ID: 40349116
Great, and thanks a lot. I have a few queries I still need to understand:
> Why was this policy applied only after a reboot of the server, as at domain level it was applied 3-4 days back?
> Applied on Win 2008 boxes only, not on 2003 and 2012?
> It is not applied/reverted using gpupdate or gpupdate /force - any difference?
> Is there any way to test and verify that it has now been unlinked/removed?
> Any time difference for different OSes to populate the update using gpupdate, or if we simply apply the policy at domain [abc.com] / OS level?
> Are there some policies which only take effect after a reboot?
> Can we check on all machines, using any utility/scripting solution, that the particular registry entry has been removed, as we have 1200+ boxes in the domain?
> What could be the worst impact on the server and the other applications running on it if the event log service is not started?

Thanks in advance.
0
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 40349330
Half of your additional questions are already answered; at least my last posting should answer those. For the rest:
> Applied on Win 2008 boxes only, not on 2003 and 2012?
You mean on 2003 and 2012 you didn't get any problem? Well, the results may differ from OS to OS; maybe only 2008 has a problem with those settings and the others ignore it.
> Is there any way to test and verify that it has now been unlinked/removed?
The command
gpresult /h c:\test\outputfile.html
creates a web page with all current settings. But it won't tell you about tattooing (read my link about tattooing).
> Any time difference for different OSes to populate the update using gpupdate, or if we simply apply the policy at domain [abc.com] / OS level?
No time difference.
> Are there some policies which only take effect after a reboot?
I gave an example: if you reconfigure a service via GPO, the result will not take effect until that service is restarted.
> Can we check on all machines, using any utility/scripting solution, that the particular registry entry has been removed, as we have 1200+ boxes in the domain?
Sure, use a startup script with reg.exe /query.
> What could be the worst impact on the server and the other applications running on it if the event log service is not started?
That service is for diagnosis, nothing else. That may be needed or not. Of course you would want to have it running if you monitor security events, service failures and so on.
0
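For the fleet check asked about above (patron's 1200+ boxes) and the root cause found earlier in the thread (leftover per-log entries under the Event Log policy key), here is an added example that is not code from this thread. McKnife suggests a startup script with reg.exe /query; this version gathers the same facts over PowerShell remoting from one admin workstation instead, so no startup script has to be deployed first. It assumes WinRM is enabled on the targets and the caller is a local admin there, PowerShell 3.0 or later on the machine running it (for $using:), and a constructed list file and report path. The registry key is the standard policy path; the thread writes it with a space as ".../Windows/Event Log".

```powershell
<#
  Added example, not from the thread. For each computer in a list, report
  whether the Application/Security/System subkeys exist under the Event Log
  policy key, which values they carry, and the Event Log service state.
  Assumptions: WinRM enabled on targets, caller is local admin there,
  PowerShell 3.0+ locally; list file and report path are constructed.
#>
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'   # standard policy path
$logNames   = 'Application', 'Security', 'System'
$listFile   = 'C:\temp\servers.txt'                  # constructed: one hostname per line
$reportFile = 'C:\temp\eventlog-policy-report.csv'   # constructed output path

$computers = Get-Content -Path $listFile | Where-Object { $_.Trim() }

# Runs on each target; emits one object per log name.
$probe = {
    $svc   = Get-Service -Name eventlog -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    foreach ($log in $using:logNames) {
        $sub     = Join-Path $using:policyKey $log
        $present = Test-Path -Path $sub
        $values  = ''
        if ($present) {
            # Keep only real registry values; drop the PSPath/PSDrive provider properties.
            $values = ((Get-ItemProperty -Path $sub).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ';'
        }
        New-Object PSObject -Property @{
            Computer      = $env:COMPUTERNAME
            Log           = $log
            PolicyPresent = $present
            Values        = $values
            ServiceState  = $state
        }
    }
}

# SilentlyContinue keeps the run going past hosts that are off or refuse WinRM.
$results = @(Invoke-Command -ComputerName $computers -ScriptBlock $probe -ErrorAction SilentlyContinue)

# Hosts that returned nothing were unreachable; keep them in the report rather than losing them.
$seen = $results | ForEach-Object { $_.PSComputerName } | Select-Object -Unique
$unreachable = $computers | Where-Object { $seen -notcontains $_ } | ForEach-Object {
    New-Object PSObject -Property @{
        Computer = $_; Log = ''; PolicyPresent = $null; Values = 'UNREACHABLE'; ServiceState = ''
    }
}

$report = $results + @($unreachable)
$report | Sort-Object Computer, Log | Format-Table Computer, Log, PolicyPresent, ServiceState, Values -AutoSize
$report | Export-Csv -Path $reportFile -NoTypeInformation

# Machines still carrying a policy subkey are the ones GPO cleanup did not reach
# (candidates for the tattooing McKnife mentions); list them for follow-up.
$report | Where-Object { $_.PolicyPresent } | ForEach-Object { $_.Computer } | Select-Object -Unique
```

The CSV gives one row per computer and log, so the report also answers "which boxes still have the service stopped" without a second pass; a PolicyPresent value of True on a machine where the GPO link has already been removed is the case to compare against the gpresult /h output McKnife describes.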
 
LVL 1

Author Closing Comment

by:patron
ID: 40359029
Great help by All.
0
