Unable to Start Windows Event log Service

We have issues after MS patching on Win 2008 R2: the Windows Event Log service is not started.

When trying to start it manually, we get the error:

"Windows could not start the Windows Event Log service on Local Computer.
Error 13: The data is invalid"

How can we start it? Because of this we are unable to start other services, and we can't view the logs for the issue either.
patronAsked:

Larry Struckmeyer MVPCommented:
First, restart the server to see if that fixes it. Second, what relevant errors are in the event viewer that may give more clues?
0
patronAuthor Commented:
Can't see event logs, as even the event log service is not started.

Server rebooted 3-4 times, no luck.

Firewall stopped/disabled, no luck.

EMET reinstalled and removed, no luck.

Please advise, as it's urgent and is coming up on so many boxes.
0
patronAuthor Commented:
The first error coming up when rebooting the server is for EMET [attached].

And then we try to start the event log [error screenshot attached].

Getting the issue for most of the MS boxes recently patched.

Removed the patches, but still the same issue.
event1.jpg
emet.jpg
0
Rob MinersCommented:
There is a hotfix to prevent this problem.

Error message when you use Event Viewer to open an event log on a Windows Vista or a Windows Server 2008-based computer: "Event Viewer cannot open the event log or custom view"

http://support2.microsoft.com/kb/972999
0
patronAuthor Commented:
Great, thanks, but what about the event log service not starting?
0
patronAuthor Commented:
And the above update/fix is not applicable for Win 2008 R2.

Please confirm if we have some other way to get a hotfix/solution.
0
Rob MinersCommented:
You can try this at your own discretion, as I am not familiar with the outcome.
As the .evtx file is corrupted, I would be inclined to try the wevtutil command to clear the log and back it up to the System.evtx file. Then restart the system to check.

wevtutil cl System /bu:C:\system.evtx
0
patronAuthor Commented:
Tried, but no luck.

Any other way to sort this out?
0
Rob MinersCommented:
Not that I am aware of; someone else may have experienced this problem and may come online later. Sorry that I can't be of further help at the moment. I will keep looking for a solution though.
0
patronAuthor Commented:
I have this problem with all my Win 2008 boxes, approx. 30+, after patching. It would be a great help if someone could please help us urgently.
Thanks a lot.
0
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
Fix the permissions for the RtBackup folder in Windows 7 and Windows Vista:
1. Start Windows in Safe Mode.
2. Open the "C:\Windows\System32\LogFiles\WMI" folder.
3. Right-click on the RtBackup folder and choose Properties.
4. Go to the Security tab, select Add, then add SYSTEM and give it full permission.

Reboot and try.
0
patronAuthor Commented:
Tried that as well, no luck.
0
Rob MinersCommented:
Check the exit code to see if it is of any help. Run this command line:
sc query state= all > 0 & notepad 0
Find eventlog and check the code under WIN32_EXIT_CODE, then type net helpmsg followed by that code.

Example:
WIN32_EXIT_CODE    : 1077  (0x435)
SERVICE_EXIT_CODE  : 0  (0x0)

C:\>net helpmsg 1077
No attempts to start the service have been made since the last boot.
ref:      http://www.techsupportforum.com/forums/f217/solved-windows-eventlog-cannot-be-opened-652266.html
0
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
If so, then I think the report database is full; try to clear it.
image48.png
0
McKnifeCommented:
You wrote it's on 30 machines? Then tell us, what is the common factor? Probably EMET.
Of course the first thing to try is to uninstall the latest patches. If that, however, does not help:
To repair Windows problems as deep as this, you usually succeed by doing an in-place upgrade, aka repair installation. Insert the setup DVD or USB and start setup, then select "Upgrade". Files, settings and programs will be kept. Best would be to use a DVD with SP1 already included.
0
patronAuthor Commented:
Yes, it was on 30+ machines, just rebooted after patching, so earlier we thought it was due to patching, but...
Great, thanks mate; tried every way, no luck.

It all occurred due to a wrong log retention policy configured at the path
HKLM/Software/Policies/Microsoft/Windows/Event Log. There were 3 entries there, for the Application, System and Security logs; removed them manually and was able to start the service.

The right path was different?

This policy was changed 4-5 days back but applied only today after the server reboot.

Need to confirm: will gpupdate or gpupdate /force apply the policy at the same time, or do we have a few policies that are applied only after reboot?

Here we removed the entries manually, as gpupdate didn't work, even after we removed the GPO link.
0
McKnifeCommented:
Good to see you solved it.

About the GPOs: those settings will only become effective (with the service failing as the effect) when the event log service restarts. That's why you didn't see the effect earlier.
If after undoing, the registry keys still remain, then you might have a policy that tattoos the registry. Please read http://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/; following that article, however, it should be removed automatically.
0
patronAuthor Commented:
Great, and thanks a lot. I have a few queries; still need to understand:
> Why was this policy applied only after the reboot of the server, as at domain level it was applied 3-4 days back?
> Applied on Win 2008 boxes only, not on 2003 and 2012?
> It is not applied/reverted using gpupdate or gpupdate /force; any difference?
> Is there any way to test and verify that it has now been unlinked/removed?
> Any time difference for different OSes to populate the update using gpupdate, or if we simply apply the policy at domain [abc.com] / OS level?
> Are there some policies which only take effect after reboot?
> Can we check on all machines, using any utility/scripting solution, that the particular reg entry has been removed, as we have 1200+ boxes in the domain?
> What could be the worst impact on a server and the other applications running on it if the event log service is not started?

Thanks in advance.
0
McKnifeCommented:
Half of your additional questions are already answered; at least my last posting should answer those. For the rest:
> Applied on Win 2008 boxes only, not on 2003 and 2012?
You mean on 2003 and 2012 you didn't get any problem? Well, the results may differ from OS to OS; maybe only 2008 has a problem with those settings and the others ignore them.
> Is there any way to test and verify that it has now been unlinked/removed?
The command
gpresult /h c:\test\outputfile.html
creates a web page with all current settings. But it won't tell you about tattooing (read my link about tattooing).
> Any time difference for different OSes to populate the update using gpupdate, or if we simply apply the policy at domain [abc.com] / OS level?
No time difference.
> Are there some policies which only take effect after reboot?
I gave an example: if you reconfigure a service via GPO, the result will not take effect until that service is restarted.
> Can we check on all machines, using any utility/scripting solution, that the particular reg entry has been removed, as we have 1200+ boxes in the domain?
Sure, use a startup script with reg.exe /query.
> What could be the worst impact on a server and the other applications running on it if the event log service is not started?
That service is for diagnosis, nothing else. That may be needed or not. Of course you would want to have it running if you monitor security events, service failures and so on.
0
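An added PowerShell example (not posted by any participant in this thread) that does what the two diagnostic answers above suggest: it reads the Event Log service state and Win32 exit code the way `sc query` / `net helpmsg` do, and it reports whether the per-log policy subkeys (Application, Security, System) that the author had to delete are present on each machine. It assumes the standard policy key `HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog` (the thread spells it with a space), admin rights plus the Remote Registry service on the targets, and the host names are constructed placeholders.

```powershell
# Added example: audit the Event Log policy subkeys and the EventLog service
# on a list of hosts. Host names below are constructed placeholders.
$computers = @('SERVER01', 'SERVER02')
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\EventLog'   # standard policy key (assumed)
$logs      = @('Application', 'Security', 'System')

function Get-EventLogPolicy {
    param([string]$Computer)
    # Remote registry read: needs admin rights and the Remote Registry service on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $root = $hklm.OpenSubKey($policyKey)
    foreach ($log in $logs) {
        $sub = $null
        if ($root) { $sub = $root.OpenSubKey($log) }
        $values = @()
        if ($sub) {
            foreach ($name in $sub.GetValueNames()) { $values += "$name=$($sub.GetValue($name))" }
        }
        # PolicyPresent = True means a GPO is pushing size/retention settings for this log.
        New-Object PSObject -Property @{
            Computer      = $Computer
            Log           = $log
            PolicyPresent = [bool]$sub
            Values        = ($values -join '; ')
        }
    }
    $hklm.Close()
}

function Get-EventLogServiceState {
    param([string]$Computer)
    # Same information as 'sc query eventlog': STATE and WIN32_EXIT_CODE.
    $svc = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='EventLog'"
    if (-not $svc) { return }
    # Win32Exception.Message gives the same text as 'net helpmsg <code>'.
    $msg = (New-Object ComponentModel.Win32Exception -ArgumentList ([int]$svc.ExitCode)).Message
    New-Object PSObject -Property @{
        Computer    = $Computer
        State       = $svc.State
        ExitCode    = $svc.ExitCode
        ExitMessage = $msg
    }
}

foreach ($c in $computers) {
    Get-EventLogServiceState $c | Format-List Computer, State, ExitCode, ExitMessage
    Get-EventLogPolicy $c | Format-Table Computer, Log, PolicyPresent, Values -AutoSize
}
```

Run it as a scheduled or startup job against the full host list; any machine whose service is stopped with a non-zero exit code and whose policy subkeys are still present is one where the GPO has tattooed the settings and the keys need to be removed as described above.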

patronAuthor Commented:
Great help by all.
0