If you launch Windows NT Event Viewer and one of the following error messages
occurs:

    The handle is invalid

    Dr. Watson Services.exe
    Exception: Access Violation (0xc0000005), Address: 0x76e073d4

one of the .evt files is corrupt. You will not be able to rename or delete
Sysevent.evt, Appevent.evt, or Secevent.evt, since they are always in use by the
system. The EventLog service cannot be stopped because it is required by other
services. If you can start a registry editor locally, or if you have remote
registry access, change the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Start
value from 0x02 to 0x04 and reboot. Various services will fail at reboot because
the EventLog service is disabled. Delete the event logs,
%SystemRoot%\system32\config\*.evt.
Change the Start value back to 0x02 and reboot. The system will automatically
generate new, empty logs.
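The registry-toggle procedure above, written as a two-phase PowerShell script. This is an added example, not part of the original page: it assumes a PowerShell shell with administrative rights (on NT 4 itself the same edits were made with regedit and del), uses the page's log path and Start values, and adds one step a practitioner would want: the corrupt .evt files are copied to an archive folder before deletion so they remain available for later examination.

```powershell
# Added example (not from the original page). Run once with -Phase Disable,
# reboot, then run again with -Phase Restore and reboot a second time.
param(
    [Parameter(Mandatory)][ValidateSet('Disable', 'Restore')][string]$Phase,
    # Archive folder for the corrupt logs; name is an assumption of this example.
    [string]$ArchiveDir = (Join-Path $env:SystemRoot ('evt-archive-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$logDir = Join-Path $env:SystemRoot 'system32\config'   # path given on the page

switch ($Phase) {
    'Disable' {
        # Step 1: change Start from 0x02 (automatic) to 0x04 (disabled), then reboot.
        $current = (Get-ItemProperty -Path $key -Name Start).Start
        Write-Host "EventLog Start value is $current; setting it to 4 (disabled)."
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        Write-Host 'Reboot now, then run this script again with -Phase Restore.'
    }
    'Restore' {
        # Step 2: with the service not running the .evt files are no longer locked.
        if ((Get-Service -Name EventLog).Status -eq 'Running') {
            throw 'EventLog service is still running; the .evt files will be locked.'
        }
        # Preserve the corrupt files before deleting them.
        New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
        Get-ChildItem -Path $logDir -Filter '*.evt' | ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $ArchiveDir
            Remove-Item -Path $_.FullName
            Write-Host "Archived and removed $($_.Name)"
        }
        # Step 3: set Start back to 0x02 and reboot; the system recreates empty logs.
        Set-ItemProperty -Path $key -Name Start -Value 2 -Type DWord
        Write-Host "Start value restored to 2. Reboot to regenerate clean logs. Archive: $ArchiveDir"
    }
}
```

Because the Start value must be 0x02 for normal logging, an unexpected 0x04 on a production system is itself worth investigating, since the same change silences the event log.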
If the system partition is FAT, one could boot DOS and delete the
%SystemRoot%\system32\config\*.evt files from there. This ability to boot
another operating system and make such changes is valuable, but one does not
have to use FAT and DOS to achieve it. Installing a second copy of NT in a
different directory gives you the same flexibility without weakening security:
boot the secondary copy of NT and delete the .evt files of the primary copy.
Frank Heyne has made available a Windows NT Eventlog FAQ.