How to Delete Corrupt Event Viewer Log Files


If you launch Windows NT Event Viewer and one of the following error messages
occurs:

    The handle is invalid

    Dr. Watson Services.exe
    Exception: Access Violation (0xc0000005), Address: 0x76e073d4

then one of the .evt files is corrupt. You will not be able to rename or delete
Sysevent.evt, Appevent.evt, or Secevent.evt while the system is running, because
the EventLog service always holds them open, and the EventLog service cannot be
stopped because other services depend on it. If you can start a registry editor
locally, or if you have remote registry access, change the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Start value from
0x02 (automatic) to 0x04 (disabled) and reboot. Various services will fail at
that reboot because the event log is unavailable. Delete the event logs,
%SystemRoot%\system32\config\*.evt, change the Start value back to 0x02, and
reboot again. The system will automatically generate new, empty logs.
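The registry-driven procedure above can be carried out as a two-phase script, one phase before each reboot. The following is an added example written for this page, not code from the original article; it assumes an elevated session, the NT 4 paths the article names (the Eventlog service key and *.evt files under %SystemRoot%\system32\config; later Windows versions store logs elsewhere), and it moves the corrupt files to a backup folder instead of deleting them so they remain available for later examination.

```powershell
# Added example for this page, not the article's own code.
# Assumptions: run elevated; registry key and log directory are the NT 4
# locations the article names. Run '-Phase disable', reboot, then run
# '-Phase restore', reboot again.
param(
    [Parameter(Mandatory)][ValidateSet('disable', 'restore')][string]$Phase,
    [string]$LogDir    = (Join-Path $env:SystemRoot 'system32\config'),
    [string]$BackupDir = (Join-Path $env:SystemRoot 'config_evt_backup')   # assumed location
)

$key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$AUTO_START = 2   # SERVICE_AUTO_START, the article's 0x02
$DISABLED   = 4   # SERVICE_DISABLED,   the article's 0x04

switch ($Phase) {
    'disable' {
        # Record the current value and refuse to proceed if it is not what we expect.
        $current = (Get-ItemProperty -Path $key -Name Start).Start
        Write-Host ("Eventlog Start is currently 0x{0:x2}" -f $current)
        if ($current -ne $AUTO_START) { throw "Unexpected Start value 0x$('{0:x2}' -f $current); aborting" }
        Set-ItemProperty -Path $key -Name Start -Value $DISABLED -Type DWord
        Write-Host "Eventlog set to disabled (0x04). Reboot, then run again with -Phase restore."
    }
    'restore' {
        # The .evt files are only safe to move once the service is not running.
        $svc = Get-Service -Name Eventlog -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Stopped') {
            throw "Eventlog service is still running; the .evt files are in use"
        }
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        # Move rather than delete: a corrupt log may still hold recoverable records.
        Get-ChildItem -Path $LogDir -Filter '*.evt' | ForEach-Object {
            $dest = Join-Path $BackupDir ('{0}.{1:yyyyMMdd-HHmmss}' -f $_.Name, (Get-Date))
            Move-Item -Path $_.FullName -Destination $dest
            Write-Host "Moved $($_.Name) -> $dest"
        }
        Set-ItemProperty -Path $key -Name Start -Value $AUTO_START -Type DWord
        Write-Host "Eventlog Start restored to 0x02. Reboot; the system will create fresh logs."
    }
}
```

The service-state check in the restore phase is the important guard: if the Start change did not take effect (for example because the edit was made to the wrong control set), the files are still open and the move would fail or leave the log store half-moved.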

If the system is on a FAT partition, one could boot DOS and delete the
%SystemRoot%\system32\config\*.evt files from DOS. The ability to boot another
operating system and make such changes is valuable, but FAT and DOS are not the
only way to get it: installing a second copy of NT in a different directory
gives the same flexibility without weakening security. Boot the secondary copy
of NT and delete the .evt files belonging to the primary copy.

Frank Heyne has made available a Windows NT Eventlog FAQ.
