How To Delete Corrupt Event Viewer Log Files

ID: Q172156

The information in this article applies to:

Microsoft Windows NT Workstation versions 3.51, 4.0
Microsoft Windows NT Server versions 3.51, 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS

When you launch Windows NT Event Viewer, one of the following error messages may occur if one of the *.evt files is corrupt:

The handle is invalid

Dr. Watson Services.exe
Exception: Access Violation (0xc0000005), Address: 0x76e073d4

When you click OK or cancel on the Dr. Watson error message, you may also receive the following error message:

Event Viewer
Remote Procedure Call failed

CAUSE

The Event Viewer Log files (Sysevent.evt, Appevent.evt, Secevent.evt) are always in use by the system, preventing the files from being deleted or renamed. The EventLog service cannot be stopped because it is required by other services, thus the files are always open. This article describes a method to rename or move these files for trouble-shooting purposes.

RESOLUTION

WARNING: Using Registry Editor incorrectly can cause serous problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

NTFS Partition

Click the Start button, point to Settings, click Control Panel, and then double-click Services.

Select the EventLog service and click Startup. Change the Startup Type to Disabled, and then click OK. If you are unable to log on to the computer but can access the registry remotely, you can change the Startup value in the following registry key to 0x4:
```
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog 
```

Restart Windows NT.

NOTE: When the system starts up, several services may fail; a message informing the user to use Event Viewer to review errors may appear.

Rename or move the corrupt *.evt file from the following location:
```
      %SystemRoot%\system32\config 
```

In Control Panel Services tool, reenable the EventLog service by setting it back to the default of Automatic startup, or change the registry Startup value back to 0x2.

FAT partition (Alternative method)

Boot to a MS-DOS prompt using a DOS bootable disk.

Rename or move the corrupt *.evt file from the following location:
```
   %SystemRoot%\system32\config 
```

Remove the disk and restart Windows NT.

When Windows NT is restarted, the Event Log file will be recreated.

Additional query words: regedt32 evt rpc error (rpc)


Keywords          : ntregistry NTSrvWkst 
Version           : WinNT:3.51,4.0
Platform          : winnt 
Issue type        : kbprb

Last Reviewed: February 24, 1999