How to Delete Corrupt Event Viewer Log Files

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

If you launch Windows NT Event Viewer and one of the following error messages appears:

       The handle is invalid

       Dr. Watson Services.exe
       Exception: Access Violation (0xc0000005), Address: 0x76e073d4

then one of the .evt files is corrupt. You cannot rename or delete Sysevent.evt, Appevent.evt or Secevent.evt while the system is running, because they are always held open, and the EventLog service cannot be stopped because other services depend on it. If you can start a registry editor locally, or have remote registry access, change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Start value from 0x02 to 0x04 and reboot. Expect various services to fail on that reboot. Delete the event logs, %SystemRoot%\system32\config\*.evt, change the Start value back to 0x02 and reboot again. The system will automatically generate new, empty logs.
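The two-reboot procedure above, written as a PowerShell script that checks the current state before each phase and keeps a copy of the corrupt files before removing them. This is an added example, not code from the original article; the registry path, the 0x02/0x04 values and the log directory are the article's, while the -Phase switch, the service name check and the backup directory are assumptions of the example.

```powershell
# Phase 'disable' runs before the first reboot, phase 'clean' after it.
# Assumptions (not from the article): run from an elevated prompt on the
# affected machine; the backup directory below is a chosen location.
param(
    [ValidateSet('disable', 'clean')]
    [string]$Phase,
    [string]$BackupDir = "$env:SystemRoot\Temp\evt-backup"   # assumed location
)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$logDir = "$env:SystemRoot\system32\config"                  # path from the article

$start = (Get-ItemProperty -Path $svcKey -Name Start).Start

switch ($Phase) {
    'disable' {
        # Only proceed from the normal state (0x02 = automatic start).
        if ($start -ne 2) { throw "Unexpected Eventlog Start value $start; expected 2" }
        Set-ItemProperty -Path $svcKey -Name Start -Value 4   # 0x04 = disabled
        Write-Host 'Eventlog start type set to 4. Reboot, then run again with -Phase clean.'
    }
    'clean' {
        # Refuse to touch the logs unless the service really is disabled and
        # stopped; otherwise the files are still open and deletion fails anyway.
        if ($start -ne 4) { throw "Eventlog Start is $start, not 4; did the disable phase run?" }
        if ((Get-Service -Name EventLog).Status -ne 'Stopped') { throw 'EventLog service is still running' }
        # Keep copies of the corrupt logs: a damaged file can still hold
        # recoverable records and should not simply vanish.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Get-ChildItem -Path $logDir -Filter '*.evt' | ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $BackupDir
            Remove-Item -Path $_.FullName
        }
        Set-ItemProperty -Path $svcKey -Name Start -Value 2   # restore automatic start (0x02)
        Write-Host "Logs copied to $BackupDir and removed. Reboot to regenerate clean logs."
    }
}
```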

If the system is on a FAT partition, you could boot to DOS and delete the %SystemRoot%\system32\config\*.evt files from there. The ability to boot into another operating system and make such changes is valuable, and it does not require FAT and DOS: installing a second copy of NT in a different directory gives you the same flexibility without weakening security. Boot into the secondary copy of NT and delete the .evt files of the primary copy.


Frank Heyne has made available a Windows NT Eventlog FAQ.
