JSI Tip 1487. How do I recover from a corrupt Event log?

Jerold Schulman

July 28, 1999

1 Min Read
ITPro Today logo in a gray background | ITPro Today


When you run the Event Viewer, any of the following messages usually indicate a currupt event log:

The handle is invalid Dr. Watson Services.exeException: Access Violation (0xc0000005), Address: 0x76e073d4

When you click OK or cancel on the Dr. Watson error message, you may also receive the following error message:

Event ViewerRemote Procedure Call failed.

The Event Logs (Sysevent.evt, Appevent.evt, Secevent.evt) are always in use, so you can not delete or rename them. Use any of the following methods:

Alternate Install

Boot the alternate install, delete the Evcent logs from the %Orig_SystemRoot%system32config folder.

You can logon Locally

Use Control Panel / Services / Eventlog to configure Startup as Disabled. Shutdown / Restart Windows NT. Delete the Event logs from %SystemRoot%system32config. Use Control Panel / Services / Eventlog to configure Startup as Automatic. Shutdown / Restart Windows NT.

You can connect remotely

Use Regedt32 to alter the Start of the EventLog service to 0x4 (Disabled). Use Shutdown from the Resource Kit to restart the computer. Delete the Event logs (remotely or locally). Use Regedt32 to alter the Start of the EventLog service to 0x2 (Automatic). Shutdown / Restart Windows NT.


Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like