How to enable Event Viewer? Tutorial already Tried

AlexRD · Mar 13, 2009

How do i enable the event viewer service?
I already followed closely that tutorial Brink made, to boot on safe mode disable
WinMGMT, etc and it didn't work. I need Event Viewer to work so that Diskeeper works.

The following error i receive when trying to start the service by Services.MSC

Windows could not start the the Windows Event Log service on local Computer.

Error 4201: The instance name passed was not recognized as valid by a WMI Data Provider. (The service is set to Automatic, tho)

Help!

H2SO4 · Mar 13, 2009

The event log service is enabled by default, so the question is more about what was done previously on your machine to DISable it.

Do you have any idea how it got into this state to begin with? Nobody's going to be judgmental here - we just need to understand the technical history of the problem

AlexRD · Mar 13, 2009

H2SO4 said:
The event log service is enabled by default, so the question is more about what was done previously on your machine to DISable it.

Do you have any idea how it got into this state to begin with? Nobody's going to be judgmental here - we just need to understand the technical history of the problem

Well, what happened is that i installed Diskeeper and it alerted me that Event Viewer was off, i would never actually notice if it was on or off. And i can't remember tweaking up services lately, since this is a fresh install of Vista x64 Ultimate. So, i guess could it be a Virus or something to keep me away from viewing my Logs?

H2SO4 · Mar 14, 2009

I suspect that you've got a permissions problem - something has messed up the access lists on either the registry or the operating system files. I've seen this happen before due to an audio driver installation utility mangling the permissions on folders under \Windows, but the root cause could be fundamentally different in your case.

If you want to apply the "shotgun" principle, run this from an elevated (admin) CMD prompt:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb

Those files contain the "base" access control lists which are put in place during Windows install, and running that secedit command will reapply them, which may help with your issue.

If you want to troubleshoot:

1) Download "Process Monitor" from Sysinternals.microsoft.com. It's the greatest thing since Nutella on bread, and it can reveal "access denied" messages (and other errors) while the EventLog service is starting. Of course, it'll tell you what can't be accessed so that you can go and change permissions accordingly.

2) Fire up a CMD prompt and type TASKLIST /SVC. The EventLog service runs in a shared SVCHOST instance with a whole bunch of other services (AudioSrv, Dhcp, lmhosts...). Note the current Process ID (PID) of that process on your machine.

3) Back in Process Monitor, set up a filter so that ONLY activity pertaining to that PID is visible. Otherwise, you'll get overwhelmed with junk process activity spew and it'll be like looking for a needle in a haystack (it's bad enough even with just one process!).

4) Try to start the EventLog service again.

5) Stop the PM logging and look for anything that looks like an error, most likely an "access denied", or even multiple such messages.

It's not really difficult, but it takes a bit of playing around with those tools when you're trying to get the hang of it

AlexRD · Mar 14, 2009

I did everything from step 1-4, but i don't know how to do step 5.
I can't find the log file.
And i looks like, its acess denied message really, because in the log i attached there are like (Acess is denied, Acess is Denied)

Thanks in Advance,
Alex.

AlexRD · Mar 14, 2009

H2SO4 · Mar 14, 2009

Please accept my many and humble apologies for letting the side down by going to sleep. It will not happen again

Re the ProcMon log, it logs to a buffer first, the contents of which you should be able to see in the ProcMon UI. A log file is only generated if you specifically choose "File | Save..." once you've collected the data. Have a play with it.

Re the secedit output, it certainly doesn't look promising. "Warning 1336: The access control list (ACL) structure is invalid" - I suspect that borked ACLs are what's causing your EventLog problem, and possibly other issues too. Two things spring to mind:

1) Run the same secedit command again but this time in a SYSTEM account context. To do that, grab the PSExec tool from sysinternals and type this on an elevated (admin) CMD prompt:

psexec -s -i cmd.exe

That should cause another CMD window to open up, this time running in the system account context (when you type WHOAMI it should respond with "system"). Type the same secedit command into the system CMD window and see whether you get different results.

2) Uninstall all of your antivirus stuff temporarily and run the secedit command. There's a chance that your AV is doing all of this.

pacinitaly · Mar 14, 2009

check out these links:

My event viewer flew away at one point.

Cannot start event log service on Vista Ultimate : Windows Vista Applications : Windows Vista IT Pro : Microsoft TechNet Forums

Event log error 4201 - ERROR_WMI_INSTANCE_NOT_FOUND : Application Compatibility for Windows Development : Software Development for Windows Client : MSDN Forums

H2SO4 · Mar 14, 2009

Excellent links. Entirely deserving of a rep top-up.

AlexRD, you'd do well to look at these in detail.

Cyberwolf · Mar 14, 2009

I found the link provided for "Process Monitor" was dead...So for anyone referencing this article in the future...Visit :

Process Monitor

pacinitaly · Mar 15, 2009

thanks H2So4,

being out of work, I read alot now :cry:

rive0108 · Mar 15, 2009

pacinitaly said:
thanks H2So4,

being out of work, I read alot now

I know the feeling... :shock:

H2SO4 · Mar 15, 2009

At least at this rate the econopanicalypse can't last long. Either there'll be some recovery within a few months, or by the end of the year the entire IT sector will have collapsed and we'll all be tending our little veggie patches.

rive0108 · Mar 15, 2009

H2SO4 said:
At least at this rate the econopanicalypse can't last long. Either there'll be some recovery within a few months, or by the end of the year the entire IT sector will have collapsed and we'll all be tending our little veggie patches.

I am not even in IT (I am an enthusiast)- I am actually a NICET II certified fire protections systems Inspector/Installer. But an IT job doing what I do here sure would be sweet! :cool:

H2SO4 · Mar 15, 2009

Well, you certainly seem to have a huge amount of knowledge.

Careful what you wish for though, or you might really end up working in IT, and then you'll have nobody to blame but yourself

rive0108 · Mar 15, 2009

H2SO4 said:
Well, you certainly seem to have a huge amount of knowledge.

Careful what you wish for though, or you might really end up working in IT, and then you'll have nobody to blame but yourself

lol, well When you buy OEM system builder software you have to become your own tech support!

How to enable Event Viewer? Tutorial already Tried

My Computer

A bit of a numpty

My Computer

My Computer

A bit of a numpty

My Computer

Attachments

My Computer

My Computer

A bit of a numpty

My Computer

HappyGuru Lovin2Help

My Computer

A bit of a numpty

My Computer

My Computer

HappyGuru Lovin2Help

My Computer

My Computer

A bit of a numpty

My Computer

My Computer

A bit of a numpty

My Computer

My Computer