EventViewer service not starting

Techshan 216 Reputation points
2021-08-17T05:38:41.117+00:00

Hello all,

The EventViewer service is not starting on 2 particular Windows Server 2012 R2 servers.

Found a solution on the website below:

http://klevster.com/fix/windows-event-log-service-error-13-the-data-is-invalid/

First, try to clear out the existing logs from: %SystemRoot%\System32\Winevt\Logs and make sure the permissions on the folder were ok.

If it doesn't work, the last recommendation is to delete the key HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog and then try to start the Windows Event Log service.

In my case, deleting the registry entry is the solution, but the same issue appears again after a couple of weeks.

Any help with a permanent fix is greatly appreciated.

Windows Server

5 answers

  1. MotoX80 34,686 Reputation points
    2021-08-17T22:29:24.047+00:00

    I think that your problem might be the Retention value on the Security eventlog. I don't have a Server 2012 machine to test with so I used a Win10 Pro VM.

    If I set the log to "Overwrite events as needed", the retention value is 0. If I set it to "Archive the log when full" it got set to 0xffffffff.


    Run regedit and set Retention to 0 in both:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security

    Try to start the eventlog service. If it won't start then reboot.

    When it comes back up, set the retention to "Archive the log when full" and then examine the value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

    If it's 0x00ffffff then you've still got some other problem. If it's 0xffffffff then tell your AD administrator that his policy is bad and to remove that Retention setting. It may be that older versions like Server 2003 or 32-bit Server versions used 0x00ffffff.

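The check described in this answer, as an added example that is not part of the original post: a PowerShell script that reads Retention from both registry keys and labels each value with the meaning reported above. The function name Get-RetentionInfo and the output columns are illustrative, and the value meanings are the ones the answer observed on a Win10 Pro VM.

```powershell
# Added example (not from the thread): report the Security log Retention value
# in the two registry keys named in the answer. Run from an elevated prompt.
$keys = [ordered]@{
    Service = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
}

function Get-RetentionInfo {   # hypothetical helper name
    param([string]$Source, [string]$Path)

    $info = [ordered]@{ Source = $Source; Kind = '-'; Value = '(not set)'; Note = '' }
    $key  = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains 'Retention')) {
        $raw       = $key.GetValue('Retention')
        $info.Kind = $key.GetValueKind('Retention')
        $num       = $raw -as [int64]
        if ($null -eq $num) {
            $info.Value = "$raw"
            $info.Note  = 'not numeric'
        } else {
            # A DWORD can come back signed (-1); mask to an unsigned 32-bit view.
            $u = $num -band 4294967295
            $info.Value = '0x{0:x8}' -f $u
            # Meanings below are the ones reported in the answer.
            $info.Note = switch ($u) {
                0          { 'Overwrite events as needed' }
                4294967295 { 'Archive the log when full' }
                default    { 'other value: compare with the answer' }
            }
        }
    }
    [pscustomobject]$info
}

$report = foreach ($name in $keys.Keys) { Get-RetentionInfo -Source $name -Path $keys[$name] }
$report | Format-Table -AutoSize

# A Retention value under the Policies key is written by Group Policy.
$svc, $pol = $report
if ($pol.Value -ne '(not set)' -and $pol.Value -ne $svc.Value) {
    Write-Warning "Policy key sets Retention to $($pol.Value); service key has $($svc.Value)."
}
Get-Service -Name EventLog | Select-Object Name, Status
```

Running it before and after a Group Policy refresh shows whether the policy key is what keeps rewriting the value.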

  2. MotoX80 34,686 Reputation points
    2021-08-17T13:05:35.2+00:00

    Sounds like a group policy problem. Who supports Active Directory in your organization? Talk to them and verify that the 2 servers are in the correct OU and getting the correct policies assigned.

    From an admin command prompt you can review policies and look at those registry entries to see what it's changing.

    gpresult /r
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog /s
    

    Rsop.msc will show you a GUI version of policies.


  3. Techshan 216 Reputation points
    2021-08-17T20:41:21.603+00:00

    Hi,

    I checked the RSOP.MSC output and found that the Security event log retention is set for 90 days on both servers; they are in the same OU.

    When I checked another 2012 R2 server, which is in a test OU and does not have that GPO applied, it also has the same issue.

    Any inputs where the issue stems from?


  4. Techshan 216 Reputation points
    2021-08-17T23:23:08.44+00:00

    Thanks for your input. I will keep you posted on further progress toward resolving this.


  5. Techshan 216 Reputation points
    2021-09-15T18:16:01.827+00:00

    Hi all,

    Finally found that the issue arose from a bad GPO.

    Thanks for the help, MotoX80.

