Windows Event Log Service not starting or is unavailable
Windows Event Log service maintains a set of event logs that the system, system components, and applications use to record events. The service exposes functions that allow programs to maintain and manage the event logs and perform operations on the logs, such as archiving and clearing. As such, administrators can maintain event logs and perform administrative tasks requiring administrator privileges.
Windows Event Log Service Not Starting or Running
If you have difficulty starting any of the following, one possible reason is that the Windows Event Log service is not running.
- Task Scheduler
- Windows Event Calendar
- Messenger Sharing Folders
In such a scenario, you may get error messages like:
Event Log service is unavailable. Verify that the service is running
Windows could not start the Windows Event Log service on Local Computer
First, reboot your system and see if it helps. Sometimes a simple restart helps reinitialize this service. If the Windows Event Log shows as being started, re-start it from Services Manager.
To check whether the Windows Event Log service is started or stopped, run services.msc and hit Enter to open the Services Manager. There, right-click the Windows Event Log service and check its Properties.
Ensure that the Startup type is set to Automatic, that the service is Started, and that it runs under the Local Service account.
Also ensure that, in the Recovery tab, all three drop-down boxes show the option ‘Restart the Service’ in case of failure. Reboot if required.
At times the Windows Event Log Service still will not start, and you may instead get the following error message:
System cannot find the file specified
In this case, open the following folder:
This logs folder contains Event Logs in .evtx format and can only be read with the Event Viewer. Give this logs folder Read-Write access rights and see if it helps.
You might also want to do the following.
Open Registry Editor and navigate to the following key:
Double-click ObjectName and ensure that its value is set at NT AUTHORITY\LocalService. If it is not, then change it.
If it still does not help, run the System File Checker and go through its logs.
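The checks above can be collected in one read-only pass. This is an added example, not part of the original article: it assumes the service name `EventLog`, and the two folder paths are the ones named in the forum replies further down this page.

```powershell
# Added example: read-only audit of the Windows Event Log service settings.
# Run from an elevated PowerShell prompt. Nothing on the system is changed.
$svcName = 'EventLog'   # assumed service name of "Windows Event Log"

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service '$svcName' not found" }

# Startup type, state and logon account, compared with the values the article expects.
$checks = @(
    [pscustomobject]@{ Setting = 'Startup type'; Expected = 'Auto';    Actual = $svc.StartMode }
    [pscustomobject]@{ Setting = 'State';        Expected = 'Running'; Actual = $svc.State }
    [pscustomobject]@{ Setting = 'Log on as';    Expected = 'NT AUTHORITY\LocalService'; Actual = $svc.StartName }
)
$checks |
    Select-Object Setting, Expected, Actual, @{ n = 'OK'; e = { $_.Actual -eq $_.Expected } } |
    Format-Table -AutoSize | Out-String

# Recovery tab: count how many of the three failure actions are "restart".
$restarts = @(sc.exe qfailure $svcName | Select-String -Pattern 'RESTART').Count
"Recovery actions set to restart the service: $restarts of 3"

# Folder permissions: list owner and ACL entries so missing principals stand out.
# Paths are taken from the forum replies on this page (assumption for the article).
$folders = @(
    "$env:WINDIR\System32\winevt\Logs",
    "$env:WINDIR\System32\LogFiles\WMI\RtBackup"
)
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        "MISSING: $folder"
        continue
    }
    $acl = Get-Acl -LiteralPath $folder
    "`n$folder (owner: $($acl.Owner))"
    $acl.Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize | Out-String
}
```

Comparing the ACL listing against the same folder on a machine where the service starts normally shows which entry is missing before any permission is changed.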
«Windows Event Log» service not starting
When I start the «Windows Event Log» service I get the following error:
Windows could not start the Windows Event Log service on Local Computer.
Error 15008: The specified xml text was not well-formed. See Extended Error for more details.
Any suggestion on how to make this service work again?
Replies (5)
The Event Viewer is one of the useful tools within Windows that can help users to diagnose and correct errors. At times, you might encounter errors with the Event Viewer due to corrupted or missing system files. As an initial troubleshooting, we recommend that you Start your PC in safe mode.
If the issue persists, follow the steps provided in this article to use the System File Checker tool to repair missing or corrupted system files. For further troubleshooting, you can also refer to the resolution provided by rung_windows7 in this thread.
Update us with the outcome.
Thanks very much for the quick answer.
I tried to start the PC in safe mode but the «Windows Event Log» gave the same error.
Then I tried the solution in your link (https://answers.microsoft.com/en-us/windows/forum/windows_7-performance/cannot-start-windows-event-log-service-on-windows/e2c218ad-8637-49ee-8023-50eae0e4ddcb) and it didn’t work either.
Finally I tried the sfc tool, following the instructions in https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system.
It gave the following output:
«Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.»
But unfortunately it didn’t solve the issue.
The Core Technologies Blog
Our Software // Windows Services // 24×7 Operation
How to use the Event Viewer to troubleshoot problems with a Windows Service
A Windows service, designed to run “headless” and unattended in the background, cannot easily employ conventional popup windows to report its activities, as a user may not even be logged on. Instead, a service is encouraged to send important communication to the Windows Event Log – an administrative utility that collects and stores messages and events. Once recorded, these messages can be very helpful in troubleshooting problems, for example when a service stops unexpectedly or when it fails to start at all.
Viewing Events from Windows Services
Use Microsoft’s Event Viewer to see messages written to the Event Log. Start the application by clicking on the Start button and typing in Event Viewer, or from the Control Panel (search for it by name). The somewhat cluttered window should come up after a few seconds:
The left hand side shows a tree grouping the various logs captured on your machine. The events from Windows Services (and other applications running on your PC) are filed under . Navigate to that section to load the events in the center of the window, with the entire list in the top and details of the highlighted event underneath:
Messages from your Windows service will have the display name of the service in the Source column.
Important Components of an Event
The Event Viewer shows over 10 pieces of information associated with each event, including:
- Level – How important is this event?
  Each event is classified into one of three categories:
  - Information: An informative yet unimportant event. You will probably see a lot of these, and they can be safely ignored unless you are digging into a specific issue from an application or service.
  - Warning: A moderately important event. These don’t necessarily signify a failure, and your software will probably limp along, but they should be reviewed regularly to see if anything mentioned can be resolved.
  - Error: Indicates a critical problem or failure that may deserve your immediate attention!
- Date and Time – When did this event occur?
- Source – Which application reported this event?
  As mentioned before, an event written by a Windows Service will contain the service’s display name as the Source.
- Description – What happened?
  The full description shown prominently in the lower pane will (hopefully) provide the relevant details of the event.
For example, this information event is from the Interactive Services detection service (“UI0Detect”) reporting that Notepad is showing itself in Session 0:
Viewing Events about Windows Services
While the Application log keeps track of events from a running service, the area records when services are started, stopped, crash or fail to start. Look for events with the Source set to Service Control Manager (SCM). For example, here is the SCM telling us that the Windows Print Spooler service has crashed:
Viewing Events from AlwaysUp and Service Protector
Both AlwaysUp and Service Protector write messages to the Application section of the event logs ().
For AlwaysUp, events from your application named “My Application” will be logged with Source set to My Application (managed by AlwaysUpService). The Event Log Messages Page lists and explains the events reported.
For Service Protector, events related to your service named “MyService” will have a Source of ServiceProtector: MyService.
And for both applications, events related to the starting and stopping of the underlying services themselves appear in the section. Look there if you have a problem with AlwaysUp itself failing to start at boot.
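The same events can be pulled without the Event Viewer GUI. This is an added example, not code from the blog: it queries the System log, where the Service Control Manager writes its events, and the Application log for one service; the source name `My Application (managed by AlwaysUpService)` is the sample name used above and stands in for your own.

```powershell
# Added example: list recent service failures reported by the Service Control Manager.
# Event IDs: 7000 = service failed to start, 7031 / 7034 = service terminated unexpectedly.
$scmFilter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7031, 7034
    StartTime    = (Get-Date).AddDays(-7)
}
# Get-WinEvent reports an error when nothing matches, so suppress it and test for results.
$scmEvents = @(Get-WinEvent -FilterHashtable $scmFilter -ErrorAction SilentlyContinue)

if ($scmEvents.Count -eq 0) {
    'No service start failures or crashes recorded in the last 7 days.'
} else {
    # For these event IDs the first event property holds the service display name.
    $scmEvents |
        Select-Object TimeCreated, Id,
            @{ n = 'Service'; e = { $_.Properties[0].Value } },
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Sort-Object TimeCreated -Descending |
        Format-Table -AutoSize -Wrap | Out-String

    # Which services fail most often.
    $scmEvents |
        Group-Object { $_.Properties[0].Value } |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize | Out-String
}

# Warnings (level 3) and errors (level 2) written by one service to the Application log.
# The source name is a placeholder taken from the AlwaysUp example in the text.
$source = 'My Application (managed by AlwaysUpService)'
$appFilter = @{ LogName = 'Application'; ProviderName = $source; Level = 2, 3 }
Get-WinEvent -FilterHashtable $appFilter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```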
Start windows event log service
Question
I am logged on as administrator. Using Win7 Ultimate 32 bit. Cannot start Event Log service. Any suggestions?
Answers
This issue can be caused due to the incorrect permission settings for the administrators group.
I would like to suggest you perform the following steps to troubleshoot the issue.
1. In the «Start» menu, locate «Command Prompt». Right-click and choose «Run as Administrator». If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. Type the following commands, then press «Enter» to execute them one by one. Please note the space before the command and its parameter.
takeown /f C:\windows\system32\logfiles\wmi\rtbackup
cacls C:\windows\system32\logfiles\wmi\rtbackup /G administrators:F
3. Restart the computer to check the issue.
What’s the result?
Arthur Li — MSFT
- Marked as answer by Arthur_Li Microsoft contingent staff Monday, March 22, 2010 2:06 AM
All replies
Thank you for your help. This did solve my problem. I do not understand what the problem was? What do you mean by incorrect permission settings for the admin group? I thought that they were all enabled when I checked.
Thanks, Bob Bilmanis
I would like to explain that the administrators group does not have the correct permission on rtbackup folder. It’s hard to say what causes such an issue.
Arthur Li — MSFT
This hint did NOT work for me. I have been using Windows 7 RTM Ultimate 32b and without ANY system modification my Event Log service failed to start.
The above and all over the net suggestions for solving this issue did not work in my case.
In my case I had to change NTFS permissions on %WINDIR%\System32\WinEvt\Logs directory for Local Service and Network Service to FULL access.
I’m just curious what kind of software Windows is if it fails to run after half of a year? Viva la Windows XP.
On two occasions, this Windows 7 Ultimate 32-bit system has inexplicably disabled the event viewer with «Error 5: Access is denied». In the first instance, I was able to repair the system by adding SYSTEM permissions to the RTBackup folder. On the recent failure, nothing works. I’ve tried the above fix, the reset repository fix, the permissions fix, the delete and recreate the logfiles fix. No soap.
The startup window on the Services panel is grayed out. If it was accessible, one might be able to find a user account that would work.
So the questions are:
What is the bug in W7 that causes the event service to fail intermittently?
Why is the Log On panel grayed out (I’m running the Services panel as administrator)?
Hi Tedmac, did you ever solve this issue? I’ve tried everything on every forum to try to fix and start my event viewer but nothing has worked.
I was alerted to it whilst trying to install Symantec and it kept failing! After more research the failing pointed to event service problems. I have been trying ever since to restart the service to no avail.
Please help someone!! I’m on Windows 7 64bit and all else seems normal with my system. It’s the same error 4201 when I try to start it in services.msc.
Well.. I tried everything here without avail. Then I ran cmd as Administrator and typed netsh winsock reset
Which worked perfectly.
In my case I had to change NTFS permissions on %WINDIR%\System32\WinEvt\Logs directory for Local Service and Network Service to FULL access.
Even though this thread is over a year old, the trouble still exists.
Checking a machine that was working showed that «Event Log Readers» needed full permission to %WINDIR%\System32\WinEvt\Logs
I have found a solution for my machine. First, let me say that I tried every single suggestion and idea that I could find online/think of and none of them worked, so if you’re in the same shoes then I hope this will fix you right up. The error I was receiving would occur when I manually tried to start the event log service and it would say error 5: access is denied, however this method *may* help (or at least provide some clues) for other errors as well.
2. When you run it, it will start collecting data. Hit Control+E to stop it. Then Control+X to clear the data.
3. Pull up your services snap-in and find the event log service. Fit both on your screen.
4. Press Control+E in Process Monitor to begin data collection then try to start the event log service so that you receive the error. Close the error and return back to Process Monitor, press Control+E to stop collection. Doing this quickly will reduce the amount of data to scroll through.
5. Scroll down and look for any results that say ACCESS DENIED (or use the filter to remove all SUCCESS results). I had a handful of results that didn’t say SUCCESS, but as far as I know, those are not an issue. What you’re looking for is ACCESS DENIED (or perhaps you were getting a different error code, then look for anything out of place or doom-sounding).
6. The field(s) with ACCESS DENIED will tell you which file caused the error. Simply browse to the folder this file is in and right-click -> properties. (Mine was system32/winevt/logs).
(I have a feeling the following steps will require some trial and error, this is what I did)
7. Go to the security tab -> click advanced -> click the owner tab. Set yourself as the owner and return to the security tab.
8. Make sure SYSTEM, yourself and the administrator account all have full access. Click ok.
9. At this point my event viewer service started running when I tested it. Good luck!