A Step-by-Step Guide to Deleting Corrupt Event Viewer Log Files in Windows Server

If you find yourself grappling with corrupted *.evt files in your Windows Server or Windows 11/10 system, it’s crucial to address the issue to prevent error messages such as "The handle is invalid" or "Remote Procedure Call failed." Corruption of Event Viewer log files can stem from unexpected shutdowns, malware, hardware failures, or improper configurations. To rectify the situation, you’ll need to delete these corrupted logs to eliminate the resultant errors.

Deleting Corrupt Event Viewer Log Files in Windows Server

Event Viewer logs may become corrupted for various reasons, leading to potential malfunctions. Here’s how you can successfully delete these files based on your partition type.

For NTFS Partition

  1. Backup the Registry: Before making any changes, backup your registry. To do this, open the Registry Editor, navigate to File > Export, and save the backup to a secure location.

  2. Stop the Event Log Service:

    • Open Run by pressing Win + R, type services.msc, and hit OK.
    • Locate the Event Log service, right-click on it, and select Properties. Change the Startup type to Disabled and click Stop.

    Alternatively, you can directly modify the registry:

    • Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlog, double-click on the Start value, and set it to 4.

  3. Reboot Your Computer: Restart your system. It’s normal to receive messages about stopped services; proceed with the following steps.

  4. Access the Config Directory: Open File Explorer and navigate to %SystemRoot%System32Config. Here, you will find the corrupted *.evt files.

  5. Delete or Move the Files: Remove or relocate the files that are corrupted.

  6. Restart the Event Log Service: Once you’ve cleared the corrupted files, go back to Services Manager, find the Event Log service, change its Startup type back to Automatic, and start the service.

For FAT Partition

  1. Create a DOS Bootable Disk: Use tools like Rufus to create a bootable disk. Insert a USB, select FreeDOS as the boot option, and create the disk.

  2. Boot From USB Drive: Configure BIOS to boot from the USB drive.

  3. Access the Corrupt Event Files: Once in DOS, navigate to the directory containing the corrupt logs using the command cd %SystemRoot%System32Config.

  4. Identify and Rename/Move the Corrupted Files: Find the corrupted files (e.g., Sysevent.evt) and rename or move them with commands like:

    rename Sysevent.evt Sysevent.old

    or

    move Sysevent.evt C:\CorruptedFiles

Resolving the ERROR_CORRUPT_LOG_CLEARED

If you encounter the ERROR_CORRUPT_LOG_CLEARED, proceed with the following steps:

  • Run chkdsk C: /f /r /x in Command Prompt to check for disk corruption and restart your PC.
  • Verify the SMART status of your drives with wmic diskdrive get status. Replace any failing drives.
  • Repair system files using the command sfc /scannow.
  • Optionally, run DISM /Online /Cleanup-Image /RestoreHealth.
  • Finally, review the Event Viewer logs for any disk-related errors and troubleshoot them.

Deleting Corrupted Log Files

To delete corrupted log files:

  1. Open the folder where logs are located, like %SystemRoot%System32Config.
  2. Identify the corrupted *.evt files.
  3. Utilize Command Prompt or File Explorer to rename or delete them.

By meticulously following these processes, you can effectively resolve issues with corrupted Event Viewer log files in your system.

Posted

in

by

Tags: