Disable Event Viewer service in Windows 7

Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms681957%28v=vs.85%29.aspx
Quote: "During system boot, the SCM starts all auto-start services and the services on which they depend. For example, if an auto-start service depends on a demand-start service, the demand-start service is also started automatically."
Now, Task Scheduler services are "automatic" services, and this service is dependent on the "Windows Event Log" service. So does that mean that we cannot disable the "Windows Event Log" service?

Hi,
The Task Scheduler service depends on the Windows Event Log service, so as you mentioned, the Windows Event Log service cannot be stopped if the Task Scheduler service is started.
Here's a way to stop the Task Scheduler service: launch Registry Editor, then navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule
and locate the Start registry key, double-click Start and edit the value, change it to 4, then press F5 to refresh the registry. After restarting the PC, the Task Scheduler service will be automatically stopped.
Yolanda Zhu
TechNet Community Support
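
The Start value edited above is also what an audit should read: as an added example (not part of the original thread or of the reply above), this read-only PowerShell reports the start type of the EventLog and Schedule services and lists every service whose DependOnService value names EventLog. The helper name Get-ServiceStartInfo is hypothetical; the Start meanings 0 to 4 and the DependOnService value are the standard SCM registry layout.

```powershell
# Added example (not from the original thread). Read-only: nothing is modified.
# Audits the registry Start value the answer edits, for the two services
# discussed (Schedule, EventLog), and lists every service that declares a
# dependency on EventLog through its DependOnService value.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Meaning of the Start DWORD as used by the Service Control Manager.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Hypothetical helper name; returns $null when the service key cannot be read.
function Get-ServiceStartInfo {
    param([Parameter(Mandatory = $true)][string]$Name)

    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path -LiteralPath $key)) { return $null }

    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }

    $start = $props.Start
    if ($null -eq $start) {
        $type = 'NotSet'
    } elseif ($StartTypes.ContainsKey([int]$start)) {
        $type = $StartTypes[[int]$start]
    } else {
        $type = "Unknown($start)"
    }

    [pscustomobject]@{
        Name      = $Name
        Start     = $start
        StartType = $type
        # DependOnService is REG_MULTI_SZ; drop empty entries.
        DependsOn = @($props.DependOnService | Where-Object { $_ })
    }
}

# 1. Start type of the two services the thread is about.
$eventLog = Get-ServiceStartInfo -Name 'EventLog'
$schedule = Get-ServiceStartInfo -Name 'Schedule'
$eventLog, $schedule | Where-Object { $_ } |
    Format-Table Name, Start, StartType, DependsOn -AutoSize

# 2. Every service key that lists EventLog as a dependency.
$dependents = @(
    Get-ChildItem -LiteralPath $ServicesRoot -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ServiceStartInfo -Name $_.PSChildName } |
        Where-Object { $_ -and ($_.DependsOn -contains 'EventLog') }
)
$dependents | Sort-Object Name | Format-Table Name, StartType -AutoSize

# 3. Findings worth a second look on a machine that should be logging.
if ($eventLog -and $eventLog.Start -eq 4) {
    Write-Warning 'EventLog is set to Disabled (Start=4).'
    $auto = @($dependents | Where-Object { $_.Start -eq 2 } | ForEach-Object { $_.Name })
    if ($auto.Count -gt 0) {
        Write-Warning ("Auto-start services depending on EventLog: " + ($auto -join ', '))
    }
}
if ($schedule -and $schedule.Start -eq 4) {
    Write-Warning 'Schedule is set to Disabled (Start=4), the change described in the answer.'
}
```

Run it from an elevated PowerShell prompt so that all service keys are readable.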

Similar Messages

  • My Microsoft WSUS Update Services Issues/Event Viewer Service Issues

    Hello,
    So yesterday I began investigating why my PCs that were pointed to the WSUS weren't receiving patches for their particular group. I checked to make sure it was approved and the client was in my client group. When I went to continue my troubleshooting today
    Update Services within the WSUS role gives me an Error: Connection Error. My Clients when I force them to check for updates also fail. I went to review my Event Viewer logs and it tells me to start the Event Viewer services. When I try to start the
    services it tells me Error 5 Access Is Denied. I've verified that the policies allow my domain admin account access to modify the services and I've also rebooted it, still no joy.
    Any help anyone can offer with these series of issues would be greatly appreciated!
    -Russ Engelman
    P.S. I'm not very confident with registry edits so if you suggest I try to modify the registry, please make it barney style. Thanks.

    It seems these are two different problems, with Event viewer and with WSUS.
    1. Did this system work recently (correctly) or is it a new one?
    2. Make sure that you are logged in as domain administrator (or better as built-in AD administrator with highest privileges).
    3. Generally services can depend on other processes (services). If these processes do not run, then you cannot start the process that is depending on these services.
    4. WSUS: Clients could not receive (on demand) updates, when there was no initial synchronization.
    5. WSUS: Make sure that GPO and computer group are set correctly
    6. WSUS: Detect and reconnect clients with wuauclt
    7. WSUS: Share your configuration here as well as reports.
    Regards
    Milos

  • Managing event viewer remotely in windows 2003

    Same user is configured as administrator on all the servers in one domain at windows 2003 server. However, the account is not
    the domain admin. Can security logs be managed or cleared remotely from any of these servers? Will this require any specific configuration?
    dhomya

    Hi,
    So you want to give Non-Administrator users access remotely to Event logs if the Servers or DomainControllers they are accessing are Windows 2003?
    If yes, I think you could refer to:
    Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
    http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • When starting a new page "an unknown error has occured" when closing illustrator it creates a crash report. Tried uninstall/reinstall but it wont uninstall. Tried disable startup items, services in windows. No results.

    cs4

    As you can see below, when I right click, I have no such option.  In the User Account Settings, I'm operating as the "System Administrator".
    Any other suggestions?

  • Windows is Scanning and repairing drive... (- Errors in Event Viewer)

    Long post, please be patient... :)
    I have a fairly new (purchased 8/2013) Lenovo ThinkPad T431s with Windows 8.1 Pro 64-bit (updated from 8.0 -> 8.1). It has a very tricky error coming basically 8 / 10 boots:
    Windows is Scanning and repairing drive...
    Error details from Windows Event Viewer (a new similar error appears on every boot to event viewer):
    A corruption was discovered in the file system structure on volume \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}.
    A file on the volume is no longer reachable from its parent directory. The parent file reference number is 0x2000000000002. The name of the parent directory is "". The parent index attribute is ":$I30:$INDEX_ALLOCATION". The file reference
    number of the file that needs to be reconnected is 0x400000003db80. There may be additional files on the volume that also need to be reconnected to this parent directory.
    What has been done 1st trying to fix that:
    SSD disk has been changed (image from previous SSD copied back) -> no solution, error remains
    chkdsk /F /R -> no solution, error remains
    SFC /scannow -> no solution, error remains
    dism /online /cleanup-image /restorehealth -> no solution, error remains after a few boots
    TRIED using Windows 8.1 "Update & Recovery -> Refresh Your PC without affecting your files" -> Inserted the Lenovo "Operating System Recovery Disk Windows 8 Pro (OEM Activation 3.0 Required)" BUT Windows did not accept
    that DVD claiming "The media inserted is not valid"... ???
    Ended up calling Lenovo Support and they instructed me to order the Recovery DVD from Lenovorecovery.com -> Unfortunately Windows does not recognize the DVD(s)...
    mountvol returns:
    \\?\Volume{4d337687-0033-42f7-8a8e-b6968b533cb3}\
    (This is my C:\ drive where Windows installation resides)
    \\?\Volume{e010cf9d-c04d-4c82-b517-3cda1b647fe7}\
    *** NO MOUNT POINTS ***
    \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}\
    *** NO MOUNT POINTS ***
    \\?\Volume{33f0062f-0aff-4fd2-8402-1c7911d86897}\
    *** NO MOUNT POINTS ***
    Then running fsutil dirty query on each returns:
    Volume - \\?\Volume{4d337687-0033-42f7-8a8e-b6968b533cb3} is NOT Dirty
    Volume - \\?\Volume{e010cf9d-c04d-4c82-b517-3cda1b647fe7} is NOT Dirty
    Volume - \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} is Dirty
    Volume - \\?\Volume{33f0062f-0aff-4fd2-8402-1c7911d86897} is NOT Dirty
    The chkdsk on the dirty volume \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}\ returned:
    The type of the file system is NTFS.
    Insufficient storage available to create either the shadow copy storage file or
    other shadow copy data.
    A snapshot error occured while scanning this drive. Run an offline scan and fix.
    Diskpart output on the same volume:
    DISKPART> lis par
    Partition ###  Type      Size     Offset
    Partition 1    Reserved  128 MB   17 KB
    Partition 2    Recovery  1000 MB  129 MB
    Partition 3    System    260 MB   1129 MB
    Partition 4    Primary   146 GB   1389 MB
    Partition 5    Recovery  350 MB   147 GB
    Partition 6    Recovery  19 GB    148 GB
    Questions:
    1) Are my Partitions OK, haven't "touched" anything?
    2) Excluded the dirty volume from boot checking with chkntfs /x
    -> still the Error appears in Event viewer log (but Scanning is skipped/not shown anymore during the boot).
    What is causing the error?
    3) Why do I have three (3) recovery partitions?

    What has happened in the past days:
    A) Lenovo on-site-Support changed the motherboard -> had no impact on the error (which I expected).
    B) I found instructions how to manually create USB Flash stick with a booting Custom (OEM) Recovery Image.
    C) Booted with USB and performed "Refresh your PC without affecting your files."
    D) Windows was refreshed but...
    -->>
    Still the error remains (Windows scanning and repairing drive \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} on each and every boot).
    1) Related Error in Event viewer (NTFS):
    A corruption was discovered in the file system structure on volume \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}.
    A file on the volume is no longer reachable from its parent directory. The parent file reference number is 0x2000000000002. The name of the parent directory is "". The parent index attribute is ":$I30:$INDEX_ALLOCATION". The file reference number of the
    file that needs to be reconnected is 0x400000003db80. There may be additional files on the volume that also need to be reconnected to this parent directory.
    2) Related Error in Event viewer (NTFS - Microsoft Windows NTFS):
    Volume \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} (\Device\HarddiskVolume5) needs to be taken offline to perform a Full Chkdsk.  Please run "CHKDSK /F" locally via the command line, or run "REPAIR-VOLUME <drive:>" locally or remotely via
    PowerShell.
    -->>
    Now Lenovo support is proposing a full re-install (to be performed by myself) of Windows as this is SW issue.
    Summary:
    - Refreshing my T431s with OEM Image does not help
    - The error remains on \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} (\Device\HarddiskVolume5; Lenovo Recovery partition) OR at least Windows thinks so...

  • Essential event viewer bugs with "Forwarded Events" log in Windows Server 2008 R2 and Windows 7

    To my general experience, Windows event viewer is one of the most problematic, faulty management tools in the case of extensive use of its more sophisticated capabilities. The sole description as well as reproduction of some entangled failures would require
    remarkable effort.
    With the "Forwarded Events" log however, the situation becomes particularly worse in that even simple functionality fails and workarounds are difficult to find. That’s what I’ll describe here in order to share my experience with interested users.
    For precision: I’ve extensively used event viewer on a German Windows Server 2008 R2 SP1 (Windows SBS 2011 Standard SP1). The bugs I found on that system, I could reproduce on a German Windows 7 Professional 64-Bit SP1, too.
    Problem 1: Failure of even simple event filtering
    To reproduce this problem, execute these steps on a test machine with any of the two OS mentioned above:
    (i) To prepare log contents, do either of the following:
    (a) populate some events to your local "Forwarded Events" log (most simply by subscribing events from other logs of the same machine; stop subscription if you have collected some events)
    Or
    (b) copy a non-empty log file "ForwardedEvents.evtx" from another machine (with any of the two OS mentioned above) to your test machine and open the file in event viewer.
    (ii) Navigate to your "Forwarded Events" test log and open the filtering dialog. In the "Includes/Excludes Event IDs" field, type: 1-9000. Click OK.
    (iii) Look at the results pane: Surprise, 0 Events! Do you really have no event IDs between 1 and 9000 in your test log?
    (iv) Another example, if you have forwarded security events in your test log: Clear filter, if any previous filter is in place. Open the filtering dialog. In "Keywords" sub-dialog, choose "Audit Success". Click OK.
    (v) Look at the results pane: Surprise, 0 Events! Do you really have no successful security monitoring events in your test log?
    I’ll finish here. If you have a rich variety of events in your test log available, let your imagination run wild to test around. Finally include some simple manually created or modified XPath filters on the XML tab of the filtering dialog. I promise, you’ll
    find a lot of additional strange results.
    Problem 2: Cannot save manually selected events to .evtx file
    Navigate to your "Forwarded Events" test log. In the results pane, select one or more events by highlighting them by mouse clicks. In context menu, choose "Save selected events". In the "save as" dialog, choose file type *.evtx
    and save your file. Open the newly created file in event viewer. Result: Surprise, no events inside the new file!
    Have more fun with forwarded events
    Helmut

    Did you mean that you right-click Forwarded Events and select "Filter Current Log..."? I can filter the correct events via "Filter Current Log..." in my Lab environment.

    Hi Justin,
    yes, I mean "Filter Current Log ... " (in my German systems: "Aktuelles Protokoll filtern ... ").
    What do you mean with "my Lab environment" exactly?
    In the meantime, I performed additional tests. I copied the "ForwardedEvents.evtx" test file from Server 2008 R2 resp. Windows 7 to
    (i) German Windows 8 Pro 64-Bit RTM
    (ii) German Windows 8.1 Pro 64-Bit, up-to-date
    in order to view and filter the file there.
    Results: Same event viewer problem on Windows 8 RTM, but correct behavior on Windows 8.1!
    Best regards, Helmut

  • Event Viewer type command???

    The answer is probably here somewhere, but it'll probably take an age to trawl through the boards.
    Is there such a thing as an Event Viewer, like in Windows? I know about the one that monitors the hardware side of things, i.e the lens cover, keyboard, back cover etc.
    But is there something that will give a report on software events, i.e This app was started at such a time, that app was started such a time, such an app crashed such a time.
    My phone has been crashing a bit lately and I want to find out which app or service could be causing it, if it's possible?

    The nearest I can think of is the dbus-monitor command.
    Unlike event viewer there is no log, but it does show you stuff in real time.
    dbus is a message system used by most Linux systems. Processes attach to the "dbus" and listen and send messages.. the dbus acts like a hub, pushing the messages (and responses to messages) back and forth.
    dbus-monitor will show you all the messages as they fly about..
    It's not easy to read..
    You could try running it in an x terminal and sending the output to the emmc
    dbus-monitor > MyDocs/dbuslog
    but it'll get fairly large quite quickly so I wouldn't leave it running for ever
    downside, it doesn't store the time an event happened.. you could pipe it through a nasty awk script to do the same though:
    dbus-monitor | awk '{print strftime()": "$0}' | tee -a MyDocs/dbus.log.txt
    This would write a log to dbus.log.txt on your eMMC and each line would have the time at the start..

  • Error in starting nidevldu and nipxirmu services (windows event viewer)

    A computer running Windows XP SP1 and a Visual Basic (V6.0) application that I've developed had crashed several times. I've seen lots of errors in the Windows event viewer saying that the nidevldu and nipxirmu services were trying to start (exact French message: Le service nidevldu est en attente de démarrage et Le service nipxirmu est en attente de démarrage). These messages are real errors (not warnings or information).
    I use a 6034E PCI card, Visual basic V6.0 and NI-DAQ 7.4.
    The crashes I've seen may be linked with this problem.
    Is there a solution?

    Hi,
    I think that you are not going to be starting and stopping the devldu service in normal circumstances... due to crashes!
    The first step you have to focus on is to optimize your program in order to avoid crashes, which is not a normal way of work I guess. Then you will be able to avoid these messages!
    Regards,
    David D. - Application Engineer - NI

  • Application Nvidia Stream error and warning in the Event Viewer Windows 8.1

    Have found the following repeating error and warning in the Event Viewer Windows 8.1 64 bit reg. the application Nvidia Stream:
    1. The error :
    "Can not find the description of event 2001 identification from
    the source NvStreamSvc.
    Either the component causing this issue is not
    installed in the local computer or installation is broken. You can install or
    repair the component in the computer.
    Information to the event :
    NvStreamSvc
    Failed continue stopping [6] "
    2. The warning :
    "Can not find the description of event 2002 identification
    from the source NvStreamSvc.
    Either the component causing this issue is not
    installed in the local computer or installation is broken. You can install or
    repair the component in the computer.
    Information to the event
    NvStreamSvc
    SSAU process ID 7820 did not exit, Termination.
    [6]”
    I would appreciate the advice how to fix it.
    Thanks and best regards,
    Ewa

    Hi,
    Thanks for your reply.
    Have the latest updated Nvidia driver: version 347.88 - shall I uninstall and install again?
    Shall I make express installation /as usually/ or advanced?
    Reg. Nvidia Stream service - shall I disable this service in services.msc?
    The software - now have Nvidia GeForce Experience updated to the version 2.4.1.21 on 30th March.
    Would appreciate your further assistance and help.
    Thanks and best regards, Ewa

  • Windows 7 event viewer error after 9.1 update

    Log Name: Application
    Source: Bonjour Service
    Date: 4/11/2010 8:06:33 PM
    Event ID: 100
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: CHEVYSALES
    Description:
    288: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Bonjour Service" />
    <EventID Qualifiers="0">100</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-04-12T00:06:33.000000000Z" />
    <EventRecordID>6692</EventRecordID>
    <Channel>Application</Channel>
    <Computer>CHEVYSALES</Computer>
    <Security />
    </System>
    <EventData>
    <Data>288: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)</Data>
    </EventData>
    </Event>
    above message in my event viewer since I updated to this lousy release....
    have had Bonjour messages before but back with Vista last year...new machine running solid and steady Windows 7 64 bit with a reliability rating from administrative tools of 10 for past months prior to this update...anyone seeing this and if so is there a fix?
    first few backups took forever on my iPhone 3GS..... most go quickly again now.
    don't sync too many things other than videos.
    tia

    Unfortunately there have been multiple issues with the new version of Bonjour which was distributed with iTunes 9.1. Apple knows & is apparently working on a fix but for now you have a few options which might help.
    1) If you don't need the Bonjour service (i.e. for Apple TV) go into system services (run msconfig from a run command & navigate to the 'services' tab), uncheck Bonjour & reboot. That should disable Bonjour & allow iTunes to run properly.
    If you need Bonjour then either
    1) Disable Bonjour as above, delete it & then download a copy of Bonjour 1.x from the web (you'll have to google for it, last time I posted the link, Apple removed my post). Install that one & all should be well.
    2) Uninstall iTunes 9.1 & Bonjour, get a copy of iTunes 9.0.3 and install that one. That will give you the previous version of Bonjour as well. One warning, if you've opened iTunes since upgrading to 9.1, 9.0.x won't be able to open your library since 9.1 updated the library structure. Check in the iTunes folder for one called "Old libraries" or previous library or something similar & you'll have to open that to get your collection to load.
    Good luck,
    Lil

  • Log Entries for Terminal Services in Event Viewer?

    Hello
    I wasn't sure exactly where to post this. Answers.microsoft.com directed me here for an answer.
    I'm running Windows 7 Professional 32 bit. It's a standalone PC, not joined to a domain, never configured as a server. I'm puzzled. When I review entries in the Event Viewer, all logon and logoff entries are located in Event Viewer/Applications and Services
    Logs/Microsoft/ Windows/Terminal Server/Local Session Manager/Operational.  Every logon/logoff event is recorded here, although I have always had Remote Desktop Services disabled in Services. I would think that logon/logoff events would be recorded in
    Applications and Services Logs/Microsoft/Windows/Winlogon. That makes more sense to me. Some of these user entries have Address: LOCAL and some are blank. No major hardware or software changes that might have caused this. The Event Viewer only goes back
    6 months (1 Mb) and then it's overwritten. Can anyone explain this to me? Thanks for your help.

    Hi,
    The path of Event Viewer/Applications and Services Logs/Microsoft/ Windows/Terminal Server/Local Session Manager is used to record Remote Desktop Services activity even though it's disabled.
    Windows logon and logoff activity is recorded in another path: Windows Logs/Security.
    Karen Hu
    TechNet Community Support

  • Windows 8.1 - Windows Couldn't connect to the System Event Notification Service service

    I have an issue that has been bothering me for a while on new 8.1 computers. Standard users are not able to log into the computer on the first try consistently. They receive the error message: Group Policy client service failed the sign-in access is
    denied. They are stuck at the logon screen.
    If an administrator logs in (local or domain), they can log in but get a black desktop with two error messages. The first is Location is Not available - C:\Windows\system32\config\systemprofile\Desktop is unavailable. The second error message is a popup
    balloon. It states "Failed to Connect to a Windows service. Windows couldn't connect to the System Event Notification Service service."
    When a standard user attempts to log in, event viewer records three warnings. They are listed in order from oldest to newest
    The winlogon notification subscriber <Profiles> was unavailable to handle a critical notification event. -Logged 9:14:44
    The winlogon notification subscriber <GPClient> failed a critical notification event. - Logged 9:14:44
    The winlogon notification subscriber <Profiles> was unavailable to handle a notification event. - Logged 9:14:49
    After a reboot, users still have the issue. I noticed that the user profile services and system event notification service are not running though their startup type is automatic. They start after a minute or two.

    Hi Joseph__Moody,
    Based on your description, I assume it is a domain environment. First of all, I would suggest you try to update all the machines.
    "I have an issue that has been bothering me for a while on new 8.1 computers"
    Do you mean all the Windows 8.1 machines share the same symptom or just a specific one? Did the machine work correctly before? When did the issue start to occur? Have you installed any third party software before? Can we operate the machine when we login with
    an administrator account?
    If the issue occurred with the specific machine:
    "The first is Location is Not available - C:\Windows\system32\config\systemprofile\Desktop is unavailable."
    Please try the following suggestions if we can operate the machine when we login with the administrator account:
    Open Windows Explorer and navigate to: C:\Windows\system32\config\systemprofile and verify if it has the Desktop folder there. If the folder doesn't exist, we can copy it from the C:\users\Default\Desktop location (this folder is hidden by default).
    We also can try the following suggestions to troubleshoot:
    1. Run "sfc /scannow" or "dism /online /cleanup-image /restorehealth" to check the health of the system files.
    2. Perform a full scan with antivirus software.
    3. "They start after a minute or two."
    I suspect there is a third party service conflict here. Please perform a clean boot to verify whether there is a third party conflict here.
    How to perform a clean boot in Windows
    https://support.microsoft.com/en-us/kb/929135
    If the issue occurred with multiple machines in the domain, I would suggest you check whether you have configured any logon scripts and logon group policy. We can remove the machine from the domain to troubleshoot.
    If the issue occurred recently, we can perform a system restore to recover the machine to a previous normal point.
    Best regards

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
    Also, SQL Agent Service won't run.
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMWare).
    re-checked the settings in services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran fc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key)
    and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in the place and it's there.
    Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).
    What can be done?

    Hi,
    I haven't found a similar issue. If you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.

  • Cannot open eventlog service on computer '.'. (Windows Event Log service doesn't exist)

    This problem used to be solved after moving a computer object into the appropriate OU and restarting, and if that didn't work, it used to be solved when uninstalling and reinstalling Microsoft FEP (restarts in-between).  Now, the only way to access
    event logs is by logging in as a domain admin, or by accessing event logs through remote manage.
    If a machine object is added to the domain, dropped into the computers container, and restarted, we get this error when going into Computer Management:
    "Cannot open eventlog service on computer '.'."
    The original problem was noticed on our VMs, but I also tried it with a Lenovo Windows 7 build out of the box, added it to our domain, and the problem occurred. When our desktops are built, SCCM's task manager drops it into the appropriate OU immediately, so desktops don't have issues. With VMs, they are dropped into the computers container and restarted, so once this problem occurs, it almost never leaves. SOMETIMES, removing it from the domain solves the problem, but not always.
    I've tried all of the suggestions I've seen online and none of them have worked, such as cleaning up the policies (through registry, and the appropriate system folders), adding the proper NTFS permissions on the RtBackup folder and %SystemRoot%\System32\winevt\logs, netsh winsock reset, cleanboot, etc.
    I did notice that I'm unable to find the NT Service\EventLog user group. I wanted to add it to %systemroot%\system32\winevt\logs, but the group cannot be found on the local computer. Even if that's the problem, why is it missing?
    It doesn't seem like anyone else on the internet gets this exact error.

    Hi Kate!
    Yes, the Windows Event Log service is missing. I had already tried your method (#3), and I did try it again. This is the error I get:
    "The specified service already exists."
    If you check services.msc, it's still not there. If you try to start the Event Viewer, the same error comes up:
    Cannot open eventlog service on computer '.'.

    Hi,
    Please check for the existence of this key. If not found, create a *.reg file from another machine and import.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    Then, check the issue again.
    If this doesn't work, let's run the System File Checker tool to repair the system:
    Run the SFC command in an elevated command prompt:
    SFC /scannow
    If you get any error message, please post it here to let me know.
    Keep us posted.
    Kate Li
    TechNet Community Support
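
    The checks discussed in this thread (the Eventlog service key, the service as the SCM sees it, the NT SERVICE\EventLog account, and the permissions on the winevt\Logs folder) can be gathered in one read-only pass. This is an added example, not code from any of the posts; the variable names are its own, and it treats Automatic (Start=2) as the expected startup type for the service.

    ```powershell
    # Added example: read-only health check for the Windows Event Log service.
    # Run from an elevated PowerShell prompt on the affected machine.
    $svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    $logDir     = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $findings   = @()

    # 1. Service definition in the registry (the key named in the reply above).
    if (Test-Path $svcKey) {
        $cfg = Get-ItemProperty -Path $svcKey
        if ($null -eq $cfg.Start) {
            $findings += 'Key exists but has no Start value'
        } else {
            $startName = $startNames[[int]$cfg.Start]
            "Start=$($cfg.Start) ($startName)  ObjectName=$($cfg.ObjectName)"
            "ImagePath=$($cfg.ImagePath)"
            if ($cfg.Start -ne 2) { $findings += "Start type is '$startName', not Automatic" }
        }
    } else {
        $findings += "Registry key $svcKey is missing"
    }

    # 2. What the Service Control Manager reports.
    $svc = Get-Service -Name EventLog -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += 'SCM does not list a service named EventLog'
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service is registered but its status is $($svc.Status)"
    }

    # 3. Can the per-service account be resolved to a SID?
    try {
        $acct = New-Object System.Security.Principal.NTAccount 'NT SERVICE\EventLog'
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        "NT SERVICE\EventLog resolves to $sid"
    } catch {
        $findings += 'NT SERVICE\EventLog cannot be resolved to a SID'
    }

    # 4. Does the log directory grant that account any access?
    $acl = Get-Acl -Path $logDir -ErrorAction SilentlyContinue
    if (-not $acl) {
        $findings += "Cannot read the ACL of $logDir"
    } elseif (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -like '*\EventLog' })) {
        $findings += "No ACE for the EventLog service account on $logDir"
    }

    if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
    ```

    Comparing checks 1 and 2 separates a service definition that is absent from the registry from one that exists there but is not listed or not running in the SCM.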

  • Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201).

    "Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201)"
    This error keeps cropping up now and again on most of our domain controllers (OS: 2008 and 2008 R2). Usually a restart fixes the issue; however, the issue repeats and security logs don't generate.
    Any advice on how to fix this issue permanently would be greatly appreciated.

    Please see this: https://social.technet.microsoft.com/Forums/windows/en-US/95987ca3-a1b2-4da6-95b7-d825d06cdac7/error-code-4201-the-instance-name-passed-was-not-recognized-as-valid-by-a-wmi-data-provider?forum=w7itprosecurity
    You can also try rebuilding the WMI repository: http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
