2013-02-18

Windows Vista Broken Event Log

Not the first time I've encountered it, and when an event log goes bad (the word "corrupted" gets thrown around), it will pretty much render Windows useless except as a benchmark for reboot times.

Symptoms: applications won't start, though no errors are thrown. Eventually one looks into the event logs. Or tries to.

On Vista, the
%winroot%\System32\winevt\Logs

directory contains the logs. On the machine under investigation, these were numerous. The main interest was the Windows system log, but it wasn't obvious which of these reflected that. A Google search turned up the forensics utility "fixevt," so this simple exe was transferred to the offending machine. 

The Windows event log service must be disabled / stopped before the logs can be disturbed.

Log into an administrator command window in Safe Mode (possibly not necessary, but since the cause of the corruption was unknown, this was prudent), and run fixevt.

An attempt to run fixevt with the argument "*.evt" resulted in an immediate crash of fixevt, so simply "s*.evt" was attempted. Same result. A spot-check of a few event logs here and there ensued. A few would rebuild, but crashing was regular.

There was no time for further research, so the entire \Logs directory was renamed, and the service was restarted after a reboot. The services wouldn't start, so the \Logs directory was manually recreated, and then they would start. Windows recreates the logs anew. The history is gone from view, but the machine is usable again. Monitoring the logs for unusual activity and running malware scans are advisable.
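The stop, rename, recreate and restart sequence above, written out as an added PowerShell example (not from the original post). It assumes an elevated prompt, the standard EventLog service name and the winevt\Logs path, and it renames the old directory with a timestamp suffix (a constructed convention) so the broken logs are kept for later review instead of being lost.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt. Service name and log path are the Windows defaults; the ".broken-"
# backup suffix is a constructed convention.
$logs   = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$logs.broken-$stamp"

# The Event Log service must be stopped before the files can be touched;
# -Force also stops services that depend on it (e.g. Windows Event Collector).
Stop-Service -Name EventLog -Force -ErrorAction Stop
(Get-Service EventLog).WaitForStatus('Stopped', (New-TimeSpan -Seconds 30))

# Rename rather than delete: the old files may still be readable offline and
# are the only record of what happened before the breakage.
Rename-Item -Path $logs -NewName (Split-Path $backup -Leaf) -ErrorAction Stop

# The service will not start if the directory is missing, so recreate it empty.
New-Item -ItemType Directory -Path $logs | Out-Null

Start-Service -Name EventLog -ErrorAction Stop
(Get-Service EventLog).WaitForStatus('Running', (New-TimeSpan -Seconds 30))

# Sanity check: the service should now have created fresh log files.
$fresh = Get-ChildItem -Path $logs
Write-Host ("EventLog running; {0} new log files in {1}" -f $fresh.Count, $logs)
Write-Host ("Old logs preserved at {0} for offline review" -f $backup)
```

If the old files can be opened on another machine, review them there; the renamed directory is also the first place to look if the breakage turns out not to have been accidental.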
