SwaminathanShanmugam-8182 asked:

EventViewer service not starting

Hello all,

The EventViewer service is not starting on 2 particular Windows Server 2012 R2 machines.

Found a solution on the website below:

http://klevster.com/fix/windows-event-log-service-error-13-the-data-is-invalid/

First, try to clear out the existing logs from: %SystemRoot%\System32\Winevt\Logs and make sure the permissions on the folder were ok.

If that doesn't work, the last recommendation is to delete the key HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog and then try to start the Windows Event Log service.


In my case, deleting the registry entry is the solution, but the same issue appears again after a couple of weeks.

Any help for a permanent fix is greatly appreciated.


MotoX80 answered:

Sounds like a group policy problem. Who supports Active Directory in your organization? Talk to them and verify that the 2 servers are in the correct OU and getting the correct policies assigned.

From an admin command prompt you can review policies and look at those registry entries to see what it's changing.

 gpresult /r
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog /s


Rsop.msc will show you a GUI version of policies.

SwaminathanShanmugam-8182 answered:

Hi,

I checked the RSOP.MSC output and found that the security event log retention is set to 90 days on both servers; they are in the same OU.

When I checked another 2012 R2 server with the same problem, which is in a test OU that does not have that GPO applied, it also has the same issue.

Any inputs where the issue stems from?


What values are in that registry key that you delete? If deleting them solves your problem, then there must be something more than just some retention settings.


Hi, please find the picture: ![124091-image.png][1]

The security retention setting is below: ![124028-image.png][2]

App and system are below; the same for both: ![124029-image.png][3]

[1]: /answers/storage/attachments/124091-image.png
[2]: /answers/storage/attachments/124028-image.png
[3]: /answers/storage/attachments/124029-image.png

MotoX80 replied to SwaminathanShanmugam-8182:

Your image does not show the values that are in the subkeys. Run the "reg query" command that I posted.

And just to verify, the "Windows Event Log" service is not running and if you try to start it, you get "Error 13 the data is invalid"?

MotoX80 answered:

I think that your problem might be the Retention value on the Security eventlog. I don't have a Server 2012 machine to test with so I used a Win10 Pro VM.

If I set the log to "Overwrite events as needed", the retention value is 0. If I set it to "Archive the log when full" it got set to 0xffffffff.

[image: 124101-capture.jpg]

Run regedit and set Retention to 0 in both:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security

Try to start the eventlog service. If it won't start then reboot.

When it comes back up, set the retention to "Archive the log when full" and then examine the value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

If it's 0x00ffffff then you've still got some other problem. If it's 0xffffffff then tell your AD administrator that his policy is bad and to remove that Retention setting. It may be that older versions like Server 2003 or 32-bit Server versions used 0x00ffffff.
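The two checks MotoX80 describes in this thread (the `reg query` of the policy key, and comparing the Security log Retention value between the service key and the policy key) can be done in one pass. The script below is an added example and is not code posted by either participant. It assumes an elevated PowerShell prompt on the affected server, the two key paths quoted in the answers above, and the three Retention values discussed there (0, 0xffffffff, 0x00ffffff); the function names are my own.

```powershell
# Added example (not from the thread): report the Security log Retention value
# from the service key and the policy key, and flag the cases MotoX80 describes.
# Assumes an elevated PowerShell session on the affected server.

$logName    = 'Security'
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$logName"
$policyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$logName"

function Get-RetentionValue {
    param([string]$Path)
    # Returns $null when the key or its Retention value is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Retention' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD is surfaced as a signed Int32, so 0xffffffff reads as -1;
    # reinterpret the same 4 bytes as an unsigned value for clean comparison.
    $bytes = [BitConverter]::GetBytes([int32]$item.Retention)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-RetentionText {
    param($Value)
    # Maps the raw DWORD to the meaning given in the answers above.
    if ($null -eq $Value)              { return 'not set' }
    if ($Value -eq 0)                  { return '0 (Overwrite events as needed)' }
    if ($Value -eq [uint32]::MaxValue) { return '0xffffffff (Archive the log when full)' }
    if ($Value -eq 16777215)           { return '0x00ffffff (value MotoX80 attributes to older/32-bit Windows)' }
    return ('0x{0:x8} (unexpected)' -f $Value)
}

$serviceValue = Get-RetentionValue -Path $serviceKey
$policyValue  = Get-RetentionValue -Path $policyKey

"Windows Event Log service : $((Get-Service -Name EventLog).Status)"
"Service key Retention     : $(ConvertTo-RetentionText $serviceValue)"
"Policy key Retention      : $(ConvertTo-RetentionText $policyValue)"

# A policy value that differs from the service key means Group Policy is
# rewriting the setting, which is why deleting the policy key only helps
# until the next policy refresh.
if ($null -ne $policyValue -and $policyValue -ne $serviceValue) {
    Write-Warning 'Policy is pushing a Retention value that differs from the service key; review the GPO with gpresult /r.'
}
if ($serviceValue -eq 16777215 -or $policyValue -eq 16777215) {
    Write-Warning 'Retention is 0x00ffffff; per MotoX80, this value points at the policy as the source of the problem.'
}
```

Run it before and after deleting the policy key: if the policy key reappears with a non-zero Retention after a `gpupdate /force`, the GPO that sets it is the one to correct, which is what the thread ultimately concluded.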

SwaminathanShanmugam-8182 answered:

Thanks for your inputs. I will keep you posted on further updates as I work to resolve this.

SwaminathanShanmugam-8182 answered:

Hi all,

Finally found that the issue arose from a bad GPO.

Thanks for the help MotoX80
