April 5, 2025

A Step-by-Step Guide to Deleting Corrupt Event Viewer Log Files in Windows Server

If you’re dealing with corrupted .evt files in the Event Viewer on Windows Server or Windows 11/10, you may encounter various error messages, such as "The handle is invalid" or "Remote Procedure Call failed." These corruption issues can arise from unexpected shutdowns, malware, hardware problems, or exceeding log size limits. To resolve these issues, it’s necessary to delete the corrupted Event Viewer log files.

Deleting Corrupt Event Viewer Log Files

The method depends on the partition type, which is either NTFS or FAT.

For NTFS Partitions

  1. Back Up the Registry: Since you will change the registry, it’s crucial to create a backup. Open the Registry Editor, navigate to File > Export, choose a location to save, and name the backup file.

  2. Stop the Event Log Service:

    • Open Run (Win + R), type services.msc, and press OK.
    • Locate Event Log or Windows Event Log, right-click it, and select Properties. Set Startup type to Disabled, then click Stop.
  3. Modify the Registry (alternate method):

    • Open the Registry Editor and go to:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    • Find the Start value, double-click it, and set its Value data to 4, then click OK.
  4. Reboot the Computer: If you see messages about stopped services, continue with the solution.

  5. Delete or Move Corrupt .evt Files:

    • Navigate to %SystemRoot%\System32\Config in File Explorer.
    • Remove or move any corrupted .evt files.
  6. Restore Event Log Service: After deleting the files, go back to the Services Manager, set the Event Log (or Windows Event Log) service’s Startup type back to Automatic, and start the service.
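
The NTFS procedure above as a PowerShell script, added here as an example and not part of the original article. It moves the named files into a quarantine folder with a SHA-256 manifest rather than deleting them, so the corrupt logs remain available for later analysis. The `C:\EvtQuarantine` path and the parameter names are assumptions, and the script assumes the service stops cleanly without the reboot in step 4.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Quarantines the named log
# files instead of deleting them and records a SHA-256 for each one.
param(
    [Parameter(Mandatory)] [string[]] $LogFile,               # e.g. 'Sysevent.evt'
    [string] $LogDir     = "$env:SystemRoot\System32\Config", # path given in the article
    [string] $Quarantine = 'C:\EvtQuarantine'                 # hypothetical destination
)
$ErrorActionPreference = 'Stop'
$dest = Join-Path $Quarantine (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Step 1: back up the registry key that the procedure touches.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Eventlog' (Join-Path $dest 'Eventlog.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# Step 2: disable and stop the Event Log service so the files are released.
Set-Service  -Name EventLog -StartupType Disabled
Stop-Service -Name EventLog -Force      # -Force also stops dependent services

try {
    # Step 5: hash each file, then move it out of the log directory.
    $manifest = foreach ($name in $LogFile) {
        $path = Join-Path $LogDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            Write-Warning "Not found, skipped: $path"
            continue
        }
        $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
        Move-Item -LiteralPath $path -Destination $dest
        [pscustomobject]@{
            File     = $name
            SHA256   = $hash.Hash
            MovedUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    if ($manifest) {
        $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    }
}
finally {
    # Step 6: always restore the service, even if a move failed.
    Set-Service   -Name EventLog -StartupType Automatic
    Start-Service -Name EventLog
}
```

If the service refuses to stop, disable it, reboot as in step 4, and run only the hash-and-move portion before re-enabling it.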

For FAT Partitions

  1. Create a Bootable DOS Disk: Use tools like Rufus to create a DOS bootable disk. Select FreeDOS as the boot option.

  2. Configure BIOS to Boot from USB: Make changes to your BIOS settings to boot from the USB drive.

  3. Access DOS Prompt:

    • At the DOS prompt, navigate to the directory with the corrupt Event Viewer log files using:
      cd %SystemRoot%\System32\Config
  4. Identify and Rename/Move Files: Locate the corrupt .evt files (e.g., Sysevent.evt) and rename/move them with commands like:

    rename Sysevent.evt Sysevent.old

Troubleshooting Further Issues

If you encounter ERROR_CORRUPT_LOG_CLEARED, follow these steps:

  1. Run chkdsk C: /f /r /x in Command Prompt to check for drive corruption and restart your PC.
  2. Check the SMART status of your drives with wmic diskdrive get status; replace any failing drives.
  3. Repair system files using sfc /scannow.
  4. Optionally, run DISM /Online /Cleanup-Image /RestoreHealth.
  5. Review the Event Viewer for any additional disk-related errors.

Deleting Corrupted Log Files

To delete corrupted log files, access %SystemRoot%\System32\Config, identify the corrupted .evt files, and delete or rename them using the Command Prompt or File Explorer.

For more detailed management of Event Viewer logs, you can also look into exporting and other related tasks:

