Introduction

The Windows Event Log service (eventlog) writes system, security, and application events to .evtx files in %SystemRoot%\System32\winevt\Logs. When a log file becomes corrupted (due to disk errors, abrupt shutdowns, or file system issues), the service may fail to start or stop logging events entirely. This creates a blind spot for security auditing and troubleshooting.

Symptoms

  • Event Log service shows Stopped in services.msc
  • Get-Service eventlog shows Status: Stopped
  • Event Viewer fails to open with "The service has not been started"
  • System logs errors such as "The Event log service was stopped"
  • New events are not being recorded in any log channel
  • Service fails to start with error 1500 or 4000

Common Causes

  • Unclean shutdown while event log was being written
  • Disk sector errors corrupting the .evtx file structure
  • Log file grew beyond maximum size and could not wrap properly
  • Antivirus scanning the .evtx file while it was being written
  • File system corruption on the system drive

Step-by-Step Fix

  1. Check Event Log service status:
```powershell
Get-Service eventlog | Select-Object Status, StartType
# If stopped, attempt to start and capture the error
Start-Service eventlog -ErrorAction Stop
```
  2. Identify the corrupted log file:
```powershell
# Query one event from each log file; wevtutil sets a non-zero exit code
# when the file header or records cannot be parsed (/lf:true = query a file, not a channel)
Get-ChildItem C:\Windows\System32\winevt\Logs\*.evtx | ForEach-Object {
    wevtutil qe $_.FullName /lf:true /c:1 /f:text 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "OK: $($_.Name)"
    } else {
        Write-Host "CORRUPTED: $($_.Name)"
    }
}
```
  3. Move corrupted log files and recreate them:
```powershell
# Stop the service first if it is partially running
Stop-Service eventlog -Force -ErrorAction SilentlyContinue

# Move corrupted files to a backup location (keep them; they may still hold recoverable records)
$corrupted = "C:\Windows\System32\winevt\Logs\Security.evtx"
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Move-Item $corrupted "C:\temp\Security.evtx.corrupted" -Force
```
  4. Restart the Event Log service:
```powershell
Start-Service eventlog
Get-Service eventlog
# Windows will automatically create new empty .evtx files
```
  5. Verify new log files are created and logging works:
```powershell
# Write-EventLog / Get-EventLog are available in Windows PowerShell 5.1 (not PowerShell 7)
Write-EventLog -LogName Application -Source "Application Error" -EventId 1 -Message "Test event after recovery"
Get-EventLog -LogName Application -Newest 3
```
  6. Configure log size limits to prevent future corruption:
```powershell
# Limit-EventLog applies to the classic logs (Security, System, Application)
Limit-EventLog -LogName Security -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName System -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Application -MaximumSize 200MB -OverflowAction OverwriteAsNeeded
```
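The six steps above, combined into one recovery script. This is an added example, not code from the original article: it scans every .evtx file rather than one hard-coded path, preserves the corrupted files under a timestamped backup directory for later forensic review, and confirms that the recreated channels accept writes. It assumes an elevated Windows PowerShell 5.1 session; $BackupRoot is a hypothetical location you would adjust.

```powershell
# Added example (not from the original article): end-to-end recovery of corrupted .evtx files.
# Assumptions: run as Administrator in Windows PowerShell 5.1; $BackupRoot is a hypothetical path.
$LogDir     = "$env:SystemRoot\System32\winevt\Logs"
$BackupRoot = "C:\EventLogBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"

function Test-EvtxReadable {
    param([string]$Path)
    # wevtutil returns a non-zero exit code when the file header or records cannot be parsed
    & wevtutil qe $Path /lf:true /c:1 /f:text 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$bad = Get-ChildItem "$LogDir\*.evtx" | Where-Object { -not (Test-EvtxReadable $_.FullName) }
if (-not $bad) {
    Write-Host "All log files parse cleanly; nothing to do."
    return
}

# Preserve the corrupted files: they may still hold recoverable records for forensic review
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
Stop-Service eventlog -Force -ErrorAction SilentlyContinue
foreach ($f in $bad) {
    Write-Host "Moving corrupted file: $($f.Name)"
    Move-Item $f.FullName (Join-Path $BackupRoot "$($f.Name).corrupted") -Force
}

# The service recreates any missing .evtx files on start
Start-Service eventlog
Get-Service eventlog | Select-Object Name, Status

# Confirm the recreated Application channel is writable by writing and reading back a marker event
Write-EventLog -LogName Application -Source "Application Error" -EventId 1 `
    -Message "Event log recovery marker $BackupRoot"
$marker = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1 } -MaxEvents 5 |
    Where-Object { $_.Message -like "*recovery marker*" }
if ($marker) {
    Write-Host "Logging verified: marker event found."
} else {
    Write-Warning "Marker event not found; logging is still broken."
}

# Record which files were replaced so the gap in the audit trail is documented
$bad | Select-Object Name, Length, LastWriteTime |
    Export-Csv (Join-Path $BackupRoot "replaced-files.csv") -NoTypeInformation
```

The exported CSV and the preserved .corrupted files are what an incident responder needs later: the file sizes and last-write times bound the window in which events were lost, and the original files can still be carved for partial records.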

Prevention

  • Set maximum log size and overflow action for all event log channels
  • Exclude *.evtx files from real-time antivirus scanning
  • Monitor disk health with chkdsk and SMART data to catch sector errors early
  • Archive and clear logs regularly using wevtutil cl (clear log)
  • Configure log forwarding to a centralized SIEM to maintain audit continuity during local log failures
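A script that puts the prevention items above into practice and adds a monitoring check for the blind spot described in the introduction. This is an added example, not code from the original article. It uses wevtutil sl because Limit-EventLog only reaches the classic logs, while wevtutil reaches every channel; the channel list, size limit, quiet-hours threshold and archive path are illustrative assumptions, and the antivirus exclusion uses the Defender cmdlet (adapt it for other products).

```powershell
# Added example (not from the original article): apply size/retention limits to every channel,
# exclude the log directory from real-time scanning, archive before clearing, and alert on
# channels that have gone quiet. Assumptions: run as Administrator; all values are illustrative.
$MaxBytes     = 200MB
$QuietHours   = 24
$ArchiveDir   = "C:\EventLogArchive"
$CriticalLogs = 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'

# 1. Size limit and overflow action for every channel.
#    /rt:false = overwrite the oldest events as needed (same effect as OverwriteAsNeeded).
foreach ($channel in $CriticalLogs) {
    & wevtutil sl $channel "/ms:$MaxBytes" /rt:false
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not set limits on $channel" }
}

# 2. Keep real-time antivirus scanning away from .evtx files while the service writes them
#    (Microsoft Defender only; other products need their own exclusion mechanism).
Add-MpPreference -ExclusionPath "$env:SystemRoot\System32\winevt\Logs" -ErrorAction SilentlyContinue

# 3. Archive a channel before clearing it, so clearing never destroys audit history.
function Backup-AndClearLog {
    param([string]$Channel)
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $safeName = $Channel -replace '[\\/]', '-'
    $target   = Join-Path $ArchiveDir "$safeName-$(Get-Date -Format 'yyyyMMdd-HHmmss').evtx"
    & wevtutil epl $Channel $target          # export the channel to a file
    if ($LASTEXITCODE -eq 0) {
        & wevtutil cl $Channel               # clear only after a successful export
        Write-Host "Archived $Channel to $target and cleared it"
    } else {
        Write-Warning "Export of $Channel failed; channel left untouched"
    }
}

# 4. Detect a silent channel: no event written within the last $QuietHours hours.
#    A quiet Security log on a busy host usually means logging has stopped, not that nothing happened.
$cutoff = (Get-Date).AddHours(-$QuietHours)
foreach ($channel in $CriticalLogs) {
    $last = Get-WinEvent -LogName $channel -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $last) {
        Write-Warning "$channel returned no events; the channel may be empty, disabled, or corrupted"
    } elseif ($last.TimeCreated -lt $cutoff) {
        Write-Warning "$channel last wrote at $($last.TimeCreated); older than $QuietHours h"
    } else {
        Write-Host "OK: $channel last event $($last.TimeCreated)"
    }
}

# 5. The service itself must be running and set to start automatically
$svc = Get-Service eventlog
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    Write-Warning "eventlog service is $($svc.Status) / $($svc.StartType)"
}

# Example archive run for the Security channel (generates a 1102 "log cleared" event by design)
# Backup-AndClearLog -Channel 'Security'
```

Run the quiet-channel check on a schedule and send its warnings to the same SIEM the logs are forwarded to; a host whose Security channel stops writing is then visible as an alert rather than as an absence of data. Clearing the Security log writes event 1102, so the archive step itself leaves a record that the clear was deliberate.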