Windows could not start the Windows Event Log service on Local Computer. Error 5: Access is denied

Answers

  • Hi Bob,

    This issue can be caused due to the incorrect permission settings for the administrators group.

    I would like to suggest you perform the following steps to troubleshoot the issue.

    1. In the "Start" menu, locate "Command Prompt". Right-click and choose "Run as Administrator". If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

    2. Type the following commands, then press "Enter" to execute them one by one. Please note the space before the command and its parameter.

    takeown /f C:\windows\system32\logfiles\wmi\rtbackup

    cacls C:\windows\system32\logfiles\wmi\rtbackup /G administrators:F

    3. Restart the computer to check the issue.

    What’s the result?

    Arthur Li - MSFT
    March 19, 2010 1:31
    Moderator

All replies

  • Arthur_Li

    Thank you for your help.  This did solve my problem.  I do not understand what the problem was?  What do you mean by incorrect permission settings for the admin group?  I thought that they were all enabled when I checked.

    Thanks, Bob Bilmanis

    March 19, 2010 22:48
  • I would like to explain that the administrators group does not have the correct permission on the rtbackup folder. It’s hard to say what causes such an issue.

    Regards,

    Arthur Li - MSFT
    March 22, 2010 2:06
    Moderator
  • This hint did NOT work for me. I have been using Windows 7 RTM Ultimate 32b and without ANY system modification my Event Log service failed to start.
    The above and all over the net suggestions for solving this issue did not work in my case.
    In my case I had to change NTFS permissions on %WINDIR%\System32\WinEvt\Logs directory for Local Service and Network Service to FULL access.

    I'm just curious what kind of software Windows is if it fails to run after half of a year? Viva la Windows XP!!!

    1Rosomak

    • Proposed as answer by 1Rosomak August 16, 2010 8:39
    August 16, 2010 8:39
  • Arthur, that worked for me too (Win 7 Professional 64-bit), thanks! One has to wonder why there is such a glaring bug in Windows 7 though.
    August 24, 2010 7:18
  • Did any of you also get error 4201 besides error access denied?
    September 8, 2010 2:58
  • On two occasions, this Windows 7 Ultimate 32-bit system has inexplicably disabled the event viewer with "Error 5: Access is denied".  In the first instance, I was able to repair the system by adding SYSTEM permissions to the RTBackup folder.  On the recent failure, nothing works.  I've tried the above fix, the reset repository fix, the permissions fix, the delete and recreate the logfiles fix.  No soap.

    The startup window on the Services panel is grayed out.  If it was accessible, one might be able to find a user account that would work.

    So the questions are:

    What is the bug in W7 that causes the event service to fail intermittently?

    Why is the Log On panel grayed out (I'm running the Services panel as administrator)?

    Ted

    Ted Gage
    February 2, 2011 18:41
  • Hi Tedmac, did you ever solve this issue? I've tried everything on every forum to try to fix and start my event viewer but nothing has worked.

    I was alerted to it whilst trying to install Symantec and it kept failing! After more research the failing pointed to event service problems. I have been trying ever since to restart the service to no avail.

    Please help someone!! I'm on Windows 7 64bit and all else seems normal with my system. It's the same error 4201 when I try to start it in services.msc.

    • Proposed as answer by Jackanory April 1, 2011 11:41
    • Unproposed as answer by Jackanory April 1, 2011 11:41
    March 21, 2011 0:36
  • Well.. I tried everything here without avail... then I ran cmd as Administrator and typed netsh winsock reset

    Rebooted

    Which worked perfectly.

    • Proposed as answer by Nasreddine May 14, 2011 8:54
    April 1, 2011 11:42
  • In my case I had to change NTFS permissions on %WINDIR%\System32\WinEvt\Logs directory for Local Service and Network Service to FULL access.

    1Rosomak

    Even though this thread is over a year old, the trouble still exists....

    Checking a machine that was working showed that "Event Log Readers" needed full permission to %WINDIR%\System32\WinEvt\Logs

    November 16, 2011 17:02
  • I have found a solution for my machine. First, let me say that I tried every single suggestion and idea that I could find online/think of and none of them worked, so if you're in the same shoes then I hope this will fix you right up. The error I was receiving would occur when I manually tried to start the event log service and it would say error 5: access is denied, however this method *may* help (or at least provide some clues) for other errors as well.

    1. Download Process Monitor & Install: http://technet.microsoft.com/en-us/sysinternals/bb896645

    2. When you run it, it will start collecting data. Hit Control+E to stop it. Then Control+X to clear the data.

    3. Pull up your services snap-in and find the event log service. Fit both on your screen.

    4. Press Control+E in Process Monitor to begin data collection then try to start the event log service so that you receive the error. Close the error and return back to Process Monitor, press Control+E to stop collection. Doing this quickly will reduce the amount of data to scroll through.

    5. Scroll down and look for any results that say ACCESS DENIED (or use the filter to remove all SUCCESS results). I had a handful of results that didn't say SUCCESS, but as far as I know, those are not an issue. What you're looking for is ACCESS DENIED (or perhaps you were getting a different error code, then look for anything out of place or doom-sounding). 

    6. The field(s) with ACCESS DENIED will tell you which file caused the error. Simply browse to the folder this file is in and right-click -> properties. (Mine was system32/winevt/logs).

    (I have a feeling the following steps will require some trial and error, this is what I did)

    7. Go to the security tab -> click advanced -> click the owner tab. Set yourself as the owner and return to the security tab.

    8. Make sure SYSTEM, yourself and the administrator account all have full access. Click ok.

    9. At this point my event viewer service started running when I tested it. Good luck!

    December 14, 2011 1:56
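
Steps 5 and 6 of the post above can also be done offline on a saved capture. This added example (not part of the original post) parses a Process Monitor CSV export and counts ACCESS DENIED file operations per folder, so the permission check can be limited to the folders the service was actually refused on; the column names assume Process Monitor's default CSV layout, and the sample rows are constructed.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed rows in the default column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:50:01.0000001 AM","svchost.exe","1012","RegOpenKey","HKLM\System\CurrentControlSet\Services\EventLog","SUCCESS",""
"1:50:01.0000002 AM","svchost.exe","1012","CreateFile","C:\Windows\System32\winevt\Logs\System.evtx","ACCESS DENIED","Desired Access: Generic Read/Write"
"1:50:01.0000003 AM","svchost.exe","1012","CreateFile","C:\Windows\System32\winevt\Logs\Application.evtx","ACCESS DENIED","Desired Access: Generic Read/Write"
"1:50:01.0000004 AM","svchost.exe","1012","CreateFile","C:\Windows\System32\LogFiles\WMI\RtBackup\example.etl","ACCESS DENIED","Desired Access: Generic Write"
"1:50:01.0000005 AM","mmc.exe","2240","QueryOpen","C:\Windows\System32\example.dll","NAME NOT FOUND",""
"1:50:01.0000006 AM","explorer.exe","1880","CreateFile","C:\Users\bob\example.txt","ACCESS DENIED",""
'''


def denied_folders(csv_text, process=None):
    """Count ACCESS DENIED file operations per parent folder, most frequent first.

    process: optional process name to keep (case-insensitive), e.g. the
    svchost.exe instance that hosts the Event Log service.
    """
    counts = Counter()
    # Drop a leading byte-order mark if the export carries one.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if (row.get("Result") or "").strip().upper() != "ACCESS DENIED":
            continue  # NAME NOT FOUND and similar non-SUCCESS results are skipped
        if process and (row.get("Process Name") or "").lower() != process.lower():
            continue
        path = row.get("Path") or ""
        if not ntpath.splitdrive(path)[0]:
            continue  # registry paths (HKLM\...) have no drive letter
        # Group by folder, since that is where the permissions get inspected.
        counts[ntpath.normcase(ntpath.dirname(path))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for folder, hits in denied_folders(SAMPLE_CSV, process="svchost.exe"):
        print(f"{hits:3d}  {folder}")
```

To use it on a real capture, read the exported file's text and pass it in place of SAMPLE_CSV.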
  • This hint did NOT work for me. I have been using Windows 7 RTM Ultimate 32b and without ANY system modification my Event Log service failed to start.
    The above and all over the net suggestions for solving this issue did not work in my case.
    In my case I had to change NTFS permissions on %WINDIR%\System32\WinEvt\Logs directory for Local Service and Network Service to FULL access.

    I'm just curious what kind of software Windows is if it fails to run after half of a year? Viva la Windows XP!!!

    1Rosomak

    Thanks mate.. it's 100% correct..
    December 20, 2011 16:37
  • Thanks, that worked for me. It took me quite a while to find out what had been changed to cause the service not to start.

    Dave

    December 27, 2011 0:49
  • to those who are still having issues:

     

    The service starts in c:\windows\system32  Make sure LOCAL SERVICE and NETWORK SERVICE have full rights to this and all sub folders.  If you do not see it ADD IT.

     

    NOTE:  Use the ADVANCED button on the folder properties to make your changes.

     

    Also make sure %computername%\administrators (the %computername% is the name of your machine) has OWNERSHIP and full control of the entire c:\windows\system32 and subfolders directory

    make sure you place a check mark next to the "Replace all child object permissions with inheritable permissions from this object"

     

    Click Apply and watch the files fly by as the change is made.  If you have Symantec endpoint or any other protection it might prompt you that there is a change happening.

    Restart

    February 2, 2012 21:27
  • to those who are still having issues:

     

    The service starts in c:\windows\system32  Make sure LOCAL SERVICE and NETWORK SERVICE have full rights to this and all sub folders.  If you do not see it ADD IT.

     

    NOTE:  Use the ADVANCED button on the folder properties to make your changes.

     

    Also make sure %computername%\administrators (the %computername% is the name of your machine) has OWNERSHIP and full control of the entire c:\windows\system32 and subfolders directory

    make sure you place a check mark next to the "Replace all child object permissions with inheritable permissions from this object"

     

    Click Apply and watch the files fly by as the change is made.  If you have Symantec endpoint or any other protection it might prompt you that there is a change happening.

     

    Restart


    After going through EVERY suggested method on this thread, it's this last one that worked for me. I was getting Error 5: Access Denied when trying to start Event Viewer service.

    Thank you!

    February 3, 2012 19:33
  • I'm getting the 4201 error and NOTHING has been able to fix it. I've even been able to delete the RtBackup folder, but it comes back and Event Log Service STILL won't turn on. Any luck, snakeybidder?
    May 9, 2012 7:45
  • to those who are still having issues:

     

    The service starts in c:\windows\system32  Make sure LOCAL SERVICE and NETWORK SERVICE have full rights to this and all sub folders.  If you do not see it ADD IT.

     

    NOTE:  Use the ADVANCED button on the folder properties to make your changes.

     

    Also make sure %computername%\administrators (the %computername% is the name of your machine) has OWNERSHIP and full control of the entire c:\windows\system32 and subfolders directory

    make sure you place a check mark next to the "Replace all child object permissions with inheritable permissions from this object"

     

    Click Apply and watch the files fly by as the change is made.  If you have Symantec endpoint or any other protection it might prompt you that there is a change happening.

     

    Restart

    This worked for me & I did not even have to reboot the computer.
    June 14, 2012 22:18
  • Hi Bob,

    Give this guide a try - it's written for Server 2008 R2 but is basically the same procedure. Let me know if this works on Win 7 OK.

    Windows Event Log Service Error 5 Access is denied

    • Proposed as answer by A. TheOne July 19, 2012 14:46
    July 19, 2012 14:46
  • Using Procmon.exe I discovered access denied for the LOGS folder for the "LOCAL" system user

    edit the permissions for the folder "%systemroot%/system32/winevt/logs"

    find users

    select LOCAL {enter}

    Select ALL permissions {enter} accept warning {yes}

    restart service where access was denied.

    Use procmon.exe to capture the event and search for denied to verify if it persists. Then check properties to identify user name such as LOCAL or NETWORK, jump to address and change permissions to include,,,

    August 6, 2012 2:01
  • I followed the steps above which didn't resolve the issue completely but I think it helped get me there.

    I also followed the steps in this article for granting Full Control to "SYSTEM"

    http://www.winhelponline.com/blog/fix-event-log-error-4201-instance-name-not-recognized/

    After that the service still wouldn't start, and I kept getting "Access denied" when I would try to set permissions again.  I tried taking ownership and couldn't do it.  It's probably because I set "SYSTEM" to have full control and tried to make "SYSTEM" the owner of the folder.  It didn't totally take. 

    Next I went into Safe Mode and lo and behold I saw the Event Log Service started.  Weird.

    I booted into normal mode and now the Event Log service is starting and the VM is happy.

    I came to find out that this VM isn't even needed so it seemed like a waste of time.  I guess nothing is wasted when adding to IT experience and that built-in knowledge base. 

    Thanks all for your contributions.

    September 20, 2013 15:27