Error code: 4201 - The instance name passed was not recognized as valid by a WMI data provider. RRS feed

  • Question

  • Got the Error code: 4201 when attempting to start the Windows Event Log.

    I am almost certain that it has something to do with me changing ownership in the C:\ directory so that I could access C:\Documents\User\SendTo folder.

    Saturday, May 9, 2009 2:40 AM


  • I figured it out.

    I didn't have the Permissions or the Auditing set correctly.
    • Marked as answer by Nick FV Wednesday, June 10, 2009 5:04 AM
    Saturday, May 9, 2009 3:41 PM

All replies

  • I forgot to mention that in trying to delete some .jpg files in the Windows\Web directory I wound up taking ownership of the subfolders in order to successfully delete them.

    I can't think of anything else that could have resulted in that Event Log/WMI error.   All I have installed is Win 7 x64, the regular Windows Updates and some other recommended updates (drivers for my VGA, NIC, HID, TV tuner...I think that's it).  All were done via the Windows Update program.

    I don't think it was any of the many settings that I made via the MMC/Local Computer Policy.  Most of the changes were for Internet Explorer.  Made some minor settings for Windows Explorer, Windows Installer, Windows Messenger, etc...

    Any advice would be greatly appreciated.
    Saturday, May 9, 2009 4:49 AM
  • I figured it out.

    I didn't have the Permissions or the Auditing set correctly.
    • Marked as answer by Nick FV Wednesday, June 10, 2009 5:04 AM
    Saturday, May 9, 2009 3:41 PM
  • Can you clarify what exactly you did to solve this? Where did you not have Permissions and Auditing set correctly? How did you set them?

    I'm having the same problem. Thanks in advance.
    Friday, October 9, 2009 3:59 AM
  • Ya, I'm having the same thing happen. Just started after running the final release of Win 7 now for about 6 weeks. I had also changed permissions to get some things to work so that could be it. Could you give some direction on what you did to rectify?

    Sunday, October 11, 2009 11:22 PM
  • same problem; just happened to stumble across this fix, :)

    Thursday, December 6, 2012 12:32 PM
  • I know this is an old thread but it took me weeks to find my solution to starting the EventLog service with the same error message, here goes:

    The renaming or deleting or changing the permissions of RtBackup  did not fix this error for me,, after many weeks of testing and poking I found my solution , and I hope it helps others who haven't found a fix yet.

    • Open the Registry and Navigate to:


    • Under this key are 3 EventLog- keys, each one has a DWORD(32) value called LogFileMode, if these aren't set correctly it causes the EventLog to fail to start with the 4201 Error. Here are the correct settings for each key...

    \EventLog-Application\LogFileMode - value should be 11000180 (Hex)
    \EventLog-Security\LogFileMode - value should be 100001c0 (Hex)
    \EventLog-System\LogFileMode - value should be 10000180 (Hex)

    Now reboot the PC and see if the eventlog service now starts

    Good Luck

    Thursday, August 11, 2016 10:11 PM
  • Could you explain a little further how you solved it ?

    Because I am experiencing the same error message.

    Luis Olías.

    Wednesday, December 13, 2017 9:33 AM
  • This post just saved my day!

    Thank you.

    Wednesday, February 21, 2018 8:36 PM
  • I had the same issue on my Windows 10 machine. Tried to rename RtBackup folder but always failed with error saying another program is using file in the folder.

    I checked the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System], unlike the [EventLog-Application] and [Eventlog-Security], there was no registry values under [EventLog-System] root path.

    So I exported the key values from another Windows 10 machine and imported it, then after reboot.Ta-Dah!!! 

    Here the registry values I used to fix the problem. It might not work for you so make sure you back up original registry key before importing it.

    Windows Registry Editor Version 5.00


    - Frank Tao

    Thursday, February 21, 2019 2:04 AM
  • One of the possible SOLUTIONs, and the most simple is:

    hlm\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\Start   0 -> 1.

    hlm\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security\Start   0 -> 1.

    hlm\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\Start   0 -> 1.

    You can provoke this error and solve it by changing Start 0 <-> 1 as many times as you like.

    tip   -    EventLog-Security\Start   -   is not required like other two, and without it eventViewer will be partially enabled. Event viewer will work, but will report that component   EventLog-Security   can not be recognized by wmi 4201.

    The CAUSE   -   After looking Performance Monitor, i have noticed that some events are being recorded realtime. [Data Collector Sets\Event Trace Sessions]. Why would I want these events to be recorded and my computer slowed down ? So i have disabled them, and that has changed the above Start values.

    other things   -   that rtBackup folder is just buffer for realTime events that are being collected. If you look at Performance Monitor data can be collected in 4 different modes: [file,  realTime,  file and realTime, buffered]. Event trace sessions:  EventLog-Application, EventLog-System are realTime.

    • Edited by Marko279 Saturday, December 7, 2019 4:45 PM
    • Proposed as answer by Marko279 Saturday, December 7, 2019 4:55 PM
    Saturday, December 7, 2019 4:41 PM