Note: this is a spin-off from a previous post that dealt with two different problems and got too long, so I decided to clean up the original question and ask this one separately.
When I try to start the Windows Event Log service via net start eventlog or via the Services panel, I get an error:
C:\Users\Administrator>net start eventlog
The Windows Event Log service is starting.
The Windows Event Log service could not be started.

A system error has occurred.

System error 2 has occurred.

The system cannot find the file specified.
I tried the following suggestions from here:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog – checked the identity; the identity is NT AUTHORITY\LocalService
- C:\Windows\System32\winevt\Logs
- %windir%\logs\cbs\cbs.log – all clean, [SR] repaired 0 components
- Edit: uninstalled the recent system updates and rebooted – didn't help
Edit: Sysinternals Process Monitor results when starting the service from the Services panel (procmon run in elevated mode):
filter:
process name is svchost.exe : include operation contains TCP : exclude
The captured events are:
21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
Note: previously, for
21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
I was also getting a NAME NOT FOUND error, so I created a new string value under Parameters named ServiceDll with the data %SystemRoot%\System32\wevtsvc.dll (copied from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key). That event is now
21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
I also checked that wevtsvc.dll is present, and it is there.
Additionally, I tried capturing all events whose path contains 'event' and got the following events fired every few seconds:
21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
I also tried capturing everything containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe and System, and it showed no attempt to access any file when I try to start the event logger (if run from cmd there are a few hits by the net executable; if run from the panel there are none).
Edit: event logging stopped working on 04/May/2014 at 03:15.
The only change that day was security update 2964444 – Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems – installed at 03:00. Apparently that is what broke my machine...
What can be done?
What finally fixed the problem was deleting the HKLM\System\CurrentControlSet\services\eventlog\Parameters\ key.
As I said earlier, I had already seen this error in Process Monitor, but I chose to put something into that key – that was my mistake. I should have deleted the key instead.
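A read-only PowerShell check, added here and not part of the original question or answer, that walks through the points the thread established: the service account, the ServiceDll on the eventlog key and its presence on disk, whether a Parameters subkey exists, and whether KB2964444 is installed. The registry paths, DLL name and KB number are taken from the thread; the expectations (LocalService, no Parameters subkey under eventlog) are what this thread found on Windows Server 2008 R2, not a verified rule for every Windows version.

```powershell
# Added diagnostic (not from the original thread). Assumes Windows PowerShell
# run elevated; paths, DLL name and KB number come from the thread above.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog'
$paramKey = Join-Path $svcKey 'Parameters'

function Test-EventLogServiceConfig {
    $findings = @()

    # 1. Service identity: the thread confirms NT AUTHORITY\LocalService is expected
    $svc = Get-ItemProperty -Path $svcKey
    if ($svc.ObjectName -ne 'NT AUTHORITY\LocalService') {
        $findings += "ObjectName is '$($svc.ObjectName)', expected NT AUTHORITY\LocalService"
    }

    # 2. ServiceDll on the service key itself, expanded and verified on disk
    if (-not $svc.ServiceDll) {
        $findings += 'No ServiceDll value on the eventlog key'
    } else {
        $dll = [Environment]::ExpandEnvironmentVariables($svc.ServiceDll)
        if (-not (Test-Path -LiteralPath $dll)) {
            $findings += "ServiceDll '$dll' does not exist on disk"
        }
    }

    # 3. Parameters subkey: the procmon trace shows svchost reading
    #    Parameters\ServiceDll, and removing this subkey is what fixed the thread's case
    if (Test-Path -LiteralPath $paramKey) {
        $p = Get-ItemProperty -Path $paramKey
        $findings += "Parameters subkey present (ServiceDll = '$($p.ServiceDll)'); " +
                     'the thread resolved System error 2 by deleting this subkey'
    }

    # 4. Current service state and the update that coincided with the breakage
    $state = (Get-Service -Name eventlog).Status
    if ($state -ne 'Running') { $findings += "eventlog service status is $state" }
    if (Get-HotFix -Id KB2964444 -ErrorAction SilentlyContinue) {
        $findings += 'KB2964444 (the IE11 update named in the thread) is installed'
    }

    if ($findings.Count -eq 0) { 'No issues found' } else { $findings }
}

Test-EventLogServiceConfig
```

The script changes nothing; if it reports the Parameters subkey, export the key with reg export before deleting it so the change can be reverted.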