4

Windows Event Log service will not start; it says "Error 2: The system cannot find the file specified." I've tried sfc /scannow and it reported zero issues. All other services start up fine, so svchost.exe isn't the issue. I'm guessing there is some permission or path issue or missing file, but I don't know what I should do to find out where it is failing. Is Process Explorer useful in this situation? If so, what do I watch for?


EDIT

After watching what failed using Process Monitor, the "fix" for my particular situation was to create a registry key at HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll containing the same value as the key HKLM\System\CurrentControlSet\services\eventlog\ServiceDll

I'm a big fan of mysterious Windows self-reconfigurations.

jayrdub

2 Answers

5

Process Monitor would be more useful than Process Explorer. You would filter on only the executable that is used by the service. I don't have a Win7 box in front of me, so I can't check what that is.

Run it, try to start the service, and see what fails.

mfinni
  • Thanks for the tip on Process Monitor, I was able to see that it was looking for a registry key that doesn't exist and created the key with the value it was looking for. Perhaps a screwy Windows update changed something. The key used to be found at HKLM\System\CurrentControlSet\services\eventlog\ServiceDll but I had to create it at HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll for it to work. – jayrdub Jun 14 '11 at 21:48
  • fantastic news. – mfinni Jun 14 '11 at 21:59
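
The registry lookup that Process Monitor exposed in this thread can also be inspected directly. The PowerShell below is an added example, not code from any poster: it reads `ServiceDll` at both locations named above and reports whether the referenced file exists. The System32 expectation and the signature check are assumptions added here, prompted by the malware remark in the comments further down.

```powershell
# Added example: inspect where the Event Log service's DLL is registered.
# Read-only; run from an elevated PowerShell prompt.
$svcKey = 'HKLM:\System\CurrentControlSet\services\eventlog'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# The "path to executable" shown on the service's General tab.
"ImagePath: $(Get-RegValue $svcKey 'ImagePath')"

# Assumption: a built-in service DLL should live under %SystemRoot%\System32.
$sys32 = Join-Path $env:SystemRoot 'System32\*'

# Both locations named in the thread: directly under the service key,
# and under its Parameters subkey.
$report = foreach ($loc in $svcKey, "$svcKey\Parameters") {
    $raw    = Get-RegValue $loc 'ServiceDll'
    $dll    = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) }
    $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))

    # Catalog-signed system DLLs may report NotSigned on older PowerShell
    # versions, so treat that status as a prompt to look further.
    $sig = $null
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }

    New-Object PSObject -Property @{
        Location   = $loc
        ServiceDll = $raw
        FileExists = $exists
        InSystem32 = [bool]($dll -like $sys32)
        Signature  = $sig
    }
}

$report | Format-List Location, ServiceDll, FileExists, InSystem32, Signature
```

An empty `ServiceDll` under the `Parameters` entry matches the failure described in the question; a value that points outside System32 or at a missing file is worth investigating before the service is started again.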
1

Are the event logs trying to write to a location that isn't there? Right-click on a particular Windows event log and select Properties. Look at the path that the logs are writing to. Is it something other than the default windir, for example another drive that isn't there?

Chadddada
  • To add to this, check the path of the executable, which is under the General tab. For Windows 7 it should say something like C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted – Nixphoe Jun 14 '11 at 19:12
  • If you find the exe, or its path, isn't right: this could be a sign of pending hard disk or hard-disk/RAID controller failure, or of course a nice little virus/trojan/malware infection. – DutchUncle Jun 14 '11 at 19:21
  • @UnisoftDesign: I'm failing to see how a failing HDD or controller would alter the path. Malware, yes. – joeqwerty Jun 14 '11 at 20:32
  • I don't know what you mean by your first suggestion of "Rt-Click on a particular windows event log and select properties. Look at the path that the logs are writing to." The event viewer won't run because the event log doesn't run. Sure there are a bunch of files in C:\Windows\System32\winevt\Logs but looking at those files does me no good, their permissions seem fine. The "path to executable" of the service is there and permissions seem fine. – jayrdub Jun 14 '11 at 21:28
  • @ joeqwerty: "If you find the exe ... isn't right:" – DutchUncle Jun 14 '11 at 22:22
  • Ah I see what you are saying, Jayrdub. – Chadddada Jun 14 '11 at 23:07
  • @Unisoft: OK, got it now. My apologies. – joeqwerty Jun 14 '11 at 23:55
  • @ joeqwerty: no worries man, speed reading and my fancy grammar don't mix :-) – DutchUncle Jun 15 '11 at 08:12