Windows Event Log - Access Denied
Vista HP
The Windows Event Log Service isn't starting; when I try to start it
manually I get Error 5: Access Denied.
No solution on the web generally or MS knowledgebase in particular - can you
help?
TIA
--
Julian I-Do-Stuff
Some Vista stuff, but mostly just Stuff at http://berossus,blogspot.com
Re: Windows Event Log - Access Denied
On the Start menu, right-click the Command Prompt icon, and then 'run as
administrator'. From that prompt, type 'start eventvwr.msc'.
Re: Windows Event Log - Access Denied
One other bit of info...
Checking the properties of the service, it is set to Log On as Local
Service...but unlike other services of the same type the Log On tab is
entirely greyed out... (i.e. can't change how it logs on) - that doesn't
seem right somehow...
Re: Windows Event Log - Access Denied
(adding this message to the correct thread)
The usual suspects are the registry settings or the file permissions.
You could use Process Monitor and see if you find any Access Denied statuses
in it while trying to start the service.
http://technet.microsoft.com/en-us/s.../bb896645.aspx
You could also check the permissions on the files themselves.
Start a command prompt as administrator and repeat for each evtx file.
cd %SystemRoot%\System32\Winevt\Logs
cacls system.evtx
If it doesn't look like this, then it's been modified from the default.
C:\Windows\System32\winevt\Logs\System.evtx
NT SERVICE\Eventlog:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
However, there could be other file locations that are incorrect as well,
like:
C:\Windows\ServiceProfiles\LocalService\AppData\Local
If the permissions are incorrect, you could change it back manually or use
the command in this KB article.
How to reset security settings back to the defaults
http://support.microsoft.com/kb/313222
Good Luck,
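
The per-file check described in the reply above, as an added example that is not part of the original thread: a read-only PowerShell audit of every .evtx file's ACL. It assumes PowerShell is installed and that every log should carry exactly the three inherited Full Control entries quoted in the post; the function name Test-EvtxAcl is hypothetical.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# Expected entries come from the cacls output quoted in the post:
# inherited Full Control for these three principals and nothing else (assumption).
$Expected = 'NT SERVICE\EventLog', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$LogDir   = Join-Path $env:SystemRoot 'System32\winevt\Logs'

function Test-EvtxAcl {
    param([string]$Path)

    try {
        $rules = (Get-Acl -Path $Path -ErrorAction Stop).Access
    } catch {
        # Failing to read the ACL at all is itself a finding.
        return "cannot read ACL: $($_.Exception.Message)"
    }

    $findings = @()
    # Each expected principal must hold an Allow / FullControl entry.
    foreach ($name in $Expected) {
        $ok = $rules | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -eq 'FullControl'
        }
        if (-not $ok) { $findings += "no Allow/FullControl entry for $name" }
    }
    # Anything beyond the defaults is reported: Deny entries, extra
    # principals, and entries set explicitly instead of inherited.
    foreach ($r in $rules) {
        $who = $r.IdentityReference.Value
        if ($r.AccessControlType -eq 'Deny') {
            $findings += "Deny entry for $who ($($r.FileSystemRights))"
        } elseif ($Expected -notcontains $who) {
            $findings += "extra entry for $who ($($r.FileSystemRights))"
        } elseif (-not $r.IsInherited) {
            $findings += "explicit (non-inherited) entry for $who"
        }
    }
    return $findings
}

# Print only the files whose ACL differs from the expected defaults.
Get-ChildItem -Path $LogDir -Filter *.evtx | ForEach-Object {
    $findings = @(Test-EvtxAcl -Path $_.FullName)
    if ($findings.Count -gt 0) {
        New-Object PSObject -Property @{ File = $_.Name; Findings = $findings -join '; ' }
    }
} | Format-Table -AutoSize -Wrap File, Findings
```

No output means every log file matches the defaults listed in the post; the script changes nothing on disk.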
Re: Windows Event Log - Access Denied
Many thanks to you both... good solid responses for which I am very grateful
(Would have been even more grateful if I had been able to act on them!
Unfortunately, by Saturday morning I had attempted a disk restore from
(validated!) backup, which fell over and *&^$ed the whole system... but now
I've got it back I can't test these things, but I'm filing all this away for
future reference...)
I have had to reinstall a few apps since but the problem has not cropped up
again... my suspicion - as it's the one thing I haven't reinstalled (other
than an Adobe Reader update) is VS2008 (which had the most monstrous install
time of any "app" I have seen in years... with SQL Server, .NET 3.5 and so on
it must have touched rather a lot of the system...) but even if I reinstall it
I bet it doesn't repeat!
Part of me thinks that the more obscure the error message, such as "Access
Is Denied", the more it cries out for a "Details" button that says what was
being accessed by what and how... most things are fixable once you know what
needs fixing!
Great input - thanks.