Event Viewer problems

I’m currently spending an exciting Friday night in the office. Specifically, I’ve been fixing a Windows 2000 PC that’s been running extremely slowly for the past few days. I’ve got that problem solved now (I’m just sticking around to do general maintenance on it), and I thought it was worth documenting here, in case anyone else encounters it.

Problem:
PC running Windows 2000 Pro with SP4 is extremely slow.

Symptoms:
services.exe taking 99% or 100% of CPU time.
Can’t run Event Viewer.
In Admin Tools | Services, the “Event Log” service says “Starting”.

Cause:
One or more of the Event Viewer log files was corrupt, so the service couldn’t start, and therefore the application couldn’t run. But the service didn’t fail either; it just kept retrying, which meant that it was tying up the whole CPU.

Solution:
Change the startup type of that service to “Manual”, then reboot the computer. After rebooting, delete *.evt from
C:\WinNT\system32\config
(or just move them to a spare folder), and start the service manually. If this works (which it did in this case), it will recreate the three files, and then you should change the service’s startup type back to “Automatic”.

Further info:
In this case, two of the three files had a size of 512kb. When the service had restarted, I ran Event Viewer, and looked at the properties for each of the logs. They all had a maximum size of 512kb, and they were also configured to overwrite events after 7 days. I’ve changed this setting to be “Overwrite events as needed”. My theory is that the files got corrupted because Windows tried to add new events, but it had run out of space, and it couldn’t delete the old entries because they were less than 7 days old. Normally this would just give an error message on the screen, but I think it’s best to avoid this configuration in general (I really don’t know why Microsoft made this the default). So, if you’re working on any other machines, take a minute to change this setting over.
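
If the old *.evt files were moved to a spare folder rather than deleted, their headers can be inspected afterwards. The script below is an added example, not part of the original post: it reads the 48-byte header of a legacy .evt file, using the field layout from Microsoft's documentation of that format, and reports the maximum size, retention period and flags next to any inconsistencies. The sample bytes are constructed for illustration.

```python
import struct

# ELF_LOGFILE_HEADER of the legacy .evt format: twelve little-endian 32-bit fields.
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C          # the bytes "LfLe"
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}


def check_evt_header(data):
    """Return (fields, problems) for the first 48 bytes of an .evt file."""
    if len(data) < HEADER.size:
        return {}, ["file shorter than the 48-byte header"]
    (hdr_size, sig, major, minor, start, end, cur_rec, old_rec,
     max_size, flags, retention, end_hdr_size) = HEADER.unpack_from(data)
    fields = {
        "max_size_kb": max_size // 1024,
        "retention_days": retention / 86400,   # stored in seconds
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "oldest_record": old_rec,
        "next_record": cur_rec,
    }
    problems = []
    if hdr_size != HEADER.size or end_hdr_size != HEADER.size:
        problems.append("header size fields are not 0x30")
    if sig != SIGNATURE:
        problems.append("signature is not 'LfLe'")
    if (major, minor) != (1, 1):
        problems.append("unexpected format version")
    for name, off in (("start", start), ("end", end)):
        if not HEADER.size <= off <= len(data):
            problems.append(f"{name} offset {off:#x} points outside the file")
    if flags & 0x1:
        problems.append("DIRTY flag set: log was not closed cleanly")
    return fields, problems


# Constructed sample: 512 KB maximum, 7-day retention, log-full flag, bad end offset.
SAMPLE = HEADER.pack(0x30, SIGNATURE, 1, 1, 0x30, 0x90000, 1200, 1,
                     512 * 1024, 0x1 | 0x4, 7 * 86400, 0x30).ljust(512 * 1024, b"\0")

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    info, issues = check_evt_header(blob)
    print(info)
    print("\n".join(issues) or "header looks sane")
```

Run it with the path of a moved-aside .evt file as the only argument; with no argument it checks the constructed sample.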