With the spread of the latest Microsoft Windows operating systems came a new event log file format, the EVTX log file. An intact EVTX log file can usually be opened without difficulty in the Microsoft Windows Event Viewer or in a third-party tool such as WhatsUp Event Analyst or WhatsUp Event Rover.
Corrupted or improperly closed EVTX files, however, pose a serious problem for the network administrator or forensic investigator who has to view their contents. In some cases, but not all, the Microsoft Event Viewer available on Windows Vista and Windows Server 2008 can open an EVTX file retrieved from a system that was not shut down cleanly, for example a computer that was unplugged so that a forensic investigation could begin.
However, Event Viewer then attempts to repair the damaged data elements in the file without asking the user or confirming the action.
The Event Viewer log files (Sysevent.evt, Appevent.evt, Secevent.evt) are always in use by the system, so they cannot be deleted or renamed. The EventLog service cannot be stopped because other services depend on it, so the files are always open. This article describes a method for renaming or moving these files for troubleshooting purposes.
To resolve a corrupted Windows event log (EVTX file)
To repair the event log file, copy the four fields of the floating footer to their corresponding locations in the header, then set the file status byte to an even value. Save the file and you are done. It is as simple as that.
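An added example, not from this article or from any tool it names: a Python script (the article itself notes that the available tools need Python) that inspects the fixed-size EVTX file header of a copy of the log, verifies the header CRC32, reports whether the dirty bit that marks an unclean close is set, and carries out the "status to clean" step (clearing the low bit, which is what setting the status to an even value amounts to) with the checksum recomputed. The header offsets and the sample header are assumptions of this example; the article's four floating-footer fields are not copied here.

```python
import struct
import zlib

# Layout of the fixed-size EVTX file header, assumed from the public format
# documentation (not taken from the article): "ElfFile\0" signature, chunk and
# record counters, flags at byte 120, CRC32 of bytes 0..119 stored at byte 124.
HEADER_LEN = 128
CRC_COVERED = 120
FLAG_DIRTY = 0x1  # low bit set: the log was not closed cleanly

def parse_header(data):
    """Decode the first 128 bytes of an EVTX file into a dict of fields."""
    if len(data) < HEADER_LEN or data[:8] != b"ElfFile\x00":
        raise ValueError("not an EVTX file header")
    fields = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, crc = struct.unpack_from("<II", data, 120)
    names = ("first_chunk", "last_chunk", "next_record", "header_size",
             "minor", "major", "block_size", "chunk_count")
    return dict(zip(names, fields), flags=flags, crc=crc)

def check_header(data):
    """Parse the header and add 'crc_ok' and 'dirty' verdicts."""
    h = parse_header(data)
    h["crc_ok"] = (zlib.crc32(data[:CRC_COVERED]) & 0xFFFFFFFF) == h["crc"]
    h["dirty"] = bool(h["flags"] & FLAG_DIRTY)
    return h

def check_file(path):
    """Read only the header of a *copy* of the log and return its verdicts."""
    with open(path, "rb") as f:
        return check_header(f.read(HEADER_LEN))

def mark_clean(data):
    """Return a copy with the dirty bit cleared and the header CRC recomputed.
    This is only the status step of the repair; the footer fields are not copied."""
    buf = bytearray(data)
    flags = struct.unpack_from("<I", buf, 120)[0] & ~FLAG_DIRTY
    struct.pack_into("<I", buf, 120, flags)
    struct.pack_into("<I", buf, 124, zlib.crc32(bytes(buf[:CRC_COVERED])) & 0xFFFFFFFF)
    return bytes(buf)

def build_sample_header(dirty=True):
    """Constructed 128-byte sample header for offline use (not from a real log)."""
    buf = bytearray(HEADER_LEN)
    buf[:8] = b"ElfFile\x00"
    struct.pack_into("<QQQIHHHH", buf, 8, 0, 2, 1000, HEADER_LEN, 1, 3, 4096, 3)
    struct.pack_into("<I", buf, 120, FLAG_DIRTY if dirty else 0)
    struct.pack_into("<I", buf, 124, zlib.crc32(bytes(buf[:CRC_COVERED])) & 0xFFFFFFFF)
    return bytes(buf)
```

Run `check_file` against a copy of the log, never the file the EventLog service holds open; a failed CRC or a set dirty bit tells you whether the file was closed cleanly before you decide between repair and deletion.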
The original method to solve the problem was as follows:
1. Disable the Event Log service.
2. Restart the server.
3. Delete the file C:\WINDOWS\system32\config\SysEvent.evt.
4. Re-enable the Event Log service and check that the log files are no longer reported as corrupted.
Unfortunately, the above method may not work with 2003 SP1, because there the cause of the problem is that the network card sends a malformed event message to the event log. To solve it, set the network card to operate in full duplex mode; the message about the damaged system log should then disappear.
Deleting Corrupted EVTX files
You can delete the corrupted file at any time and wait to see whether the error appears again. Alternatively, you can try to repair the damaged EVTX file or export it as a CSV file, but this may require some specialized knowledge. A few tools can extract the binary records from a corrupted file and give you access to its contents, but they require Python, which can be an obstacle for an inexperienced user.
So the simplest way to handle corrupted files is to delete them and let the system create new logs. They can be deleted by hand, but we recommend using a batch file (script) to delete them all at once.
That concludes this article. If you have any questions or other ways to recover data from corrupted Windows event log files, please let us know in the Comments section below.