Windows Event Log Service – Error 13: The data is invalid

I had run through a series of hardening steps on the server and found that the Windows Event Log service would no longer start.

I tried a series of other attempted fixes, like clearing out the existing logs from %SystemRoot%\System32\Winevt\Logs, as well as making sure the permissions on the folder were OK.

There was a suggestion to use Process Monitor (procmon), so I tried starting the service, worked out what PID it was, then filtered the view by that PID. I saw the PID was attempting to traverse a set of Registry Keys which were showing as NOT FOUND.

The full key was: HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog

I checked the registry and this contained a set of Keys for Application, Security and System. For me these then only contained an entry for Retention.

Which got me thinking, does this even need to be here?

I deleted the Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog then tried to start the Windows Event Log service and BAM! worked straight up 🙂
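
An added example, not from the original post: a PowerShell script that lists what is set under the policy key found with procmon, exports it to a .reg file, and only then deletes it and starts the service. The `-Remove` switch and the `$BackupFile` location are assumptions made for this example; run it from an elevated session.

```powershell
# Added example: inspect, back up, then optionally remove the EventLog policy key.
# -Remove and $BackupFile are names chosen for this example, not from the post.
param(
    [switch]$Remove,
    [string]$BackupFile = "$env:TEMP\EventLog-policy-backup.reg"
)

$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'   # PowerShell provider path
$regPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog'    # reg.exe path

if (-not (Test-Path -Path $keyPath)) {
    Write-Output "Policy key not present: $regPath"
    return
}

# Collect every value under the key and its subkeys
# (Application, Security and System in the post, each holding Retention).
$keys = @(Get-Item -Path $keyPath) + @(Get-ChildItem -Path $keyPath -Recurse)
$values = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $key.Name
            Value = $name
            Kind  = $key.GetValueKind($name)
            Data  = $key.GetValue($name)
        }
    }
}
$values | Format-Table -AutoSize -Wrap

if ($Remove) {
    # Export first so the values can be restored later with "reg import".
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; key left untouched." }
    Write-Output "Backup written to $BackupFile"

    Remove-Item -Path $keyPath -Recurse -Force
    Start-Service -Name EventLog
    Get-Service -Name EventLog | Select-Object Name, Status
}
```

Without `-Remove` the script only lists the values, which shows exactly what the hardening wrote before anything is changed. Because the key sits under `Policies`, a Group Policy Object or hardening script that created it can write it back the next time it is applied, so the setting also needs correcting at its source.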