Updates Fail, Slow Response, Fail to Connect to a Windows Service, etc

Kipac · 22 Dec 2012

It still gives me the same result after CheckSUR.

And by Event Viewer, do you mean the one that I can open by typing 'event viewer' in the 'Start' -> search bar?
If so, it is giving me an error message saying: "Event Log service is unavailable. Verify that the service is running."
and there's no log anywhere.
The only thing showing on the left pane of Event Viewer is 'Event Viewer (Local)'.
in the middle is that error message from above,
and the right pane just contains Event Viewer (Local)'s 'Connect to Another computer...' 'view' 'Refresh' 'Help'.

Do you think a video driver or chipsets has something to do with this kind of problems? 'cause when I searched through the internet, I found some of people recommending to try updating them to the newest.

Every time I reinstalled Windows 7 (7 times in total), I just reused chipsets, video drivers, usb, and audio updates that I've put in my usb flash drive because that's convenient.
If those files were happened to be corrupted and I used them to install, wouldn't that can be the cause of these problems?

NoelDP · 22 Dec 2012

Ahah! another clue :)

Please open an Elevated Command Prompt, and run the following commands

NET START EVENTLOG
SC QC EVENTLOG
NET START WECSVC
SC QC WECSVC
NET START EVENTSYSTEM
SC QC EVENTSYSTEM

post the results.

Kipac · 22 Dec 2012

Here's a result of running those commands:

Code:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>NET START EVENTLOG
The Windows Event Log service is starting.
The Windows Event Log service was started successfully.


C:\Windows\system32>SC QC EVENTLOG
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EVENTLOG
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceNetw
orkRestricted
        LOAD_ORDER_GROUP   : Event Log
        TAG                : 0
        DISPLAY_NAME       : Windows Event Log
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Windows\system32>NET START WECSVC
The Windows Event Collector service is starting........
The Windows Event Collector service could not be started.

More help is available by typing NET HELPMSG 3523.


C:\Windows\system32>SC QC WECSVC
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WECSVC
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Event Collector
        DEPENDENCIES       : HTTP
                           : Eventlog
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

C:\Windows\system32>NET START EVENTSYSTEM
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\Windows\system32>SC QC EVENTSYSTEM
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EVENTSYSTEM
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : COM+ Event System
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Windows\system32>

NoelDP · 22 Dec 2012

It looks as if there's something wrong with the Event Collector Service.
Catch 22 applies here - the only sensible data would be in the Event Viewer- but that can't be used because teh Even Collector Service can't start... :)

Best check the Dependency service, I suppose...

Please run the following commands, and post the results.

NET START HTTP
SC QC HTTP

(I'm off to bed - see you tomorrow!)

Kipac · 22 Dec 2012

Here's a result of command prompt.
And ok, good night :)

Code:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>NET START HTTP
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\Windows\system32>SC QC HTTP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HTTP
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\HTTP.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HTTP
        DEPENDENCIES       :
        SERVICE_START_NAME :

C:\Windows\system32>

NoelDP · 23 Dec 2012

The chances are that your Eventlog problems are caused by corrupted logs
We'll have to see what logs are likely to be the cause, and rename them.

Please run the following commands in an Elevated Command prompt, and post the results.

DIR C:\Windows\System32\winevt\logs /on
ICACLS C:\Windows\System32\winevt\logs

Kipac · 23 Dec 2012

Here's a result:

Code:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>DIR C:\Windows\System32\winevt\logs /on
 Volume in drive C has no label.
 Volume Serial Number is 127B-6585

 Directory of C:\Windows\System32\winevt\logs

12/18/2012  04:50 PM    <DIR>          .
12/18/2012  04:50 PM    <DIR>          ..
12/21/2012  12:25 PM         2,166,784 Application.evtx
12/14/2012  10:09 PM            69,632 HardwareEvents.evtx
12/14/2012  10:09 PM            69,632 Internet Explorer.evtx
12/14/2012  10:09 PM            69,632 Key Management Service.evtx
12/14/2012  10:09 PM            69,632 Media Center.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Application-Experience%
4Problem-Steps-Recorder.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-Application-Experience%
4Program-Compatibility-Assistant.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Application-Experience%
4Program-Compatibility-Troubleshooter.evtx
12/15/2012  02:35 PM            69,632 Microsoft-Windows-Application-Experience%
4Program-Inventory.evtx
12/16/2012  02:21 AM            69,632 Microsoft-Windows-Application-Experience%
4Program-Telemetry.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-Audio%4CaptureMonitor.e
vtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-Audio%4Operational.evtx

12/21/2012  12:41 AM         1,052,672 Microsoft-Windows-Bits-Client%4Operationa
l.evtx
12/21/2012  12:27 PM         1,052,672 Microsoft-Windows-BranchCacheSMB%4Operati
onal.evtx
12/21/2012  12:44 PM            69,632 Microsoft-Windows-Dhcp-Client%4Admin.evtx

12/21/2012  12:41 AM            69,632 Microsoft-Windows-Dhcpv6-Client%4Admin.ev
tx
12/21/2012  12:41 AM         1,052,672 Microsoft-Windows-Diagnosis-DPS%4Operatio
nal.evtx
12/15/2012  02:35 PM            69,632 Microsoft-Windows-Diagnosis-Scheduled%4Op
erational.evtx
12/18/2012  04:45 PM            69,632 Microsoft-Windows-Diagnosis-Scripted%4Adm
in.evtx
12/18/2012  04:45 PM            69,632 Microsoft-Windows-Diagnosis-Scripted%4Ope
rational.evtx
12/18/2012  04:50 PM            69,632 Microsoft-Windows-Diagnosis-ScriptedDiagn
osticsProvider%4Operational.evtx
12/21/2012  12:41 AM         1,052,672 Microsoft-Windows-Diagnostics-Performance
%4Operational.evtx
12/21/2012  12:45 PM         1,052,672 Microsoft-Windows-DriverFrameworks-UserMo
de%4Operational.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-Fault-Tolerant-Heap%4Op
erational.evtx
12/21/2012  12:37 PM         1,118,208 Microsoft-Windows-GroupPolicy%4Operationa
l.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-Help%4Operational.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-HomeGroup Provider Serv
ice%4Operational.evtx
12/21/2012  12:35 PM            69,632 Microsoft-Windows-Kernel-EventTracing%4Ad
min.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Kernel-Power%4Thermal-O
perational.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Kernel-StoreMgr%4Operat
ional.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Kernel-WHEA%4Errors.evt
x
12/21/2012  12:31 PM         1,052,672 Microsoft-Windows-Kernel-WHEA%4Operationa
l.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-Known Folders API Servi
ce.evtx
12/15/2012  02:35 PM            69,632 Microsoft-Windows-LanguagePackSetup%4Oper
ational.evtx
12/14/2012  07:29 PM            69,632 Microsoft-Windows-MUI%4Admin.evtx
12/15/2012  02:35 PM            69,632 Microsoft-Windows-MUI%4Operational.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-NCSI%4Operational.evtx
12/14/2012  07:29 PM            69,632 Microsoft-Windows-NetworkAccessProtection
%4Operational.evtx
12/14/2012  07:29 PM            69,632 Microsoft-Windows-NetworkAccessProtection
%4WHC.evtx
12/14/2012  08:01 PM            69,632 Microsoft-Windows-NetworkLocationWizard%4
Operational.evtx
12/21/2012  12:26 PM         1,052,672 Microsoft-Windows-NetworkProfile%4Operati
onal.evtx
12/21/2012  12:27 PM            69,632 Microsoft-Windows-OfflineFiles%4Operation
al.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-PrintService%4Admin.evt
x
12/21/2012  12:41 AM            69,632 Microsoft-Windows-ReadyBoost%4Operational
.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-ReliabilityAnalysisComp
onent%4Operational.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-RemoteDesktopServices-R
dpCoreTS%4Admin.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-RemoteDesktopServices-R
dpCoreTS%4Operational.evtx
12/14/2012  10:57 PM            69,632 microsoft-windows-RemoteDesktopServices-R
emoteDesktopSessionManager%4Admin.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-Resource-Exhaustion-Det
ector%4Operational.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-Resource-Exhaustion-Res
olver%4Operational.evtx
12/14/2012  07:29 PM            69,632 Microsoft-Windows-RestartManager%4Operati
onal.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-Client
USBDevices%4Admin.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-Client
USBDevices%4Operational.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-TerminalServices-LocalS
essionManager%4Admin.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-TerminalServices-LocalS
essionManager%4Operational.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-RDPCli
ent%4Operational.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-Remote
ConnectionManager%4Admin.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-Remote
ConnectionManager%4Operational.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-Server
USBDevices%4Admin.evtx
12/14/2012  10:57 PM            69,632 Microsoft-Windows-TerminalServices-Server
USBDevices%4Operational.evtx
12/21/2012  12:36 PM            69,632 Microsoft-Windows-User Profile Service%4O
perational.evtx
12/21/2012  12:41 AM            69,632 Microsoft-Windows-WER-Diag%4Operational.e
vtx
12/14/2012  09:51 PM            69,632 Microsoft-Windows-Windows Defender%4Opera
tional.evtx
12/14/2012  09:51 PM            69,632 Microsoft-Windows-Windows Defender%4WHC.e
vtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Windows Firewall With A
dvanced Security%4ConnectionSecurity.evtx
12/21/2012  12:26 PM         1,052,672 Microsoft-Windows-Windows Firewall With A
dvanced Security%4Firewall.evtx
12/14/2012  07:29 PM            69,632 Microsoft-Windows-WindowsBackup%4ActionCe
nter.evtx
12/15/2012  02:35 PM         1,052,672 Microsoft-Windows-WindowsSystemAssessment
Tool%4Operational.evtx
12/21/2012  12:41 AM         1,052,672 Microsoft-Windows-WindowsUpdateClient%4Op
erational.evtx
12/14/2012  10:09 PM            69,632 Microsoft-Windows-Winlogon%4Operational.e
vtx
12/21/2012  12:26 PM         1,052,672 Microsoft-Windows-WLAN-AutoConfig%4Operat
ional.evtx
12/21/2012  12:25 PM         4,263,936 Security.evtx
12/20/2012  01:18 AM         1,052,672 Setup.evtx
12/21/2012  12:25 PM        18,944,000 System.evtx
12/14/2012  10:09 PM            69,632 Windows PowerShell.evtx
              75 File(s)     43,233,280 bytes
               2 Dir(s)  73,580,122,112 bytes free

C:\Windows\system32>ICACLS C:\Windows\System32\winevt\logs
C:\Windows\System32\winevt\logs NT SERVICE\eventlog:(OI)(CI)(F)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                NT AUTHORITY\Authenticated Users:(CI)(R)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

NoelDP · 24 Dec 2012

It looks like it's the System log that's stuck
we need to delete it, after saving the file to the desktop for any forensics..
Reboot to Safe Mode with Command prompt, and run

NET STOP EVENTLOG
COPY C:\Windows\System32\winevt\logs\system.evtx %userprofile%\desktop
DEL C:\Windows\System32\winevt\logs\system.evtx

The reboot to normal mode, and see if you can now open Event Viewer

Kipac · 24 Dec 2012

It's working! I can open Event Viewer now!
Then, shall I follow the guide you posted on the 1st page and post the compressed files of Apps.evtx and Sys.evtx?

Kipac · 24 Dec 2012

Here are Apps.evtx and Sys.evtx from Event Viewer:

Updates Fail, Slow Response, Fail to Connect to a Windows Service, etc

Command Prompt Result

Result

Result of Command Prompt

Apps.evtx and Sys.evtx