Event Viewer query error message

Posted: September 13, 2014 in Solved, Windows General

Usually after an OS upgrade, or possibly after a major system corruption and repair, Event Viewer will start showing an error message when you open certain “query” views such as “Custom Views\Administrative Events”. Usually this is because a component that Event Viewer was configured to monitor no longer exists in the upgraded OS.

One or more logs in the query have errors 
The system cannot find the file specified
The events displayed are partial results

This is usually because an element of the query for the logs is no longer part of the system or is corrupted to the point it can no longer be read.

(If you are seeing this on a standalone Exchange server when opening “Custom Views\Microsoft Exchange with Database Availability Group Events” then check this post instead)

SOLUTION

If the queried event log is no longer relevant, the simplest thing is to remove it from Event Viewer, and hence from any queries trying to use it.

NOTE: This is a quick and dirty fix, so use at your own risk. It is recommended to back up any registry keys before deleting them, just in case.

  1. Open Regedit.exe
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
  3. Find the sub-key that matches the “log” entry in the error message and delete it
    • eg. Microsoft-Windows-DxpTaskRingtone/Analytic

Event Viewer should now open without those pesky log errors.
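
The same steps as a PowerShell function, including the backup the NOTE recommends (an added example, not part of the original post). The function name `Remove-StaleEventChannel` and the default backup folder are assumptions; the .NET registry API is used because channel names contain a “/”, which the PowerShell registry provider treats as a path separator.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Remove-StaleEventChannel and the default backup folder are assumed names.
function Remove-StaleEventChannel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Log name exactly as shown in the Event Viewer error message
        [Parameter(Mandatory)][string]$Channel,
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop')
    )

    $channelsPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'

    # Open the parent key writable through .NET; names such as "Foo/Analytic"
    # cannot be addressed reliably through an HKLM:\ provider path.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($channelsPath, $true)
    if ($null -eq $root) { throw "Cannot open HKLM\$channelsPath for writing." }

    try {
        # -notcontains is case-insensitive, like registry key names
        if ($root.GetSubKeyNames() -notcontains $Channel) {
            Write-Warning "No sub-key named '$Channel' under WINEVT\Channels; nothing deleted."
            return
        }

        # Back up first: export the key so it can be re-imported later.
        $safeName = $Channel -replace '[\\/:*?"<>|]', '_'
        $backup   = Join-Path $BackupDir "$safeName.reg"
        if ($PSCmdlet.ShouldProcess("HKLM\$channelsPath\$Channel", "Export to $backup and delete")) {
            & reg.exe export "HKLM\$channelsPath\$Channel" $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup failed; key left in place." }

            # Step 3: delete the sub-key that matches the log in the error message.
            $root.DeleteSubKeyTree($Channel)
            Write-Output "Deleted '$Channel'. Restore with: reg import `"$backup`""
        }
    }
    finally {
        $root.Close()
    }
}

# Channel name taken from the post; -WhatIf reports the action without changing anything.
Remove-StaleEventChannel -Channel 'Microsoft-Windows-DxpTaskRingtone/Analytic' -WhatIf
```

Drop `-WhatIf` to perform the export and deletion; the `.reg` file can be re-imported with `reg import` if the channel turns out to be needed.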

Comments
  1. VS Rawat says:

    My event viewer (w8) showing the following:

    Microsoft-Windows-Security-SPP-UX/Analytic
    Microsoft-Windows-Security-Vault/Performance
    Microsoft-Windows-SendTo/Diagnostic

    But none of the three is present in regedit where you mentioned.

    What to do?

    Thanks.

    Rawat
    India

    • Scott says:

      I can see all three of those keys in the location in the blog post. If they aren’t in the registry then they would be appearing in your event viewer as that’s the place event viewer knows them from. Just recheck you are looking in the correct location in the registry.

  2. VS Rawat says:

    I am beginning to wonder whether the 3 missing registry keys are the basic cause of the “channels missing” error.

    Can and how and should I create them in registry to remove this error?

    Thanks again.

    Rawat

    • Scott says:

      A couple of things to check.
      If you expand the event viewer tree for “Applications and Services Logs | Microsoft | Windows” and scroll down, are you able to see those event log entries or get any error messages?
      It sounds like you have had some file corruption at some point. You may be able to repair that by running “sfc /scannow” as an administrator account.
      Alternatively, locate another machine and get a copy of those registry entries.
      Lastly, the only other option I can think of is to right click the “Administrative Events” custom view, select “Copy Custom View…” and create your own version of it. You can then open the properties on that, edit the filter, then select the drop menu beside the list of event logs and find the “bad” entries and untick them. Then just use your own custom Administrative events view when you need it.

  3. Tony G says:

    This was exactly the info I needed. Thanks.
