SYMPTOMS
When you run Windows Event Viewer, you get one of the following error messages if one of the *.evt files is damaged:
The handle is invalid
Dr. Watson Services.exe
Exception: Access Violation (0xc0000005), Address: 0x76e073d4
When you click OK or Cancel on the above error message, you get the following error message:
Event Viewer
Remote Procedure Call failed
The Services.exe process uses a high percentage of CPU time.
CAUSE
The Event Viewer log files (Sysevent.evt, Appevent.evt, and Secevent.evt) are always in use by the system, which prevents them from being deleted or renamed. The EventLog service cannot be stopped because it is needed by other services; therefore the files are always open. This article explains a technique to rename or move these files for troubleshooting purposes.
RESOLUTION
NTFS Partition
1. Click the Start button, click Settings, click Control Panel, and then double-click Services.
2. Choose the EventLog service and click Startup. Change the Startup Type to Disabled, and then click OK. If you are not able to log on to the PC but can access the registry remotely, you can change the Startup value in the following registry key to 0x4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
3. Restart Windows.
4. Rename the corrupt *.evt file in the following location:
%SystemRoot%\System32\Config
5. In the Control Panel Services tool, re-enable the EventLog service by setting it back to the default of Automatic startup, or else change the registry Startup value back to 0x2.
FAT partition (Alternative method)
1. Boot to an MS-DOS prompt using a DOS bootable disk.
2. Rename or move the corrupt *.evt file from the following location:
%SystemRoot%\System32\Config
3. Remove the disk and restart Windows.
When Windows is restarted, the Event Log file is created again.



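Once a suspect *.evt file has been renamed as described above, its header can be checked offline to confirm the damage and to decide whether the file is worth keeping for analysis. This is an added example, not part of the original post; it assumes the documented legacy .evt header layout (twelve little-endian DWORDs, signature "LfLe"), and the function names and sample bytes are constructed for illustration.

```python
import struct
import sys

# ELF_LOGFILE_HEADER of the legacy .evt format: twelve little-endian DWORDs.
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C   # stored on disk as the bytes "LfLe"
FLAG_DIRTY = 0x1         # ELF_LOGFILE_HEADER_DIRTY: log was not closed properly
FLAG_WRAP = 0x2          # ELF_LOGFILE_HEADER_WRAP: records have wrapped around


def check_evt_header(data):
    """Return a list of problems found in the header of an .evt file image."""
    if len(data) < HEADER.size:
        return ["file shorter than the 48-byte header"]
    (hdr_size, sig, major, minor, start, end, _cur_rec, _old_rec,
     _max_size, flags, _retention, end_hdr_size) = HEADER.unpack_from(data)
    problems = []
    if hdr_size != 0x30 or end_hdr_size != 0x30:
        problems.append("header size fields are not 0x30")
    if sig != SIGNATURE:
        problems.append("signature is not 'LfLe'")
    if (major, minor) != (1, 1):
        problems.append("unexpected version %d.%d" % (major, minor))
    if flags & FLAG_DIRTY:
        problems.append("dirty flag set: header offsets may be stale")
    # StartOffset points at the oldest record, EndOffset at the EOF record;
    # both must lie after the header and inside the file.
    for name, off in (("StartOffset", start), ("EndOffset", end)):
        if off < HEADER.size or off >= len(data):
            problems.append("%s 0x%x lies outside the file" % (name, off))
    if not flags & FLAG_WRAP and start > end:
        problems.append("StartOffset is past EndOffset but wrap flag is clear")
    return problems


def build_sample(signature=SIGNATURE, flags=0):
    """Constructed sample: an empty log (header plus 40-byte EOF record)."""
    header = HEADER.pack(0x30, signature, 1, 1, 0x30, 0x30, 1, 0,
                         0x10000, flags, 0, 0x30)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333,
                      0x44444444, 0x30, 0x30, 1, 0, 0x28)
    return header + eof


if __name__ == "__main__":
    # Pass the path of the renamed file; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in check_evt_header(data) or ["header looks consistent"]:
        print(line)
```

An empty result only means the header is consistent; damage inside individual records is not detected by this check.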
Copyright Techfuels