A. If you try to start the Event Log service and get error 1501, unable to open Event log files, this is usually caused by one of two things:

  • The event log files are missing
  • The event log files have the read-only attribute set

The event log files are stored in %systemroot%\system32\config and are named appevent.evt, secevent.evt and sysevent.evt. If any files are missing, try copying them from another machine; if the read-only attribute is set, remove it via Explorer.

It is possible to move the event log files, so to confirm you are looking in the correct place, check these registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\File
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\File
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\File
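
Both checks can be run in one pass against the three registry entries above. The following is an added example, not part of the original answer; it assumes PowerShell 2.0 or later is installed and is run from an elevated prompt, and it only reports, changing nothing.

```powershell
# Added example: diagnostic only, makes no changes to files or registry.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$logs = 'Application', 'Security', 'System'

$results = foreach ($log in $logs) {
    $status = 'OK'
    $path   = $null

    # The File value holds the log path and may contain %SystemRoot%.
    $prop = Get-ItemProperty -Path "$base\$log" -Name File -ErrorAction SilentlyContinue
    if (-not $prop) {
        $status = 'File value not readable in registry'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables($prop.File)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Cause 1 from the list above: the log file is missing.
            $status = 'Log file missing'
        } elseif ((Get-Item -LiteralPath $path -Force).IsReadOnly) {
            # Cause 2 from the list above: read-only attribute is set.
            $status = 'Read-only attribute set'
        }
    }
    New-Object PSObject -Property @{ Log = $log; Path = $path; Status = $status }
}

$results | Format-Table Log, Status, Path -AutoSize
```

Any row whose Status is not OK points to the file or registry value to fix before starting the service again.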