Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

Error message when attempting to start the Windows Event Log Service: "Access denied"

Source: Microsoft Support
Rapid publishing

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom

When you try to start the Windows Event Log service from the Services console on Windows Server 2008, the service fails to start and you receive the following error message:

    Error 5: Access denied

The Task Scheduler and Windows Event Collector services, which depend on the Windows Event Log service, also fail to start.

Cause

This problem occurs if either of the following conditions is true:
  • The built-in security group EventLog does not have permissions on the folder %SystemRoot%\System32\winevt\Logs.
  • The Local Service account does not have the default permissions on the following registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability

Resolution

Restore the default permissions on %SystemRoot%\System32\winevt\logs. The default permissions are:

Authenticated Users - List folder/read data, Read attributes, Read extended attributes, Read permissions
Administrators - Full control
SYSTEM - Full control
EventLog - Full control

Method 1

To restore the default permissions on the folder %SystemRoot%\System32\winevt\logs, follow these steps.
  1. Right-click %SystemRoot%\System32\winevt\logs and select Properties.
  2. Select the Security tab.
  3. Click the Edit button, and then click the Add button in the permissions dialog box.
  4. In the Select Users, Computers, or Groups dialog box, make sure that Built-in security principals is selected under Object Types and that the local computer name is selected as the Location.
  5. Enter the object name as "NT SERVICE\EventLog" (without the quotation marks), and then click OK. This group should have Full control on the folder.
  6. After the EventLog group is added, add the rest of the groups with the permissions listed above.

Method 2

Identify a Windows Server 2008 computer that still has the default permissions, and export them from it.
  1. Click Start, and then type cmd in the Start Search box.
  2. In the search results list, right-click Command Prompt, and then click Run as Administrator.
  3. When you are prompted by User Account Control, click Continue.
  4. Type the command CD %SystemRoot%\SYSTEM32.
  5. Once the working directory has changed to %SystemRoot%\SYSTEM32, type the command icacls winevt\* /save acl /T.
  6. This saves a file named acl in %SystemRoot%\SYSTEM32. Copy this file to the C: drive on the problem computer.
  7. On the problem computer, open a command prompt with administrator privileges (see steps 1-3 above).
  8. Change the working directory to %SystemRoot%\SYSTEM32.
  9. Run the command icacls winevt\ /restore acl.

The default permissions on the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability should be:

CREATOR OWNER - Full control
SYSTEM - Full control
LOCAL SERVICE - Query Value, Set Value, Create Subkey, Notify, and Delete
Administrators - Full control
Users - Read

To set the permissions on this registry key:
  1. Click Start, click Run, and then type regedit.
  2. Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability.
  3. On the Edit menu, click Permissions.
  4. Add the permissions for the accounts as listed above.
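The folder and registry checks that Method 1, Method 2 and the registry steps describe by hand, collected into one script as an added example (this is not Microsoft's code and is not part of the KB article). It compares both ACLs against the default entries listed above, reports which entries are missing, and with -Repair adds them (it never removes anything). The qualified names such as NT AUTHORITY\Authenticated Users and BUILTIN\Administrators are the well-known account names the article's groups resolve to; the generic-rights handling and the extra report of additional identities that can write to the Logs folder are my additions, not something the article states.

```powershell
# Added example, not from the KB article: audit (and optionally repair) the two
# ACLs the article says must hold the default entries. Run from an elevated
# PowerShell prompt. Without -Repair it only reports; with -Repair it ADDS the
# missing entries and removes nothing, so read the report first.
param([switch]$Repair)

$logDir  = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$regKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability'
$FsrType = [System.Security.AccessControl.FileSystemRights]
$RrType  = [System.Security.AccessControl.RegistryRights]
$GENERIC_ALL = 0x10000000   # generic-rights bit seen on inherit-only ACEs (e.g. CREATOR OWNER)

# Expected entries, transcribed from the article's two permission lists.
$expectedDir = @(
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions' -as $FsrType }
    @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl' -as $FsrType }
    @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' -as $FsrType }
    @{ Id = 'NT SERVICE\EventLog';              Rights = 'FullControl' -as $FsrType }
)
$expectedReg = @(
    @{ Id = 'CREATOR OWNER';              Rights = 'FullControl' -as $RrType }
    @{ Id = 'NT AUTHORITY\SYSTEM';        Rights = 'FullControl' -as $RrType }
    @{ Id = 'NT AUTHORITY\LOCAL SERVICE'; Rights = 'QueryValues, SetValue, CreateSubKey, Notify, Delete' -as $RrType }
    @{ Id = 'BUILTIN\Administrators';     Rights = 'FullControl' -as $RrType }
    @{ Id = 'BUILTIN\Users';              Rights = 'ReadKey' -as $RrType }
)

function Test-Grants {
    # True if an existing Allow ACE for $Id already covers every bit in $Rights.
    param($Acl, [string]$Id, [string]$RightsProperty, $Rights)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Id) { continue }
        $have = [int]$ace.$RightsProperty
        if (($have -band $GENERIC_ALL) -ne 0) { return $true }          # generic all == full control
        if (($have -band [int]$Rights) -eq [int]$Rights) { return $true }
    }
    return $false
}

function Get-MissingEntries {
    param($Acl, [array]$Expected, [string]$RightsProperty)
    $Expected | Where-Object { -not (Test-Grants $Acl $_.Id $RightsProperty $_.Rights) }
}

function Get-UnexpectedWriters {
    # Detection side: Allow ACEs on the log folder for identities the default list
    # does not name and that could modify or delete event log files.
    param($Acl, [array]$Expected)
    $known = $Expected | ForEach-Object { $_.Id }
    $writeBits = [int]('WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -as $FsrType)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $known -notcontains $_.IdentityReference.Value -and
        ((([int]$_.FileSystemRights -band $writeBits) -ne 0) -or (([int]$_.FileSystemRights -band $GENERIC_ALL) -ne 0))
    }
}

function Add-MissingEntries {
    param([string]$Path, [array]$Missing, [bool]$IsRegistry)
    if (-not $Missing) { return }
    $acl = Get-Acl -Path $Path
    foreach ($m in $Missing) {
        if ($IsRegistry) {
            # CREATOR OWNER is an inherit-only template entry by default.
            $prop = if ($m.Id -eq 'CREATOR OWNER') { 'InheritOnly' } else { 'None' }
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule($m.Id, $m.Rights, 'ContainerInherit', $prop, 'Allow')
        } else {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($m.Id, $m.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Format-Ids { param([array]$List) if ($List.Count) { ($List | ForEach-Object { $_.Id }) -join ', ' } else { 'none' } }

$dirAcl = Get-Acl -Path $logDir
$regAcl = Get-Acl -Path $regKey
$missingDir = @(Get-MissingEntries $dirAcl $expectedDir 'FileSystemRights')
$missingReg = @(Get-MissingEntries $regAcl $expectedReg 'RegistryRights')
$extra      = @(Get-UnexpectedWriters $dirAcl $expectedDir)

Write-Output "Missing on ${logDir}: $(Format-Ids $missingDir)"
Write-Output "Missing on ${regKey}: $(Format-Ids $missingReg)"
Write-Output "Additional identities with write/delete rights on ${logDir}: $(
    if ($extra.Count) { ($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', ' } else { 'none' })"

if ($Repair) {
    Add-MissingEntries $logDir $missingDir $false
    Add-MissingEntries $regKey $missingReg $true
    Write-Output 'Missing entries added. Start the service with: Start-Service EventLog'
}
```

The script checks by bit mask rather than by exact match, so an entry that grants more than the article's minimum (or an inherit-only generic-rights entry) still counts as present. The last report line is the one worth keeping an eye on after the repair: any identity beyond the four defaults that can write to or delete files in winevt\Logs can alter the event logs themselves, so the same ACL that caused the startup failure is also the control that protects log integrity.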

Disclaimer

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE "MATERIALS") FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

Keywords: KB971256, kbnomt, kbrapidpub

Article Info
Article ID : 971256
Revision : 1
Created on : 5/12/2009
Published on : 5/12/2009
Exists online : False
Views : 347