Windows Event Log

[Black Viper]

Discussion of the Windows Event Log Service located in Windows Vista SP1.

Windows Event Log
Service Information: http://www.blackviper.com/WinVista/Services/Windows_Event_Log.htm

[Revenge282]

I don't know if I am supposed to post here, or in a new thread.  But, my Windows Event Log service won't start.  I try to start it manually, and I get this error:

Code:

Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

I tried to change the log on information manually, but all the fields are disabled.

Any suggestions?

Thanks,
Revenge282

[Black Viper]

What account is it currently using?
You should be able to tell what is checked even though it is grey'd out.

[Revenge282]

It's using the Local System Account.

[Black Viper]

Is this SP1? Did this just start after the installation of SP1?
You cannot change the information for the Windows Event Log service, but you can change the information on the service that is conflicting.

[Revenge282]

It was after SP1, but I think it was fine awhile after I updated.  Anyways, whatever solution you have other than formating, I would love to hear.

[Black Viper]

Format is not an option that I freely give.
The reason I asked about SP1 was I had the same thing happen to me, but with a different service, while I was testing SP1 (beta) on one of my test systems. For some reason, it changed the account that it used and when I swapped it out for the correct one, it fixed it.
You cannot change the behavior of WEL service, but the service that "shares" the same process, you can.
In the WEL service properties, General tab, ensure this:
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Is there.
Now, on my desktop (tweaked), Windows Event Log is sharing a process with the DHCP Client service as well as the Windows Audio Service. Ensure that those are also set to "Local Service" in the logon tab of each.
As a further step, check the following:
On my test system, untweaked (default), I have these services all sharing the same process:
DHCP Client
Security Center
TCP/IP NetBIOS Helper
Windows Audio
Windows Event Log

Ensure that all of those are also on Local Service for logon.

[Revenge282]

All of those are on the Local Service, but the WEL is on Local System.  Should I change all of those to the Local System also?

[Black Viper]

Do you have experience editing the registry? If not, do not try this, but if so...
What you can try is this:
Head to the registry (regedit).

Code:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

Under:

Code:

ObjectName

(Double Click ObjectName to change)
Change it to:

Code:

NT AUTHORITY\LocalService

Also ensure that

Code:

ImagePath

Is

Code:

%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

Hope this helped.

[Revenge282]

I love the registry.

Thanks for the help, I wouldn't have thought of that.