Eventvwr/MMC hangs and is barely usable


Hi All,


I am hoping you can assist with an issue that has been plaguing us for a while. We have one Windows Server 2019 Standard x64 (which is also the DC) where the EventVwr is not working properly. What happens is that it takes a good 2/3 minutes to load the application/security/system logs (the window goes unresponsive), and when they finally load, we can see them and scroll down/up through the logs, but within 5/10 seconds it will happen again, in a never-ending cycle (or until it crashes).


We've already run chkdsk, sfc /scannow and dism; none of those resolved the issue. All Windows and driver/firmware updates have been run and everything is up to date. We booted into safe mode with all non-Microsoft services disabled and the issue persists, indicating an issue at the OS level.


Other than rebuilding the server (we'd rather not), we are running out of options. Has anyone ever run into a similar issue, or does anyone have input on additional steps we can try?




5 Replies

How large are the EVTX files? One or more files may also be corrupt. One option is setting the Windows Event Log (EventLog) service to Disabled, then after restart delete the *.evtx files from C:\Windows\System32\winevt\Logs, then set the Windows Event Log (EventLog) service back to Automatic, then reboot.    
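
Because the Security log on a domain controller is audit evidence, the files can be sized, test-read and copied aside before the delete step described above. This is an added example, not part of the original reply; the backup path `D:\EvtxBackup` is an assumed location, and the script is assumed to run elevated while the EventLog service is still running.

```powershell
# Added example: size, test-read and preserve the EVTX files before deleting them.
$LogDir    = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$BackupDir = 'D:\EvtxBackup'                      # assumption: any volume with free space
$Dest      = Join-Path $BackupDir (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

$report = foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.evtx') {
    # 1. Test-read a few records from both ends of the file to surface read errors.
    $status = 'OK'
    try {
        Get-WinEvent -Path $file.FullName -MaxEvents 5 -ErrorAction Stop | Out-Null
        Get-WinEvent -Path $file.FullName -MaxEvents 5 -Oldest -ErrorAction Stop | Out-Null
    }
    catch {
        # An empty log is reported as an error by Get-WinEvent; treat it separately.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $status = 'Empty' }
        else { $status = "ReadError: $($_.Exception.Message)" }
    }

    # 2. Copy the file aside and hash the copy so it can be verified later.
    $copied = $false
    $hash   = $null
    try {
        $target = Join-Path $Dest $file.Name
        Copy-Item -Path $file.FullName -Destination $target -ErrorAction Stop
        $hash   = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        $copied = $true
    }
    catch {
        Write-Warning "Could not copy $($file.Name): $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Name   = $file.Name
        SizeMB = [math]::Round($file.Length / 1MB, 2)
        Status = $status
        Copied = $copied
        SHA256 = $hash
    }
}

# Largest files first; anything not 'OK' or 'Empty' is a candidate for corruption.
$report | Sort-Object SizeMB -Descending | Format-Table Name, SizeMB, Status, Copied -AutoSize
$report | Export-Csv -Path (Join-Path $Dest 'evtx-report.csv') -NoTypeInformation
$report | Where-Object { $_.Status -like 'ReadError*' } | Select-Object Name, Status
```

The CSV written next to the copies records the SHA256 of each preserved file, so the backup can be checked for changes after the originals are deleted.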




@MickaelM Just checking if there's any progress or updates? Please don't forget to close up the thread here by marking helpful replies.





@Dave Patrick They are not very large, as we reduced the size in order to troubleshoot. I've attempted the steps you've recommended but it's still an issue unfortunately, even with only 100 events under Application logs as an example.


It looks like once the logs load, scrolling down multiple times will eventually cause it to hang again.

OK, if deleting all the EVTX files does not help, then the safest, simplest thing to do is stand up a new one for replacement.

I'd use the dcdiag / repadmin tools to verify health (correcting all errors found) before starting any operations. Then stand up the new one, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer FSMO roles over (optional), transfer the PDC emulator role (optional), and use the dcdiag / repadmin tools to again verify health. When all is good, you can decommission / demote the old one.






@MickaelM Just checking if there's any progress or updates? Please don't forget to close up the thread here by marking helpful replies.