In this article…
What is the Windows Event Log (EventLog) service?
The EventLog service manages event logs — repositories of events generated by services, scheduled tasks and applications working closely with the Windows operating system.
The service’s display name is Windows Event Log and it runs inside the service host process, svchost.exe. By default, the service is set to start automatically when your computer boots:
You can use the Windows Event Viewer to browse the event logs managed by the service. For example, here are some of the records captured in the Windows Security event log:
What happens if I stop EventLog?
You may find it virtually impossible to stop the Windows Event Log service.
That’s because the service supports several important system services. You can see that list on the service’s Dependencies tab:
And because of those dependency relationships, attempting to stop EventLog triggers a “cascade” that causes all dependent services to stop too. Here you can see Windows alerting us of that situation:
But after we clicked “Yes”, Windows failed to stop EventLog and the dependent services! A peculiar error was returned:
We tracked the issue to “Network List Service” (netprofm). That service refused every attempt to stop it, consistently failing with the error above. And since we could not stop “Network List Service”, we could not stop EventLog either.
Is it OK to disable the Windows Event Log service?
No — it’s not safe to disable the Windows Event Log service.
Indeed, in the very description of the service, Microsoft warns:
That advice makes sense because EventLog provides essential support for Windows Services, scheduled tasks, and other background programs. Those components typically run “headless”, without a user interface, and rely on the event logs to record important events.
If the EventLog service stops, those background components will have no way to chronicle their activities. There would be an ominous gap in the operating system’s low-level records.
With that in mind, it’s easy to see why the EventLog service is an alluring target for attackers looking to compromise a system. Once the service has been crippled, vital forensics records may not be captured and intruders could operate with impunity.
If you would like to know more about the Windows Event Log service, or you have a specific problem, please feel free to get in touch. We will do our best to help you!