The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation

Essential Windows Services: EventLog / Windows Event Log

EventLog Service

What is the Windows Event Log (EventLog) service?

The EventLog service manages event logs — repositories of events generated by services, scheduled tasks and applications working closely with the Windows operating system.

The service’s display name is Windows Event Log and it runs inside the service host process, svchost.exe. By default, the service is set to start automatically when your computer boots:

EventLog Windows Service

You can use the Windows Event Viewer to browse the event logs managed by the service. For example, here are some of the records captured in the Windows Security event log:

Event Viewer: Windows Security log

What happens if I stop EventLog?

You may find it virtually impossible to stop the Windows Event Log service.

That’s because the service supports several important system services. You can see that list on the service’s Dependencies tab:

Windows Event Log Dependencies

And because of those dependency relationships, attempting to stop EventLog triggers a “cascade” that causes all dependent services to stop too. Here you can see Windows alerting us of that situation:

EventLog service: Stop dependents

But after we clicked “Yes”, Windows failed to stop EventLog and the dependent services! A peculiar error was returned:

Error stopping the EventLog service

We tracked the issue to “Network List Service” (netprofm). That service refused every attempt to stop it, consistently failing with the error above. And since we could not stop “Network List Service”, we could not stop EventLog either.

Is it OK to disable the Windows Event Log service?

No — it’s not safe to disable the Windows Event Log service.

Indeed, in the very description of the service, Microsoft warns:

 Stopping this service may compromise security and reliability of the system.

That advice makes sense because EventLog provides essential support for Windows Services, scheduled tasks, and other background programs. Those components typically run “headless”, without a user interface, and rely on the event logs to record important events.

If the EventLog service stops, those background components will have no way to chronicle their activities. There would be an ominous gap in the operating system’s low-level records.

With that in mind, it’s easy to see why the EventLog service is an alluring target for attackers looking to compromise a system. Once the service has been crippled, vital forensics records may not be captured and intruders could operate with impunity.

Questions? Problems?

If you would like to know more about the Windows Event Log service, or you have a specific problem, please feel free to get in touch. We will do our best to help you!

Posted in Windows Services | Tagged , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *