Windows Event Log (eventlog) Service Defaults in Windows 7

This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system.

Default Settings

Startup type:Automatic
Display name:Windows Event Log
Service name:eventlog
Service type:share
Error control:normal
Group:Event Log
Object:NT AUTHORITY\LocalService
Path:%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
Registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
Privileges:
  • SeChangeNotifyPrivilege
  • SeImpersonatePrivilege

Default Behavior

Windows Event Log is a Win32 service. In Windows 7 it is starting automatically on the operating system startup. Then the Windows Event Log service is running as NT AUTHORITY\LocalService in a shared process of svchost.exe. Other system components, such as drivers and services, may run in the same process. If Windows Event Log fails to start, Windows 7 attempts to write the failure details into Event Log. Then Windows 7 startup should proceed and the user should be notified that the eventlog service is not running because of the error.

Dependencies

If Windows Event Log is stopped, the following services cannot start:

Restore Default Startup Configuration for Windows Event Log

1. Select your Windows 7 edition and service pack, and then click Download.

2. Save the Win7_eventlog_Service_Startup.cmd file to a local storage device.

3. Run the saved file as an administrator.

4. Restart the computer.

The eventlog service is using the svchost.exe file that is located in the %WinDir%\System32 folder. If the file is changed, damaged or deleted, you can restore its original version from Windows 7 installation media.