Event Log Service Error 4201

Not pointing any fingers but I’m wondering if there can be an issue on Vista x64 & CIS concerning the Event Log Service.
Reason I ask is because last week I saw CIS red flag some etl accesses by ‘system.exe’.
At the time I OK’d the etl writes:-
From D+ log -
2011-03-26 10:00:08 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

I used Event Viewer on 25th, but spent all of the 27th trying to get it to start.
More hours today & still nothing.

Have tried :-

  • Creating new repository
    attrib change
    Altering permissions
    Taking ownership of the log folders
    Deleting RtBackup folder

All I get is Event Log Service Error 4201 the Instance Name Passed Was Not Recognized by a WMI data provider.

If I restart the system after deleting RtBackup in normal mode no new folder is created - this only happens in safe mode.
Event Log Service will start in safe mode every time.

Once I return to normal mode all but

  • are deleted from the folder. ???

Have done full scans with CIS, CCE & SpybotSD - all clean.

I reason that something is preventing Event Log Service from starting or writing it’s required files when the PC is in normal mode…
Both system & svchost have been added to the exclusions list & are also/obviously on the safe-list.
Nothing is recorded in the CIS logs. (I sooooo wish the devs would add a search feature to CIS )

I am at a loss as to what to try next. This is not an uncommon error from Windows, but nothing seems to be fixing it… Maybe I’ll just have to wipe the drive & start-over.

Reason I ask is because last week I saw CIS red flag some etl accesses by 'system.exe'.
Can you show the D+ logs showing this event?

For some reason CIS logs only go back 5 days ??? & I don’t see the intial block msgs that were displayed
this is the earliest instance of the logging-after I’d started giving permissions…


[attachment deleted by admin]

Resolved by installing a new OS…