51

I have an application that has created a number of custom event log sources to help filter its output. How can I delete the custom sources from the machine WITHOUT writing any code as running a quick program using System.Diagnostics.EventLog.Delete is not possible.

I've tried using RegEdit to remove the custom sources from [HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Services\Eventlog] however the application acts as if the logs still exist behind the scenes.

What else am I missing?

Improve this question

4 Answers 4

Reset to default
53

I also think you're in the right place... it's stored in the registry, under the name of the event log. I have a custom event log, under which are multiple event sources.

HKLM\System\CurrentControlSet\Services\Eventlog\LOGNAME\LOGSOURCE1 HKLM\System\CurrentControlSet\Services\Eventlog\LOGNAME\LOGSOURCE2

Those sources have an EventMessageFile key, which is REG_EXPAND_SZ and points to:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll

I think if you delete the Key that is the log source, LOGSOURCE1 in my example, that should be all that's needed.

For what it's worth, I tried it through .NET and that's what it did. However, it does look like each custom event log also has a source of the same name. If you have a custom log, that could affect your ability to clear it. You'd have to delete the log outright, perhaps. Further, if your app has an installer, I can see that the application name also may be registered as a source in the application event log. One more place to clear.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thats got it, deleting the entry under the source key sorted it out. Nice clean event log and the app recreated its sources and uses them correctly. Thanks!
I hate to muck with the registry, but sometimes it's the only way. Sadly you can't effectively enumerate EventSources like you can EventLogs. You can test for the existence, providing a name, but you can't loop through them.
You can get a list of eventlog sources by wildcard with Powershell's Get_ChildItem "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\..." -Name If you fiddle this into a comma separated list in an text-editor, you can use it with the Cmdlet Remove-Eventlog -Source <string[]> to delete multiple event sources at once. Very handy if you want to delete sources with similar names.
Building on what @needfulthing added, you could also enumerate the sources of a given log in Powershell this way: "Get-EventLog -LogName YOURLOGNAMEHERE | Group-Object -Property Source" which gives you the sources (and the counts for event log entries from each). You could then follow the Remove-Eventlog -Source to do the removal.
44

What about using Powershell?

Remove-EventLog -LogName "Custom log name"

Remove-EventLog -Source "Custom source name"
Improve this answer

2 Comments

I don't think this was supported in PowerShell 7 years ago (seems to have been released with v3?) but +1 for a modern solution!
I found it odd that the Remove-EventLog cmdlet is used for this and that you need not specify which Event Log - it removes the Source from all Event Logs. That IS what the docs say: learn.microsoft.com/en-us/powershell/module/…
8

I was able only to delete it by using:

[System.Diagnostics.EventLog]::Delete("WrongNamedEventLog");

in powershell

Improve this answer

2 Comments

you can do that in code too: EventLog.Delete("name")
This worked for me even though Remove-EventLog did not.
3

Perhaps your application is fault-tolerant, meaning that it checks to see if the event log source is already registered and registers the source if it isn't?

If this were the case, your application would re-create the source(s) each time it ran, no matter what you did.

Improve this answer

1 Comment

That could be part of it. The issue we're seeing is that instead of writing to its custom sources it's all getting dumped into the Application log. The source of this bug was fixed and we're just trying to clean down the event log so we can start over fresh.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.