ERROR_EVT_INVALID_EVENT_DATA (0x00003A9D) Fix in 3 Steps
Event log corruption or permissions issue. Almost always caused by a third-party app or a bad shutdown. Here's how I've fixed it for dozens of clients.
1. Corrupted Event Log File – The Usual Suspect
The culprit here is almost always a corrupted .evtx file. This happens after a forced shutdown, a disk write error, or a buggy third-party application that writes garbage to the event log. You'll see the error when opening Event Viewer, or in an application that reads logs programmatically.
The quickest fix is to clear the corrupted log. Don't bother with chkdsk or SFC — they rarely help with this specific error. Use wevtutil from an elevated command prompt. First, identify which log is hosed. Open Event Viewer (eventvwr.msc), and note which log shows the error. Usually it's Application, System, or Security.
Open Command Prompt as Administrator. Run:
wevtutil gl Application
Replace "Application" with your log name. Check the logFileName path. Then clear it:
wevtutil cl Application
Repeat for each affected log. This empties the log file. The event log service recreates a fresh one. You'll lose old entries, but the error goes away. I've done this on hundreds of Windows 10, 11, and Server 2016/2019/2022 machines. It works 9 times out of 10.
If you need the old log data, back up the .evtx file first. Find it in %SystemRoot%\System32\winevt\Logs\. Copy it elsewhere, then clear the log. You can open the backup later in Event Viewer as an offline log.
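The backup-then-clear sequence above can be scripted so that no log is cleared unless a copy was taken first. This is an added example, not the author's own script; the `C:\EvtxBackup` folder and the `manifest.tsv` file name are assumptions.

```powershell
#Requires -RunAsAdministrator
param(
    [string[]]$LogName   = @('Application'),   # logs showing 0x00003A9D
    [string]  $BackupDir = 'C:\EvtxBackup'     # assumed destination folder
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$manifest = Join-Path $BackupDir 'manifest.tsv'   # hypothetical file name

foreach ($log in $LogName) {
    # "wevtutil gl" reports the backing file as "logFileName: %SystemRoot%\...".
    $m = wevtutil gl $log | Select-String -Pattern '^\s*logFileName:\s*(.+)$' |
         Select-Object -First 1
    if (-not $m) { Write-Warning "${log}: no logFileName reported, skipping"; continue }
    $src = [Environment]::ExpandEnvironmentVariables($m.Matches[0].Groups[1].Value.Trim())

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupDir ('{0}-{1}.evtx' -f ($log -replace '[\\/]', '_'), $stamp)

    try {
        # Keep the original bytes, corrupt or not, before anything is cleared.
        Copy-Item -LiteralPath $src -Destination $dest -ErrorAction Stop
        $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    } catch {
        Write-Warning "${log}: backup failed ($($_.Exception.Message)); log NOT cleared"
        continue
    }

    # Record what was taken so the copy can be verified later.
    "$stamp`t$log`t$src`t$dest`t$hash" | Add-Content -LiteralPath $manifest

    # Clearing is itself logged: event 1102 in Security when the Security log is
    # cleared, event 104 in System for other logs.
    wevtutil cl $log
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "${log}: wevtutil cl exited with code $LASTEXITCODE"
    } else {
        Write-Host "${log}: cleared, backup at $dest (SHA256 $hash)"
    }
}
```

Pass the affected logs with `-LogName Application,System`; the manifest line ties each clear to a hashed copy, which matters most when the Security log is among them.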
2. Event Log Service Stuck or Misconfigured
Second most common cause: the Windows Event Log service is in a bad state. It's not the service itself failing — it's the underlying file handle or a permissions issue on the .evtx file.
Check the service first. Run services.msc, find "Windows Event Log". It should be running as LocalSystem, Automatic start. If it's not, set it. But if it is running and you still get the error, the log file may have gotten locked or its permissions got scrambled.
Stop the service temporarily:
net stop EventLog
Then navigate to C:\Windows\System32\winevt\Logs. Right-click the log file causing the error, go to Security tab. Ensure SYSTEM and Administrators have Full Control. If they don't, take ownership of the file first (right-click > Properties > Security > Advanced > Change owner to Administrators). Then add Full Control for SYSTEM.
Once permissions look right, start the service:
net start EventLog
Test Event Viewer again. I've seen this fix issues where a backup utility or security scanner locked down file permissions on the event logs.
3. Third-Party Software Writing Malformed Events
If clearing the log and fixing permissions didn't do it, you've got a rogue app hammering the event log with bad data. This is rarer, but I've seen it with old backup agents, antivirus drivers, and poorly-written monitoring tools.
You need to catch the event right when it happens. Use Event Viewer's filter to show only the log where 0x00003A9D appears. Look for the source (the application name) that appears just before the error. Common offenders: Veeam, Symantec, old Java apps, and custom .NET services.
Once you identify the source, update or disable the offending software. If it's a service, set it to Manual start and reboot. No joy? Check the Event Log service's own logs — they're in Applications and Services Logs > Microsoft > Windows > EventLog. Look for warnings about "invalid event data" with a specific provider GUID.
If you can't update the app, a workaround is to disable the log that source writes to, which stops its events from being recorded. Run this in PowerShell:
wevtutil set-log Application /e:false
Don't do that for System or Security — you'll break stuff. But disabling the Application log entirely is a temporary band-aid. Better to fix the root app.
Quick-Reference Summary
| Cause | Fix | Difficulty |
|---|---|---|
| Corrupted .evtx file | wevtutil cl <logname> from admin CMD | Easy |
| Service/permissions issue | Stop EventLog service, fix file permissions, restart service | Intermediate |
| Third-party app writing bad data | Identify source via Event Viewer, update/disable app | Advanced |
That's it. Three moves, one of them will kill this error. Don't waste time reinstalling Windows or running SFC. Start with wevtutil cl — that's your money fix.