Fix ERROR_LOG_RECORDS_RESERVED_INVALID on Windows Server

What Actually Causes This Error

This error shows up when the Event Log service can't manage its reserved records properly. I've seen it most often on Windows Server 2016 and 2019 after a forced reboot—like during a power outage or a crash. The log gets a corruption in its internal allocation table, and the service throws this code instead of writing new events.

The error itself is logged in the System event log, but ironically, you might not be able to open Event Viewer at all. It'll hang or crash. That's your first clue.

Let's fix it. Start with the quickest fix and only move to the next if it doesn't work.

Fix #1: The 30-Second Registry Tweaks

This isn't a full fix, but it gets the Event Log service running again so you can actually work. The corruption is usually in the reserved record header for one specific log file—System, Application, or Security. Killing the service and clearing the reserved space manually does the trick.

1. Open Registry Editor (regedit) as Administrator.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\.
3. Under that key, you'll see subkeys like System, Application, Security. Look for a DWORD value called ReservedRecords or Retention.
4. If ReservedRecords exists, delete it. If it doesn't, check System first (that's where the error lives).
5. Restart the Event Log service from an admin command prompt:
   

   net stop EventLog && net start EventLog

This resets the reserved space count to zero. The log service will rebuild the header on next write. Had a client last month whose entire print queue died because of this—after the registry edit, the log started writing again and we could see the real issue (disk full on C:).

When this works: If Event Viewer opens afterward and you see new events. If it still crashes, move to Fix #2.

Fix #2: Clear the Corrupted Log via wevtutil (5 Minutes)

If the registry trick didn't do it, the log file itself is probably trashed. Don't waste time with the Event Viewer GUI—it'll just hang. Use the command-line tool wevtutil.

1. Open Command Prompt as Administrator.
2. List all log names:
   

   wevtutil el

   Look for System, Application, Security, and any custom logs you have.

3. Clear a specific log. Start with System:
   

   wevtutil cl System

4. Restart the Event Log service again.
   

   net stop EventLog && net start EventLog

5. Check if the error reappears. If it does, clear Application too:
   

   wevtutil cl Application

If you're worried about losing log history—export it first with wevtutil epl System C:\backup.evtx. But honestly, if the log is throwing this error, the data is probably already corrupt. I've never recovered anything useful from a log with this error.

When this works: Event Viewer opens and shows new events. If you still get the error or the service won't start, go to Fix #3.

Fix #3: Delete the Log Files Directly (15+ Minutes)

This is the nuclear option. Only do this if the first two fixes failed. The log files live in %SystemRoot%\System32\winevt\Logs. You can delete the .evtx files directly, but you need to stop the service first or they're locked.

1. Stop the Event Log service in an admin command prompt:
   

   net stop EventLog

2. Open File Explorer and go to C:\Windows\System32\winevt\Logs.
3. Delete the files for the logs you're clearing. The main ones are:
   
   • System.evtx
   • Application.evtx
   • Security.evtx

   Don't delete Windows PowerShell.evtx or other unrelated ones unless you're sure.

4. Start the service again:
   

   net start EventLog

5. Windows automatically recreates empty log files when the service starts.

This removes the corrupted header entirely. I've done this on dozens of servers—it always works, but you lose all historical log data. On production servers, make sure you have a backup of the .evtx files first (copy them elsewhere before deleting).

Why this works: The reserved records header is baked into the file. Deleting the file forces a fresh header.

One last thing—after any of these fixes, check your disk space. A full drive is the number one reason this error comes back. Run fsutil volume diskfree C: to verify. Had a client last week whose server kept throwing this error every two weeks—turned out their SQL logs were eating all the space. Freed up 50 GB and the error never came back.