Fix Event Log File Changed Error 0xC0000197 Fast

Windows Errors | Intermediate | May 27, 2026

This Windows error means the event log file changed while being read. It is usually caused by antivirus, log rotation, or corruption. Quick fix: stop the Event Log service and delete the log file.

Quick Answer for Advanced Users

Stop the Event Log service (net stop eventlog as admin), delete or rename the corrupt log files in C:\Windows\System32\winevt\Logs (usually Application.evtx or System.evtx), then restart the service. That's it.

Why This Happens

I've seen this error pop up on everything from old Windows 7 boxes to Server 2019 domain controllers. The error 0xC0000197 literally means the event log file changed between reads. Most of the time it's because an antivirus scanned the file mid-read and locked it, or because Windows log rotation kicked in while the Event Viewer was trying to display entries. Last month, I had a client whose backup software kept triggering this on a Server 2016 box because it was taking snapshots of the event logs without proper locks. Corruption is another suspect—if the log file has a bad header or truncated data, the Event Log service just chokes.

The fix is straightforward, but you need to know which file is the culprit. Here's how to nail it down.

Fix Steps

  1. Identify the problem log. Open Event Viewer (eventvwr.msc). If you get the error immediately, look at the error message details—it usually says something like "The log file for Application has changed between reads." That tells you the file is Application.evtx. If it's System, it's System.evtx. Write down the log name.
  2. Stop the Event Log service. Open Command Prompt as Administrator and run:
    net stop eventlog
    Wait for it to stop. It might take a few seconds. If it hangs, use taskkill /f /fi "services eq eventlog"—but that's rare.
  3. Delete or rename the corrupt log file. Navigate to C:\Windows\System32\winevt\Logs. Find the file you identified (like Application.evtx, System.evtx, or Security.evtx). Rename it to something like Application.old.evtx. Don't delete it permanently until you're sure the fix works. If you're on a domain controller, be careful: the Security log might have audit data you need, so rename that file rather than deleting it and recover the data from it later.
  4. Start the Event Log service. In the same Command Prompt, run:
    net start eventlog
    Open Event Viewer again. It should create a fresh log file automatically. The error should be gone.
  5. Test it. Generate a test event (like opening a document or running eventcreate /ID 100 /L Application /T INFORMATION /SO test /D test) to confirm logging works.
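
Steps 2 through 5 as one elevated PowerShell script. This is an added example, not part of the original article. The timestamp suffix, the .sha256 sidecar file and the restart of dependent services are assumptions added here, and the script is limited to Application and System because eventcreate only writes to those two logs.

```powershell
#Requires -RunAsAdministrator
# Added example: rename (not delete) the stuck log, record its hash, restart logging, verify.
# Assumptions: timestamped ".old" name, ".sha256" sidecar file, Application/System only.
param(
    [ValidateSet('Application', 'System')]
    [string]$LogName = 'Application'
)
$ErrorActionPreference = 'Stop'

$logDir  = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$logFile = Join-Path $logDir "$LogName.evtx"
$kept    = Join-Path $logDir ("{0}.old.{1}.evtx" -f $LogName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
if (-not (Test-Path -LiteralPath $logFile)) { throw "Log file not found: $logFile" }

# Remember which dependent services are running so they can be restarted afterwards.
$dependents = (Get-Service -Name EventLog).DependentServices |
    Where-Object Status -eq 'Running'

Stop-Service -Name EventLog -Force        # -Force also stops the dependents
try {
    # Rename instead of delete: the old records stay available for later review.
    Rename-Item -LiteralPath $logFile -NewName (Split-Path $kept -Leaf)
    # Record a hash so the preserved file can later be shown to be unmodified.
    $hash = Get-FileHash -LiteralPath $kept -Algorithm SHA256
    "{0}  {1}" -f $hash.Hash, $kept | Out-File -FilePath "$kept.sha256" -Encoding ascii
}
finally {
    # Always bring logging back, even if the rename failed.
    Start-Service -Name EventLog
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name -ErrorAction Continue }
}

# Step 5 from the article: write a test event and confirm it lands in the fresh log.
$start = Get-Date
eventcreate /ID 100 /L $LogName /T INFORMATION /SO test /D test | Out-Null
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 100; StartTime = $start } `
        -ErrorAction SilentlyContinue | Where-Object ProviderName -eq 'test'
if ($hit) { "OK: $LogName is logging again; previous log kept at $kept" }
else      { Write-Warning "Test event not found in $LogName; check the Event Log service." }
```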

Alternative Fixes if That Doesn't Work

If the above fails, try these in order:

  • Disable real-time antivirus scanning of event log files. I've seen McAfee and Defender both lock .evtx files. Add an exclusion for C:\Windows\System32\winevt\Logs\*.evtx in your AV. Restart the Event Log service.
  • Repair the log file with PowerShell. Run as admin: wevtutil al Application.evtx. This archives the log and clears corruption. Then run wevtutil cl Application to clear it. This sometimes works without needing to delete the file.
  • Check for corrupt system files. Run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth in that order. Rare, but a corrupt OS file can cause the Event Log service to misread logs.
  • Re-register the Event Log DLLs. In an elevated command prompt: regsvr32 wevtsvc.dll and regsvr32 wevtapi.dll. Restart the service.

Prevention Tips

Once you fix it, don't let it come back. Here's what works from real-world experience:

  • Set a max log size and enable auto-archiving. In Event Viewer, right-click the log, go to Properties, set a reasonable max size (like 20 MB for desktops, 100 MB for servers), and check "Archive the log when full, do not overwrite events." This prevents log corruption from forced overwrites.
  • Exclude .evtx files from antivirus scanning. Do this now, before the next scan cycle. It's the #1 cause I see.
  • Don't let backup software copy open event logs. Use Volume Shadow Copy (VSS) or a backup agent that knows how to handle open files. Had a client last month whose backup software was pulling open logs and causing this error daily. Switched to VSS-aware backup—problem gone.
  • Monitor for disk issues. Run chkdsk /f on the system drive if you see frequent log corruption. Failing drives can corrupt .evtx files silently.

That's it. Most people fix this in under 10 minutes once they know which log file is stuck. If you're still stuck after these steps, check the Application log (if you can open it) for Event ID 1101—that's the log service complaining about a specific log file.