Fix STATUS_LOG_CANT_DELETE (0XC01A0011) on Server Logs
This error means Windows can't delete a log file—usually because another process has it locked or the container's full. Here's the quick fix.
Yeah, this error's a pain. You're trying to clean up logs on your server, and Windows just tells you it can't delete the file. The error code STATUS_LOG_CANT_DELETE (0XC01A0011) usually means the log service (or something else) has a lock on the file, or the file system container is full. Let's fix it.
The Fix: Find and Release the Lock
90% of the time, this is a locked handle. A process—often the log service itself or an antivirus scan—has the file open. Here's what to do:
- Find the log file path. Check the event viewer or the application throwing the error. It's usually in
C:\Windows\System32\winevt\Logs\or a custom application log path.
Example:C:\Windows\System32\winevt\Logs\Application.evtx - Use Sysinternals Handle or Process Explorer. Download from Microsoft's site. Run
handle.exe -a "from an elevated command prompt. If it shows a process ID, you've found the culprit." - Kill or stop the process. If it's a service like
EventLog, stop it withnet stop EventLog. For other processes, note the PID and usetaskkill /PID. Had a client last month whose backup software held a lock on a log file for hours—killed that process, error gone./F - Delete the log file manually. Once released, delete it from Explorer or command line:
del ". Then restart any services you stopped."
Alternative if the file's corrupted: Sometimes the log container itself is messed up. Use wevtutil cl to clear it—e.g., wevtutil cl Application. This doesn't delete the file; it clears the entries. If that fails, the file's likely locked.
Why This Works
The error STATUS_LOG_CANT_DELETE is part of the Common Log File System (CLFS) in Windows. CLFS uses containers (files) to store records. When you try to delete one, the system checks if any open handles exist. If a handle's open—even from a crashed service or a hung thread—the deletion fails. Releasing the handle or stopping the locking process lets the file go.
The container-full case is rarer but real. CLFS containers have a size limit (usually 256KB or 1MB depending on config). If the container is completely full and the log service can't write a delete marker, the deletion fails. In that case, you often see other errors like STATUS_LOG_FULL alongside it. But the handle lock is the main culprit.
Less Common Variations
Here are a few edge cases I've run into:
- Antivirus scanning in real-time. Symantec Endpoint Protection once locked a log file for 20 minutes during a deep scan. Disable real-time scanning temporarily, delete the file, then re-enable.
- Windows Search indexing. The indexer sometimes grabs log files. Stop the
WSearchservice, delete, restart. - Volume Shadow Copy (VSS) snapshots. If a VSS snapshot contains the log file, you can't delete it. Delete old snapshots with
vssadmin delete shadows /for=C: /oldestfirst. - Registry permissions. Rare, but the log service might lack delete permission on the file's registry key (under
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\). Check permissions withregedit.
Prevention
Stop this from happening again:
- Set log size limits. In Event Viewer, right-click a log, go to Properties, and set a max size (e.g., 20MB). Enable "Overwrite events as needed" so old logs auto-delete.
- Schedule a log rotation script. Use PowerShell to clear logs on a cron job. Example:
wevtutil cl Application
Run it weekly via Task Scheduler. - Monitor handle usage. If a specific app keeps locking logs, update or reinstall it. I had a database backup tool that locked logs every night—switched to a different tool.
- Check disk space. A full disk can cause container issues. Keep at least 10% free on the system drive.
That's it. No magic—just find the lock or fix the container. You'll have those logs deleted in minutes.
Was this solution helpful?