Today I had an interesting challenge. I was working on an english retail Windows Server 2008 x64, that was configured as a Domain Controller, running DNS and DHCP.

It was still running SP1 and I wanted to upgrade it to SP2, which did not work using the separate download, but it worked using Microsoft Update!

SP2 installed successfully and it took a while for me to figure out that some services were not running afterwards. Those services included DNS, DHCP and… Windows Event Log. I tried to start the Windows Event Log service, but it would fail with a strange error about the service account not being the same as it used to be or so. Uninstalling SP2 didn’t solve the problem, nor did Google have a solution for me.

I checked the Services and saw the following line:

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

The options on the Log On tab were all disabled (grayed out), but the radio button was set to Local System account, which was interesting, because the Path to executable referred to the LocalServiceNetworkRestricted account.

I decided to try my luck and I started REGEDIT on the server, looked up the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

There was an ObjectName which held a REG_SZ value of LocalSystem and I decided to change it to NT AUTHORITY\LocalService

It worked! The Windows Event Log service started without any complaints and so did the DNS and DHCP. My server was safe and I was happy!