Some important event viewer logs completely cleared. No clue why

There was either a power loss, or a system restart this morning, around 11:30-ish eastern. (I'm not sure which)

When I got to my computer at almost 1:30p, it was sitting on the lock screen. I logged in, and my apps started. Out of curiosity, I checked the event viewer, looking for the real reason, and found that two logs were completely cleared

Application, and System logs were completely cleared. New log entries begin at the time I logged in. The reason for the restart isn't important. What bothers me is that these logs have been cleared, and I didn't clear them.

What I've tried:

* chkdsk on drive C (No issues)
* sfc /scannow (No issues)
* Antivirus scan (Comodo, no issues)
* Malware scan (Malwarebytes, no issues)
* Checked startup tab in task manager (No new apps)
* Checked processes tab in Task manager (No unrecognized apps)
* Checked Add/Remove in Control Panel (No unrecognized apps)
* Checked update history (No Windows updates installed in the last week)

At this point, I'm at a loss of what to check, so any ideas would be really helpful. If you need more info, just ask.

Hello @jasoncollege24,

I noticed that you have NOT had ANY replies so I thought that I would try and help.

You might be able to get some answers by running the following which will check the Reliability History for entries covering the problem time[s] . . .

> How to View Reliability History in Windows 10

I hope this helps.

Thanks for the reply. Reliability history showed nothing at the time of the restart on the day I originally posted. This happened again today, but this one was definitely after a crash. (Reliability history claims there was a hardware problem. Tracking it down is why I need the logs to be kept)

After restarting my computer from the crash, I checked the logs, and yet again, all of the same logs were wiped clean on startup.

I've had Comodo antivirus from the day I installed Windows. This started happening within the last month at most. Windows was installed back in September 2020.

As a test, I did a random reboot, and noticed it happens on each boot, with an event ID of 104 (Log CLEAR) for each of the two cleared logs.

This looks like it could possibly be some kind of infection, so I'm going through a number of malware scans.

Jason,

jasoncollege24 said:

This looks like it could possibly be some kind of infection …

It would be a novel type of malware, one that disrupts something that the majority of users would never know about.

jasoncollege24 said:

… an event ID of 104 (Log CLEAR) for each of the two cleared logs.

Set EventID 104 to run a task, something simple like running TaskList. Then you can see the moment that it happens and look at Task mgr to see what's running.
- Set EventID 104 up as a Custom view then use the Action Attach task to this Custom view
- The results are likely to be inconclusive so save your TaskList output to a text file to use as a comparison with the next set of results.

I also think you might find useful guidance in the Events just before EventID 104. I run NirSoft's FullEventLogView because that makes it easy to see everything in chronological order enabling the events before & after the event of interest to be considered

Best of luck,
Denis

event 104 happens before I see the desktop. I did a little checking with ProcMan, and found the PID was from svchost, but the thread ID wasn't running.

Added to troubleshooting were the following:

* Comodo AV scan again
* Uninstalled Comodo
* MBAM scan again
* Uninstalled all listed PuPs from MBAM
* Uninstalled a few other programs (Optimizers/Cleaners)
* rkill, immediately followed by another MBAM scan
* SUPERAntiSpyware scan (Found one item in a rarely used storage location. Didn't resolve the issue, so probably wasn't the cause.)
* CCleaner - Found scheduled tasks run by PCIEBus, and PCIEBusQueue, set to clear the logs at every logon.

This issue is resolved. Tasks listed above claimed to be authored by me. I removed the scheduled tasks.

Thanks for the help.