Event logger won’t start: error 2 The system cannot find the file specified, Windows server 2008R2

NOTE: this is a "spawn" of a previous post which dealt with 2 different issues and became too lengthy, so I decided to clean the original question and post this issue in a separate question

When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:

C:\Users\Administrator>net start eventlog
The Windows Event Log service is starting.
The Windows Event Log service could not be started.

A system error has occurred.

System error 2 has occurred.

The system cannot find the file specified.

I tried the following advice I from here:

1. restarted the OS (virtual on the host's VMWare).
2. re-checked the settings in services menu -they are like in the link.
3. checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog – the identity is NT AUTHORITY\LocalService
4. gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
5. ran fc /scannow – Windows Resource Protection did not find any integrity violations.
6. went to the file %windir%\logs\cbs\cbs.log – all clean, [SR] Repairing 0 components

EDIT: Uninstalled the recent system updates and rebooted – didn't help

EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):

1. filters:

   process name is svchost.exe : include
   operation contains TCP : exclude
   

   the events captured are:

   21:50:33.8105780    svchost.exe 772 Thread Create       SUCCESS Thread ID: 6088
   21:50:33.8108848    svchost.exe 772 RegOpenKey  HKLM    SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
   21:50:33.8109134    svchost.exe 772 RegQueryKey HKLM    SUCCESS Query: HandleTags, HandleTags: 0x0
   21:50:33.8109302    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\Services  REPARSE Desired Access: Read
   21:50:33.8109497    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\Services  SUCCESS Desired Access: Read
   21:50:33.8110051    svchost.exe 772 RegCloseKey HKLM    SUCCESS 
   21:50:33.8110423    svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services  SUCCESS Query: HandleTags, HandleTags: 0x0
   21:50:33.8110705    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
   21:50:33.8110923    svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
   21:50:33.8111257    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\services\eventlog\Parameters  SUCCESS Desired Access: Read
   21:50:33.8111547    svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services  SUCCESS 
   21:50:33.8111752    svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS 
   21:50:33.8111901    svchost.exe 772 RegQueryValue   HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll   SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
   21:50:33.8112148    svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters  SUCCESS 
   21:50:33.8116552    svchost.exe 772 Thread Exit     SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
   

   NOTE: previoulsy, for

   21:46:31.6130476    svchost.exe 772 RegQueryValue   HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll   SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
   

   I also got NAME NOT FOUND error ,so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is

   21:46:31.6130476    svchost.exe 772 RegQueryValue   HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll   SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
   

   I also checked for the presence of wevtsvc.dll in the place and it's there.

2. Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:

   21:38:38.9185226    services.exe    492 RegQueryValue   HKLM\System\CurrentControlSet\services\EventSystem\Tag  NAME NOT FOUND  Length: 16
   21:38:38.9185513    services.exe    492 RegQueryValue   HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup    NAME NOT FOUND  Length: 268
   21:38:38.9185938    services.exe    492 RegQueryValue   HKLM\System\CurrentControlSet\services\EventSystem\Group    NAME NOT FOUND  Length: 268
   

3. Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file ih the time I try to start the event logger (if run from cmd – there are several hits by net executable, not present if run from the panel).

EDIT: the event logging stopped working on 04/May/2014 at 03:15.

The only change that day was security update 2964444 – Security Update for Internet Explorer 11 for Windows Server 2008 R2for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine…

What can be done?