I have created an image of hard disk using FTK imager. I want to extract the windows event logs. The system was running windows 7. What should I do?
- Extract all .evt files from `C:\Windows\system32\winevt\logs`. – Adi Mar 26 '16 at 09:25
- This is the answer. Waiting for what? – elsadek Mar 26 '16 at 14:31
2 Answers
Windows event logs are stored in the following locations by default:

- 2000, XP and 2003: `C:\Windows\system32\config`
- Vista+: `C:\Windows\system32\winevt\logs`

Event and parameter message templates

The event and parameter message templates specific to each type of log are stored in DLLs (so you can interpret the messages and parameters in context for each log), and their location is stored in the Eventlog key in the Registry, located at:

`HKLM\SYSTEM\CurrentControlSet\services\Eventlog`

You can also use this key to validate that the event logs are being stored in their default location, since an administrator can change this (such changes will be reflected within this key's sub-path).

"Dirty" evt logs

When copying event logs off of a live system, the older *.evt logs (2000, XP and 2003) have a file status byte that can sometimes prevent reading the logs in standard viewers when it is an odd value. Fixing the logs is well documented, and there used to be a tool called fixevt.exe that made this easier, but I don't know of a reliable download source, so I'll leave this exercise to the reader to find it (the site where it used to be located indicates the hosting provider account was suspended).
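Added example, not part of this answer or of any tool it mentions: a Python script that reads the header of a log file copied out of the mounted image and reports whether the dirty status flag is set, for both the legacy .evt format the answer describes and the .evtx format a Windows 7 image will actually contain; for .evtx it also verifies the header CRC32. The sample header it builds is constructed for the demonstration, not taken from a real system.

```python
import struct
import zlib

# Flag bits of the legacy EVENTLOGHEADER (2000/XP/2003 *.evt) and of the
# Vista+ *.evtx file header, taken from the public format documentation.
EVT_DIRTY, EVT_WRAP = 0x0001, 0x0002
EVTX_DIRTY, EVTX_FULL = 0x0001, 0x0002


def inspect_log_header(data: bytes) -> dict:
    """Identify an event log by its header bytes and report its status flags.
    Works on a copy read from the mounted image; the evidence file is never written."""
    if len(data) >= 48 and data[4:8] == b"LfLe":
        # Legacy .evt header: twelve little-endian DWORDs, Flags is the tenth.
        fields = struct.unpack("<12I", data[:48])
        flags = fields[9]
        return {
            "format": "evt",
            "dirty": bool(flags & EVT_DIRTY),  # the "odd status value" case
            "wrapped": bool(flags & EVT_WRAP),
            "oldest_record": fields[7],
            "next_record": fields[6],
            "checksum_ok": None,  # .evt headers carry no CRC
        }
    if len(data) >= 128 and data[:8] == b"ElfFile\x00":
        # Vista+ .evtx header: chunk numbers at offset 8, flags at 120,
        # CRC32 of the first 120 header bytes stored at 124.
        first_chunk, last_chunk, next_rec = struct.unpack_from("<QQQ", data, 8)
        flags, crc = struct.unpack_from("<II", data, 120)
        return {
            "format": "evtx",
            "dirty": bool(flags & EVTX_DIRTY),
            "full": bool(flags & EVTX_FULL),
            "chunks": last_chunk - first_chunk + 1,
            "next_record": next_rec,
            "checksum_ok": (zlib.crc32(data[:120]) & 0xFFFFFFFF) == crc,
        }
    return {"format": "unknown"}


def build_evtx_header(dirty: bool) -> bytes:
    """Constructed sample .evtx header (not from a real log) so the script runs offline."""
    hdr = bytearray(128)
    hdr[:8] = b"ElfFile\x00"
    struct.pack_into("<QQQ", hdr, 8, 0, 3, 512)              # chunks 0..3, next record id 512
    struct.pack_into("<IHHHH", hdr, 32, 128, 1, 3, 4096, 4)  # header size, v3.1, block size, chunks
    struct.pack_into("<I", hdr, 120, EVTX_DIRTY if dirty else 0)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])) & 0xFFFFFFFF)
    return bytes(hdr)
```

A dirty .evtx header on a copy taken from a live system is expected and is cleared when the file is opened in Event Viewer; a failing CRC on a file copied from an image points at an incomplete or corrupted copy rather than at the log itself.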
1. Go to Start and type cmd.
2. Type regedit in the Open box and press Enter.
3. Locate and click the following registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog`
4. Click the subkey that represents the event log that you want to move, for example, click Application.
5. In the right pane, double-click File.
6. Type the complete path to the new location (including the log file name) in the Value data box, and then press Enter. For example, if you want to move the application log (Appevent.evt) to the Eventlogs folder on the E drive, type `e:\eventlogs\appevent.evt`.
7. Repeat steps 4 through 6 for each log file that you want to move.
8. Click Exit on the Registry menu.
9. Restart the computer.