Is it possible to access the Windows event log if the system is unbootable?

6

0

If an installation of Windows is unbootable, is it possible to access the event log from a Linux LiveCD?

Macha

Posted 2009-11-28T13:07:06.260

Reputation: 4 772

Answers

9

It is possible if you are running Vista or newer. The event log data is now written to an XML file in %SystemRoot%\System32\winevt\Logs\.

Previous versions of Windows wrote the log in an undocumented binary format. This web page tries to describe that format.

GrokEVT, which is mentioned on that page, is a collection of scripts built for reading Windows NT/2000/XP/2003 event log files. GrokEVT is released under the GNU GPL, and is implemented in Python.

The default locations of the logs are:

  • %SystemRoot%\System32\Config\SysEvent.Evt (System Log)
  • %SystemRoot%\System32\Config\AppEvent.Evt (Application log)
  • %SystemRoot%\System32\Config\SecEvent.Evt (Security Log)

Benjamin Schollnick

Posted 2009-11-28T13:07:06.260

Reputation: 4 313

1 – Windows 7/Vista XML event files stored in: %SystemRoot%\System32\winevt\Logs\ – Umber Ferrule – 2010-06-30T16:57:37.963

Vista and later use the EVTX format, not EVT. And the raw EVTX file is definitely not an xml file. Try opening it with any text editor and see – phuclv – 2019-06-02T03:27:16.300

Where is this XML file stored? – Macha – 2009-11-29T13:55:12.583
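The accepted answer and the comments under it disagree about whether the file in winevt\Logs is XML. An added example (not from the original post or from GrokEVT) of what a Linux LiveCD user actually finds there: a small Python script that inspects the first bytes of a log file, distinguishes the legacy `.evt` header (signature `LfLe` at offset 4) from the Vista+ `.evtx` header (`ElfFile` at offset 0), and walks the EVTX chunk and record headers to count records and recover their ids and timestamps. The field offsets follow the publicly documented EVT/EVTX layouts and are stated here as assumptions; the sample file is constructed in `build_sample_evtx()` and is not a real log.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Magic values and sizes of the two on-disk formats (assumed from the public EVT/EVTX descriptions).
EVT_MAGIC = b"LfLe"                 # legacy .evt header, at offset 4 (NT/2000/XP/2003)
EVTX_MAGIC = b"ElfFile\x00"         # Vista+ .evtx file header, at offset 0
CHUNK_MAGIC = b"ElfChnk\x00"        # every 64 KiB chunk starts with this
RECORD_MAGIC = b"\x2a\x2a\x00\x00"  # every event record starts with "**\0\0"
FILE_HEADER_SIZE = 4096
CHUNK_SIZE = 65536
CHUNK_HEADER_SIZE = 512             # 128-byte header plus string/template offset tables
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def identify_log(data: bytes) -> str:
    """Return 'evtx', 'evt', 'xml' or 'unknown' from the first bytes of a file."""
    if data.startswith(EVTX_MAGIC):
        return "evtx"
    if data[4:8] == EVT_MAGIC:
        return "evt"
    if data.lstrip().startswith(b"<?xml"):
        return "xml"  # only a log *exported* by Event Viewer is XML; the raw file never is
    return "unknown"


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_evtx(data: bytes) -> dict:
    """Decode the EVTX file header, each chunk header and each record header.

    The BinXML event body is skipped; the fixed headers are enough to count
    records and recover record ids and timestamps offline.
    """
    if not data.startswith(EVTX_MAGIC):
        raise ValueError("not an EVTX file")
    (first_chunk, last_chunk, next_record_id, header_size,
     minor, major, block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", data, 8)
    records = []
    for i in range(chunk_count):
        base = FILE_HEADER_SIZE + i * CHUNK_SIZE
        chunk = data[base:base + CHUNK_SIZE]
        if not chunk.startswith(CHUNK_MAGIC):
            raise ValueError(f"chunk {i} has a bad magic; file is truncated or damaged")
        free_space_offset = struct.unpack_from("<I", chunk, 48)[0]  # end of used record area
        pos = CHUNK_HEADER_SIZE
        while pos + 24 <= free_space_offset and chunk[pos:pos + 4] == RECORD_MAGIC:
            size, record_id, filetime = struct.unpack_from("<IQQ", chunk, pos + 4)
            records.append({"id": record_id,
                            "time": filetime_to_datetime(filetime).isoformat()})
            pos += size  # size covers the whole record including the trailing size copy
    return {"version": f"{major}.{minor}", "chunk_count": chunk_count,
            "next_record_id": next_record_id, "record_count": len(records),
            "records": records}


def _record(record_id: int, when: datetime, body: bytes) -> bytes:
    """Constructed record: header, opaque body standing in for BinXML, trailing size."""
    filetime = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    size = 4 + 4 + 8 + 8 + len(body) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, record_id, filetime) + body + struct.pack("<I", size)


def build_sample_evtx() -> bytes:
    """Constructed minimal EVTX image (one header, one chunk, two records); not a real log."""
    recs = (_record(1, datetime(2009, 11, 28, 13, 7, 6, tzinfo=timezone.utc), b"\x00" * 8)
            + _record(2, datetime(2009, 11, 29, 13, 55, 12, tzinfo=timezone.utc), b"\x00" * 16))
    free_space = CHUNK_HEADER_SIZE + len(recs)
    chunk_hdr = (CHUNK_MAGIC + struct.pack("<QQQQ", 1, 2, 1, 2)
                 + struct.pack("<III", 128, CHUNK_HEADER_SIZE + 36, free_space))
    chunk = (chunk_hdr.ljust(CHUNK_HEADER_SIZE, b"\x00") + recs).ljust(CHUNK_SIZE, b"\x00")
    file_hdr = EVTX_MAGIC + struct.pack("<QQQIHHHH", 0, 0, 3, 128, 1, 3, 4096, 1)
    return file_hdr.ljust(FILE_HEADER_SIZE, b"\x00") + chunk


if __name__ == "__main__":
    # From a LiveCD with the Windows volume mounted read-only, e.g.
    #   python3 evtx_peek.py /mnt/win/Windows/System32/winevt/Logs/System.evtx
    # (hypothetical mount point); with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_evtx()
    kind = identify_log(data)
    print("format:", kind)
    if kind == "evtx":
        summary = parse_evtx(data)
        print(f"EVTX {summary['version']}, {summary['chunk_count']} chunk(s), "
              f"{summary['record_count']} record(s)")
        for rec in summary["records"]:
            print(f"  record {rec['id']} at {rec['time']}")
```

Mount the Windows volume read-only before pointing the script at a real file, so the inspection leaves the evidence untouched; a chunk whose magic check fails is the sign of a truncated or damaged log, which is the case where a tool that tolerates damage (as the other answer suggests) is needed.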

2

  1. Windows event logs are also files, but they are commonly locked by Windows (Event Log Service) and it is impossible to open these files on a "live" system. But if the computer is started from another disk or the system drive from the analyzed machine is connected to another computer, you can read event logs as files. The default location of event logs on Vista/2008 and better is "C:\Windows\System32\winevt\Logs\".
  2. Try Event Log Explorer, it's free for personal use. It's better than Event Viewer, e.g. it lets you read even damaged event files.

saidurcse

Posted 2009-11-28T13:07:06.260

Reputation: 21

Does this answer of yours really add something to the one that was accepted years ago already? – zagrimsan – 2016-05-25T13:05:36.497

0

I have a situation where I have a pile of HDDs that have been removed from various machines during upgrades. Not knowing what they came out of, accessing the system log in the location listed above allowed me to access the domain name and user access of that drive.

%drive letter%:\Windows\System32\winevt\Logs

Robert Adams

Posted 2009-11-28T13:07:06.260

Reputation: 1

1 – This question was asked and answered in 2009 and you answered in 2016 after an answer was already accepted. – Eric F – 2016-04-01T17:59:38.560