If an installation of windows is unbootable, is it possible to access the event log from a Linux LiveCD?
It is possible if you are running Vista or newer. The event log data is now written to an XML file in %SystemRoot%\System32\winevt\Logs\.
Previous versions of Windows wrote the log in an undocumented binary format. This web page tries to describe that format.
GrokEVT, which is mentioned on that page, is a collection of scripts built for reading Windows NT/2000/XP/2003 event log files. GrokEVT is released under the GNU GPL and is implemented in Python.
The default locations of the logs are:
%SystemRoot%\System32\Config\SysEvent.Evt (System Log)
%SystemRoot%\System32\Config\AppEvent.Evt (Application Log)
%SystemRoot%\System32\Config\SecEvent.Evt (Security Log)
Does this answer of yours really add something to the one that was accepted years ago already? – zagrimsan – 2016-05-25T13:05:36.497
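Added example, not code from any answer in this thread: once the volume is mounted read-only from the LiveCD (an unbootable install is often marked dirty or hibernated, and ntfs-3g will only mount such a volume with `-o ro`), the script below locates Windows\System32\winevt\Logs under the mount point and validates each file's EVTX container. It checks the ElfFile, ElfChnk and record signatures and the CRC32s over the file header, chunk headers and record data, per the public EVTX format documentation maintained with libevtx, and turns each record's FILETIME into a UTC timestamp. It deliberately does not decode the binary XML payload (which is why a raw .evtx file is not readable as text XML); hand verified files to python-evtx or libevtx's evtxexport for the actual events. The mount point `/mnt/win` and a device such as `/dev/sda2` in `mount -t ntfs-3g -o ro /dev/sda2 /mnt/win` are assumptions you must adjust, and the sample file the script builds for its self-check is constructed, not taken from a real machine.

```python
"""Offline triage of Windows event logs on an NTFS volume mounted under Linux (added example,
not code from this thread).  Validates the EVTX container structure and its CRC32s without
decoding the binary XML payload; hand verified files to python-evtx or libevtx for the content."""
import os
import struct
import sys
import zlib
from datetime import datetime, timedelta, timezone

EVTX_FILE_SIG = b"ElfFile\x00"
EVTX_CHUNK_SIG = b"ElfChnk\x00"
EVTX_RECORD_SIG = b"\x2a\x2a\x00\x00"
EVT_SIG = b"LfLe"                  # legacy NT/2000/XP/2003 .evt header carries this at offset 4
FILE_HEADER_SIZE, CHUNK_SIZE = 4096, 65536
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def crc32(buf):
    return zlib.crc32(buf) & 0xFFFFFFFF

def find_log_dir(mount_root, parts=("Windows", "System32", "winevt", "Logs")):
    """Resolve the log directory case-insensitively: ntfs-3g paths are case-sensitive on Linux."""
    cur = mount_root
    for want in parts:
        names = os.listdir(cur) if os.path.isdir(cur) else []
        cur = next((os.path.join(cur, n) for n in names if n.lower() == want.lower()), None)
        if cur is None:
            return None
    return cur

def identify(data):
    """'evtx' for Vista+ logs, 'evt' for the legacy format, None otherwise."""
    return "evtx" if data[:8] == EVTX_FILE_SIG else "evt" if data[4:8] == EVT_SIG else None

def parse_evtx(data):
    """Walk file header -> chunks -> records checking every CRC32; ValueError on damage."""
    if data[:8] != EVTX_FILE_SIG:
        raise ValueError("not an EVTX file")
    _, _, next_rec, _, minor, major, _, n_chunks = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, hdr_crc = struct.unpack_from("<II", data, 120)
    if crc32(data[:120]) != hdr_crc:
        raise ValueError("file header CRC mismatch")
    info = {"version": (major, minor), "chunks": n_chunks, "next_record_id": next_rec,
            "dirty": bool(flags & 1), "full": bool(flags & 2), "records": []}
    for i in range(n_chunks):
        chunk = data[FILE_HEADER_SIZE + i * CHUNK_SIZE:][:CHUNK_SIZE]
        if len(chunk) < CHUNK_SIZE or chunk[:8] != EVTX_CHUNK_SIG:
            raise ValueError(f"chunk {i}: truncated or bad signature")
        free_off, rec_crc = struct.unpack_from("<II", chunk, 48)   # free-space offset, records CRC
        if crc32(chunk[:120] + chunk[128:512]) != struct.unpack_from("<I", chunk, 124)[0]:
            raise ValueError(f"chunk {i}: header CRC mismatch")
        if crc32(chunk[512:free_off]) != rec_crc:
            raise ValueError(f"chunk {i}: record data CRC mismatch")
        pos = 512                                                  # records start after the tables
        while pos < free_off:
            if chunk[pos:pos + 4] != EVTX_RECORD_SIG:
                raise ValueError(f"chunk {i}: bad record signature at {pos}")
            size, rec_id, ft = struct.unpack_from("<IQQ", chunk, pos + 4)
            if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
                raise ValueError(f"chunk {i}: record {rec_id} size fields disagree")
            info["records"].append((rec_id, FILETIME_EPOCH + timedelta(microseconds=ft // 10)))
            pos += size
    return info

def verify_evtx(data):
    """(True, summary) for a structurally sound file, (False, reason) otherwise."""
    try:
        info = parse_evtx(data)
    except (ValueError, struct.error) as e:
        return False, str(e)
    return True, f"EVTX {info['version'][0]}.{info['version'][1]}, {len(info['records'])} record(s), dirty={info['dirty']}"

def build_sample_evtx(records):
    """Construct a minimal checksum-valid single-chunk EVTX (test data, not from a real host)."""
    body, last_off = b"", 512
    for rec_id, ft, payload in records:                 # records: [(record_id, filetime, payload)]
        size, last_off = 28 + len(payload), 512 + len(body)
        body += EVTX_RECORD_SIG + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)
    ids = [r[0] for r in records]
    head = EVTX_CHUNK_SIG + struct.pack("<QQQQIIII", ids[0], ids[-1], ids[0], ids[-1], 128,
                                        last_off, 512 + len(body), crc32(body))
    head += b"\x00" * (120 - len(head))
    tables = b"\x00" * 384             # string and template offset tables (bytes 128..512), unused
    chunk = head + b"\x00" * 4 + struct.pack("<I", crc32(head + tables)) + tables + body
    chunk += b"\x00" * (CHUNK_SIZE - len(chunk))
    fh = EVTX_FILE_SIG + struct.pack("<QQQIHHHH", 0, 0, ids[-1] + 1, 128, 1, 3, FILE_HEADER_SIZE, 1)
    fh += b"\x00" * (120 - len(fh)) + struct.pack("<I", 0)      # flags: neither dirty nor full
    return fh + struct.pack("<I", crc32(fh[:120])) + b"\x00" * (FILE_HEADER_SIZE - 128) + chunk

def sample_evtx():
    """Two constructed records with placeholder payloads (binary XML is not modelled)."""
    t0 = datetime(2009, 11, 29, 13, 55, 12, tzinfo=timezone.utc)
    ft = lambda dt: (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10   # FILETIME: 100 ns ticks
    return build_sample_evtx([(1, ft(t0), b"<fake binary xml 1>"),
                              (2, ft(t0 + timedelta(minutes=5)), b"<fake 2>")])

if __name__ == "__main__":             # usage: python evtx_triage.py /mnt/win  (assumed mount point)
    logs = find_log_dir(sys.argv[1] if len(sys.argv) > 1 else "/mnt/win") or sys.exit("winevt\\Logs not found")
    for name in sorted(os.listdir(logs)):
        data = open(os.path.join(logs, name), "rb").read()
        print(name, verify_evtx(data)[1] if identify(data) == "evtx" else identify(data) or "unrecognised")
```

The CRC checks matter in this scenario: a volume from an unbootable machine may have a half-written last chunk, and the `dirty` flag tells you the log was not cleanly closed, so a structural failure here points at the disk rather than at the parser you run next.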
I have a situation where I have a pile of HDDs that have been removed from various machines during upgrades. Not knowing what they came out of, accessing the system log in the location listed above allowed me to access the domain name and user access of that drive.
%drive letter%:\Windows\System32\winevt\Logs
This question was asked and answered in 2009 and you answered in 2016 after an answer was already accepted. – Eric F – 2016-04-01T17:59:38.560
Windows 7/Vista XML event files stored in: %SystemRoot%\System32\winevt\Logs\ – Umber Ferrule – 2010-06-30T16:57:37.963
Vista and later use the EVTX format, not EVT. And the raw EVTX file is definitely not an xml file. Try opening it with any text editor and see – phuclv – 2019-06-02T03:27:16.300
Where is this XML file stored? – Macha – 2009-11-29T13:55:12.583