
Eventlog service in Win7PE

win7pe services eventlog

3 replies to this topic

#1 lianzi2000

lianzi2000

    Member

  • Members
  • 43 posts
  • United States

Posted 07 February 2012 - 07:03 AM

Does anyone have experience with the eventlog service under win7PE?

I was able to bring up the service (the system shows it's running), but instead of writing to:

%systemroot%\system32\winevt\Logs\xxxxxx.evtx

as configured in registry (system\currentcontrol\services\eventlog\xxxxxx\file), it seems end up in

%systemroot%\system32\LogFiles\WMI\RtBackup\EtwRTEventLog-xxxxxx.etl

Could anyone give me a little hint about what is going on? And how can I configure the classic Event Viewer to view these files?

Thanks a million!

lianzi2000

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 07 February 2012 - 11:48 PM

My guess is that you are barking up the wrong tree; seemingly those in WMI\RtBackup are DIFFERENT things:
http://serverfault.c...es-wmi-rtbackup

AND check this:
http://msdn.microsof...8(v=vs.85).aspx

File
Fully-qualified path to the file where each event log is stored. This enables Event Viewer and other applications to find the log files. This value is of type REG_SZ or REG_EXPAND_SZ. This value is optional. If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs followed by a file name that is based on the event log registry key name.

The specific event log file path should be set using the command line utility wevtutil.exe or by using the EvtSetChannelConfigProperty function with EvtChannelLoggingConfigLogFilePath passed into the PropertyId parameter.

If a specific file is set, make sure that the event log service has full permissions on the file.

This value needs to be a valid file name for a file that is located on a local directory (not a remote computer, not a DOS device, not a floppy, and not a pipe). If the file setting is wrong, an event is fired in the System event log when the event log service starts.

Do not use environment variables, in the path to the file, that cannot be expanded in the context of the event log service.

Windows Server 2003 and Windows XP/2000: This value defaults to %SystemRoot%\system32\config followed by a file name that is based on the event log registry key name. If the File setting is set to an invalid value, the log will either not be initialized properly, or all requests will silently go to the default log (Application).


It is very possible that something is missing (although the service appears as running).

Anyway:
http://www.microsoft...t.mspx?mfr=true
http://technet.micro...700(WS.10).aspx

:cheers:
Wonko

#3 lianzi2000

lianzi2000

    Member

  • Members
  • 43 posts
  • United States

Posted 08 February 2012 - 01:29 PM

Yeah, I figured so... My problem is, the registry setting appears correct:

RegWrite,HKLM,0x2,%RegSystem%\ControlSet001\services\eventlog\Application,"File","#$pSystemRoot#$p\system32\winevt\Logs\Application.evtx"

however, although the service is started automatically at boot, no .evtx is created at all under the specified location. I'll try to study the procmon log carefully to see if it is missing anything.

Thanks for the comment.

lianzi2000

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 08 February 2012 - 06:47 PM


What I was (indirectly) suggesting was to REMOVE the filename altogether and see what happens, OR to try using wevtutil.exe:

If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs followed by a file name that is based on the event log registry key name.

The specific event log file path should be set using the command line utility wevtutil.exe ...


or anyway peruse wevtutil.exe to gather more info on what's happening:
http://technet.micro...848(WS.10).aspx

:cheers:
Wonko




