#1
Posted 07 February 2012 - 07:03 AM
I was able to bring up the service (the system shows it's running), but instead of writing to:
%systemroot%\system32\winevt\Logs\xxxxxx.evtx
as configured in registry (system\currentcontrol\services\eventlog\xxxxxx\file), it seems to end up in
%systemroot%\system32\LogFiles\WMI\RtBackup\EtwRTEventLog-xxxxxx.etl
Could anyone give me a little hint what is going on? And how can I configure the classic event viewer to view these files?
Thanks a million!
lianzi2000
#2
Posted 07 February 2012 - 11:48 PM
http://serverfault.c...es-wmi-rtbackup
AND check this:
http://msdn.microsof...8(v=vs.85).aspx
File
Fully-qualified path to the file where each event log is stored. This enables Event Viewer and other applications to find the log files. This value is of type REG_SZ or REG_EXPAND_SZ. This value is optional. If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs\ followed by a file name that is based on the event log registry key name.
The specific event log file path should be set using the command line utility wevtutil.exe or by using the EvtSetChannelConfigProperty function with EvtChannelLoggingConfigLogFilePath passed into the PropertyId parameter.
If a specific file is set, make sure that the event log service has full permissions on the file.
This value needs to be a valid file name for a file that is located on a local directory (not a remote computer, not a DOS device, not a floppy, and not a pipe). If the file setting is wrong, an event is fired in the System event log when the event log service starts.
Do not use environment variables, in the path to the file, that cannot be expanded in the context of the event log service.
Windows Server 2003 and Windows XP/2000: This value defaults to %SystemRoot%\system32\config\ followed by a file name that is based on the event log registry key name. If the File setting is set to an invalid value, the log will either not be initialized properly, or all requests will silently go to the default log (Application).
It is very possible that something is missing (although the service appears as running).
Anyway:
http://www.microsoft...t.mspx?mfr=true
http://technet.micro...700(WS.10).aspx
Wonko
#3
Posted 08 February 2012 - 01:29 PM
RegWrite,HKLM,0x2,%RegSystem%\ControlSet001\services\eventlog\Application,"File","#$pSystemRoot#$p\system32\winevt\Logs\Application.evtx"
however, although the service is started automatically at booting, no .evtx created at all under the specified location. I'll try to study the procmon log carefully to see if it is missing anything.
Thanks for the comment.
lianzi2000
#4
Posted 08 February 2012 - 06:47 PM
What I was (indirectly) suggesting was to REMOVE the filename altogether and see what happens OR try using wevtutil.exe
Yeah I figured so.... My problem is, the registry setting appears correct:
RegWrite,HKLM,0x2,%RegSystem%\ControlSet001\services\eventlog\Application,"File","#$pSystemRoot#$p\system32\winevt\Logs\Application.evtx"
however, although the service is started automatically at booting, no .evtx created at all under the specified location. I'll try to study the procmon log carefully to see if it is missing anything.
Thanks for the comment.
lianzi2000
If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs\ followed by a file name that is based on the event log registry key name.
The specific event log file path should be set using the command line utility wevtutil.exe ...
or however peruse wevtutil.exe to gather more info on what's happening:
http://technet.micro...848(WS.10).aspx
Wonko
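The checks listed in the MSDN text quoted in post #2, combined with the wevtutil.exe suggestion, as an added PowerShell example (not part of the thread and not code from either poster). It assumes a booted system where PowerShell and wevtutil.exe are available and reads the live CurrentControlSet key; the log name `Application` is only a default.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param([string]$LogName = 'Application')   # assumption: the log being checked

$key = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName" -ErrorAction Stop

# Read the raw value so REG_EXPAND_SZ variables are still visible.
$raw = $key.GetValue('File', $null, 'DoNotExpandEnvironmentNames')
if ($null -eq $raw) {
    # Per the quoted documentation the value is optional and has this default.
    $raw = "%SystemRoot%\system32\winevt\Logs\$LogName.evtx"
}

# Expansion uses this session's environment, not the service's, so a variable
# that expands here can still be unknown to the Event Log service.
$path = [Environment]::ExpandEnvironmentVariables($raw)
$problems = @()

if ($path -match '%[^%\\]+%') {
    $problems += 'environment variable did not expand'
} elseif ($path.StartsWith('\\')) {
    $problems += 'UNC, device or pipe path; a local file is required'
} elseif ($path -notmatch '^[A-Za-z]:\\') {
    $problems += 'path is not fully qualified'
} else {
    $drive = New-Object System.IO.DriveInfo ($path.Substring(0, 1))
    if ($drive.DriveType -eq 'Network') { $problems += 'drive is a network mapping' }
    if (-not (Test-Path (Split-Path -Parent $path))) { $problems += 'directory is missing' }
    if (Test-Path $path) {
        # The service needs full permissions on the file: list the ACL for review.
        (Get-Acl $path).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    } else {
        $problems += 'log file does not exist'
    }
}

# Path the Event Log service itself reports for this log.
$line = wevtutil.exe gl $LogName | Where-Object { $_ -like '*logFileName:*' } |
    Select-Object -First 1
if ($line) {
    $svcPath = [Environment]::ExpandEnvironmentVariables(($line -split ':', 2)[1].Trim())
    if ($svcPath -ne $path) { $problems += "service reports a different file: $svcPath" }
} else {
    $problems += 'wevtutil returned no logFileName for this log'
}

"Registry File value : $raw"
"Expanded path       : $path"
if ($problems) { $problems | ForEach-Object { "PROBLEM: $_" } } else { 'No problems found' }
```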