How To: Redirect Event Viewer Log File Location to a thawed partition
Posted by Panagiotis Mantzouranis on 27 December 2013 11:33 AM

When troubleshooting an application error or crash (e.g. the Gizmo client's), one of the things you will be looking for is errors in the Windows Application and System logs.

 

By default, these logs are stored inside %SystemRoot%\System32\Config\

 

When automatic recovery software (such as Deep Freeze) protects the OS partition, the errors are not saved after a system reboot, making the use of these diagnostics impossible.

The best way to handle this is by relocating the Event Viewer log files to a thawed partition.

 

One way to do it is by modifying the Windows Registry.

  • Backup your registry first. Follow this guide if you do not know how: http://windows.microsoft.com/en-us/windows/back-up-registry#1TC=windows-7
  • Launch regedit and navigate to System\CurrentControlSet\Services\EventLog\System. Double-click the FILE value. Type the new drive and path in the String box, including the file name \SysEvent.Evt, and then click OK. Make sure that the path you enter already exists AND is located on a local drive.
  • Repeat for System\CurrentControlSet\Services\EventLog\Application

*http://support.microsoft.com/kb/216169

 

A second way to achieve the same result is by using the wevtutil utility (Vista and above).

To change the location of the System Log, enter the command below in a command line prompt:

Wevtutil sl "System" /lfn:D:\Windows_Logs\System.evtx

Replace D:\Windows_Logs with your preferred log location.

To do the same for the Application log, enter:

Wevtutil sl "Application" /lfn:D:\Windows_Logs\Application.evtx

Verify that the directory exists or else the logs will not be created.

 

*http://technet.microsoft.com/en-us/library/cc732848.aspx
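The two wevtutil commands above, wrapped in a PowerShell script that creates the directory first and reads each setting back with wevtutil gl. This is an added example, not part of the original article; it assumes an elevated PowerShell session and reuses the article's sample path D:\Windows_Logs.

```powershell
# Added example. $LogDir is the article's sample path; change it to your thawed partition.
$LogDir = 'D:\Windows_Logs'
$Logs   = 'System', 'Application'

# wevtutil sl needs an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# The target must be on a local drive: reject UNC paths and non-fixed drives.
$root = [System.IO.Path]::GetPathRoot($LogDir)
if ($root -notmatch '^[A-Za-z]:\\$') {
    throw "$LogDir is not a drive-letter path."
}
$drive = New-Object System.IO.DriveInfo($root)
if ($drive.DriveType -ne [System.IO.DriveType]::Fixed) {
    throw "$root is a $($drive.DriveType) drive, not a local fixed disk."
}

# The directory must exist before the log is redirected.
if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

foreach ($log in $Logs) {
    $target = Join-Path $LogDir "$log.evtx"

    & wevtutil.exe sl $log "/lfn:$target"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil sl failed for $log (exit code $LASTEXITCODE)."
    }

    # Read the configuration back (wevtutil gl) and compare the logFileName line.
    $match = & wevtutil.exe gl $log |
        Select-String -Pattern '^\s*logFileName:\s*(.+)$' |
        Select-Object -First 1
    if (-not $match) {
        throw "No logFileName line in the wevtutil gl output for $log."
    }
    $actual = $match.Matches[0].Groups[1].Value.Trim()
    if ($actual -ne $target) {
        throw "$log still points to $actual."
    }
    '{0,-12} -> {1}' -f $log, $actual
}
```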

 

You can then use Event Viewer (http://technet.microsoft.com/en-us/library/cc766401.aspx) to open the log files on another computer.
