Is it possible to access the Windows event log if the system is unbootable?
If an installation of windows is unbootable, is it possible to access the event log from a Linux LiveCD?
It is possible if you are running Vista or newer. The event log data is now written to an XML file in %SystemRoot%\System32\winevt\Logs\
.
Previous versions of Windows wrote the log in an undocumented binary format. This web page tries to describe that format.
GrokEVT which is mentioned on that page, is is a collection of scripts built for reading Windows NT/2000/XP/2003 event log files. GrokEVT is released under the GNU GPL, and is implemented in Python.
The default locations of the logs are:
-
%SystemRoot%\System32\Config\SysEvent.Evt
(System Log) -
%SystemRoot%\System32\Config\AppEvent.Evt
(Application log) -
%SystemRoot%\System32\Config\SecEvent.Evt
(Security Log)
- Windows event logs are also files, but they are commonly locked by Windows (Event Log Service) and it is impossible to open these files on "live" system. But if the computer is started from another disk or the system drive from the analyzed machine is connected to another computer, you can read event logs as files. The default location of event logs on Vista/2008 and better is "C:\Windows\System32\winevt\Logs\".
- Try Event Log Explorer, it's free for personal use. It better than Event Viewer, e.g. it lets you read even damaged event files.