How do I retain the event logs on a Windows computer?
Posted by Adam Zilliax, Last modified by Adam Zilliax on 02 May 2013 12:11 PM

In some cases, administrators may wish to retain the event logs on a Windows computer running Deep Freeze for diagnostic or auditing purposes. On a frozen machine, the event logs can be retained by creating a second partition and instructing the operating system to save the log files on that second partition.

This can be done with the following process:

  1. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
  2. Open the subkey that contains the event log you want to redirect, such as Application.
  3. In the right pane, you will find a value named File (type REG_EXPAND_SZ), which contains the path and filename of the log file. You can provide a new path and filename here, but you should use the .EVT file extension.
  4. Close the Registry Editor and restart the computer.
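
Steps 1 to 4 can also be scripted when several logs or machines need the same change. The PowerShell below is an added example, not part of the original article; the drive letter `E:`, the folder `E:\EventLogs`, the list of logs and the function name `Set-EventLogFile` are assumptions. It records each previous File value so the change can be reverted.

```powershell
# Added example: run from an elevated PowerShell 3.0+ session.
# Assumptions (not from the article): the second partition is E:,
# the target folder is E:\EventLogs, and these three logs are redirected.
$TargetDir = 'E:\EventLogs'
$LogNames  = 'Application', 'System', 'Security'
$BaseKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog'

function Set-EventLogFile {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Directory
    )
    $key = Join-Path $BaseKey $LogName
    if (-not (Test-Path $key)) { throw "No eventlog subkey named '$LogName'" }

    # Refuse to point the log at a volume that is not mounted; otherwise
    # the service would have nowhere to write after the restart.
    $root = [System.IO.Path]::GetPathRoot($Directory)
    if (-not (Test-Path $root)) { throw "Volume $root is not available" }
    if (-not (Test-Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }

    # Read the current value without expanding %SystemRoot% so the exact
    # original string can be restored later.
    $old = (Get-Item $key).GetValue('File', $null, 'DoNotExpandEnvironmentNames')
    $new = Join-Path $Directory "$LogName.evt"   # article: keep the .EVT extension

    # Keep the value type REG_EXPAND_SZ, as described in step 3.
    Set-ItemProperty -Path $key -Name File -Value $new -Type ExpandString
    [pscustomobject]@{ Log = $LogName; Previous = $old; Current = $new }
}

$changes = foreach ($name in $LogNames) {
    Set-EventLogFile -LogName $name -Directory $TargetDir
}
$changes | Format-Table -AutoSize

# Keep a record of the old values next to the redirected logs.
$changes | Export-Csv (Join-Path $TargetDir 'eventlog-redirect-backup.csv') -NoTypeInformation
Write-Host 'Restart the computer for the new log locations to take effect.'
```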

 

In some cases it may be possible to configure the domain to forward event log data to a central repository. Details on this process can be found at the link below:

http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx
