How do I retain the event logs on a Windows computer?

Note: This process only applies to versions of Deep Freeze that do not have the option to retain the Windows Event logs as a native feature.

In some cases, administrators may wish to retain the event logs on a Windows computer running Deep Freeze for diagnostic or auditing purposes. On a frozen machine the event logs can be retained by creating a second partition and instructing the operating system to save the log files in that second partition.

This can be done with the following process:

1. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
2. Open the subkey that contains the event log you want to redirect, such as Application.
3. On the right pane, you will find a value named File (type REG_EXPAND_SZ), which contains the pathname and filename to the log file. You can provide a new pathname and filename here, but you should use the .EVT file extension.
4. Close the Registry and restart the computer.

In some cases, it may be possible to configure the domain to forward event log data to a central repository. Details on this process can be found at the link below:

http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx