Re: Application, Security and System log files - where are they located

  • Thread starter: AnnaMarie

AnnaMarie

Thanks for your reply, JS.

I want to also thank you for sharing your suggestions, one of which provided
me with the ANSWER to my QUESTION . . . Does anyone know how and where I can
find the files associated with Event Viewer's Application, Security and
System log files???

The ANSWER is, of course, the C:\WINDOWS\system32\config\ directory - where
we find . . .

C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\system32\config\SecEvent.Evt
C:\WINDOWS\system32\config\SysEvent.Evt

Prior to investigating the links provided in your reply, I . . .
- cleared each Event Log file
- copied each .Evt file to a new directory on my F:\ drive
- and created the following batch file . . .

COPY F:\Event_Viewer_LOG_Files\AppEvent.Evt C:\WINDOWS\system32\config\AppEvent.Evt
COPY F:\Event_Viewer_LOG_Files\SecEvent.Evt C:\WINDOWS\system32\config\SecEvent.Evt
COPY F:\Event_Viewer_LOG_Files\SysEvent.Evt C:\WINDOWS\system32\config\SysEvent.Evt

It did not work. To find why, I opened a CMD PROMPT window and discovered
the following . . .

C:\>COPY F:\Event_Viewer_LOG_Files\AppEvent.Evt C:\WINDOWS\system32\config\AppEvent.Evt

The process cannot access the file because it is being used by another
process.
0 file(s) copied.

C:\>

Having failed, I investigated the contents of each of your suggested links
and my results and/or conclusions are as follows . . .

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172156 states . . .

The Event Viewer Log files (Sysevent.evt, Appevent.evt, Secevent.evt) are
always in use by the system, preventing the files from being deleted or
renamed. The EventLog service cannot be stopped because it is required by
other services, thus the files are always open. This article describes a
method to rename or move these files for troubleshooting purposes.

NTFS Partition method

Click the Start button, point to Settings, click Control Panel, and then
double-click Services.
Select the EventLog service and click Startup. Change the Startup Type to
Disabled, and then click OK. If you are unable to log on to the computer but
can access the registry remotely, you can change the Startup value in the
following registry key to 0x4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Restart Windows.

NOTE: When the system starts up, several services may fail; a message
informing the user to use Event Viewer to review errors may appear.
Rename or move the corrupt *.evt file from the following location:
%SystemRoot%\System32\Config
In Control Panel Services tool, re-enable the EventLog service by setting it
back to the default of Automatic startup, or change the registry Startup
value back to 0x2.

. . . far too destructive and requires far more work than what I am
currently doing - manually clearing each LOG file's entries. However, it
gave me another batch file idea as follows . . .

sc stop Eventlog
sc config Eventlog start= disabled
sc config Eventlog start= auto
sc start Eventlog

It did not work. To find why, I opened a CMD PROMPT window and discovered
the following . . .

C:\>sc stop Eventlog
[SC] ControlService FAILED 1052:

The requested control is not valid for this service.

C:\>

To confirm that the "sc stop Eventlog" command was working I executed the
following command line syntax . . .

C:\>sc config Eventlog start= disabled
[SC] ChangeServiceConfig SUCCESS

C:\>COPY F:\Event_Viewer_LOG_Files\AppEvent.Evt C:\WINDOWS\system32\config\AppEvent.Evt

The process cannot access the file because it is being used by another
process.
0 file(s) copied.

C:\>

While I did confirm the command line syntax was working properly, this idea
failed. Accordingly, I furthered my investigation associated with the
contents of your remaining links and my results and/or conclusions are as
follows . . .

http://support.microsoft.com/kb/308427 states (among other non-applicable
instructions) . . .

How to Filter Log Events
To filter log events, follow these steps:
Click Start, and then click Control Panel. Click Performance and
Maintenance, then click Administrative Tools, and then double-click Computer
Management. Or, open the MMC containing the Event Viewer snap-in.
In the console tree, expand Event Viewer, and then click the log that
contains the event that you want to view.
On the View menu, click Filter.
Click the Filter tab (if it is not already selected).
Specify the filter options that you want, and then click OK.
Only events that match your filter criteria are displayed in the details
pane.
To return the view to display all log entries, click Filter on the View
menu, and then click Restore Defaults.


. . . this procedure gave me another new idea. How do I create a batch file
that UNCHECKS the FILTERS for ALL Event types, something I do not have a
clue how to accomplish. Unfortunately, this new idea turned out to be a
poor one. Poor, because when I tried this manually, while it did filter the
event logs as long as I stayed in MMC, it did nothing to the actual LOG
files [i.e. Appevent.evt, Secevent.evt and Sysevent.evt]. Otherwise, once
again, it did not provide a simpler solution than what I am currently
doing - manually clearing each LOG file's entries.

http://www.tunexp.com/tips/maintain_your_computer/fix_corrupt_event_log_files/
states . . .

Fix Corrupt Event Log Files

One of the administrative tools in Microsoft Management Console, Event
Viewer maintains logs about program, security, and system events on your
computer. You can use Event Viewer to view and manage the event logs, gather
information about hardware and software problems, and monitor Windows
security events.

If Event Viewer reports on startup that one or more of your log files is
corrupt, you can remedy the situation as follows:
Open the Event Viewer.
Right-click on the corrupt log in the left pane and click Properties.
Click the Clear button in the Properties dialog box.

You cannot delete or rename the log files while the Event Log service is
running.

. . . which only provides instructions to accomplish exactly what I am
currently doing - manually clearing each LOG file's entries.

In conclusion, I want to thank you again for helping to ANSWER my QUESTION
which identified where the files associated with Event Viewer's Application,
Security and System logs were located:


C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\system32\config\SecEvent.Evt
C:\WINDOWS\system32\config\SysEvent.Evt

Unfortunately, after reviewing your suggested links, I was unable to resolve
my other goal of creating a BATCH file program to delete the individual
files that are created. Given the various system responses including, but
not limited to, "The process cannot access the file because it is being used
by another process" as well as the Microsoft article that states, "The Event
Viewer Log files (Sysevent.evt, Appevent.evt, Secevent.evt) are always in
use by the system, preventing the files from being deleted or renamed," it
appears that my goal may never be achieved.

Thanks again, JS.
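
Added example, not part of the thread: the three files named above are in the fixed-layout NT/2000/XP .evt format (a 48-byte ELF_LOGFILE_HEADER, a chain of EVENTLOGRECORD entries, and a closing EOF record), so a script can read a saved copy of SecEvent.Evt without Event Viewer. The Python below builds a small constructed Security log in memory, parses it back, and flags the record that a manual Clear leaves behind: on Windows XP and Server 2003 a freshly cleared Security log starts with audit event 517, "The audit log was cleared". The machine name, timestamps and insertion strings in the sample are invented for the example (the real 517 record carries a different set of strings); the structure offsets follow the documented Win32 layout.

```python
"""Read the fixed-layout Windows NT/2000/XP .evt event log format."""
import struct
from datetime import datetime, timezone

LFLE = 0x654C664C                    # "LfLe": file signature, repeated in every record
HEADER_FMT = "<12I"                  # ELF_LOGFILE_HEADER, 48 bytes (0x30)
RECORD_FMT = "<IIIIIIHHHHIIIIII"     # fixed part of EVENTLOGRECORD, 56 bytes
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)   # ELF_EOF_RECORD marker
FLAG_DIRTY, FLAG_WRAP = 0x1, 0x2     # header Flags: not flushed cleanly / records wrapped
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}
CLEAR_EVENTS = {("Security", 517)}   # (source, id) written when the XP/2003 Security log is cleared


def build_record(number, when, event_id, event_type, source, computer, strings):
    """Serialise one EVENTLOGRECORD (no SID, no binary data) as the service lays
    it out: fixed header, UTF-16LE names, DWORD-aligned strings, padding, and
    the record length repeated as a trailer."""
    fixed = struct.calcsize(RECORD_FMT)
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    while (fixed + len(body)) % 4:                   # SID offset must be DWORD aligned
        body += b"\0"
    sid_off = str_off = fixed + len(body)            # no SID, so the strings start here
    body += b"".join((s + "\0").encode("utf-16-le") for s in strings)
    data_off = fixed + len(body)                     # no binary data either
    body += b"\0" * (-(fixed + len(body) + 4) % 4)   # pad the whole record to a DWORD multiple
    length = fixed + len(body) + 4
    head = struct.pack(RECORD_FMT, length, LFLE, number, when, when, event_id, event_type,
                       len(strings), 0, 0, 0, str_off, 0, sid_off, 0, data_off)
    return head + body + struct.pack("<I", length)


def build_sample_evt():
    """Constructed SecEvent.Evt: the 'audit log was cleared' record (517) that a
    manual Clear leaves behind, followed by one logon (528). Names, times and
    insertion strings are invented for this example."""
    t0 = 1136073600                                   # 2006-01-01 00:00:00 UTC
    recs = [build_record(1, t0, 517, 8, "Security", "XP-WORKSTATION",
                         ["AnnaMarie", "XP-WORKSTATION", "(0x0,0x3E7)"]),
            build_record(2, t0 + 90, 528, 8, "Security", "XP-WORKSTATION",
                         ["AnnaMarie", "XP-WORKSTATION", "(0x0,0x12345)", "2"])]
    body = b"".join(recs)
    start, end = 0x30, 0x30 + len(body)               # EndOffset points at the EOF record
    eof = struct.pack("<10I", 0x28, *EOF_MAGIC, start, end, 3, 1, 0x28)
    header = struct.pack(HEADER_FMT, 0x30, LFLE, 1, 1, start, end, 3, 1,
                         0x80000, 0, 7 * 86400, 0x30)  # 512 KB max size, 7-day retention
    return header + body + eof


def parse_record(data, off):
    (length, _sig, number, t_gen, _t_wr, event_id, etype, nstrings, _cat, _f, _closing,
     str_off, sid_len, sid_off, _dlen, data_off) = struct.unpack_from(RECORD_FMT, data, off)
    if struct.unpack_from("<I", data, off + length - 4)[0] != length:
        raise ValueError(f"record {number}: trailing length does not match the header")
    names = data[off + 56: off + sid_off].decode("utf-16-le").split("\0")
    strings = data[off + str_off: off + data_off].decode("utf-16-le").split("\0")
    return {"number": number, "time": datetime.fromtimestamp(t_gen, tz=timezone.utc),
            "event_id": event_id & 0xFFFF,            # Event Viewer shows the low 16 bits
            "type": EVENT_TYPES.get(etype, str(etype)), "source": names[0],
            "computer": names[1], "sid": data[off + sid_off: off + sid_off + sid_len],
            "strings": strings[:nstrings]}


def parse_evt(data):
    """Return (header, records). Walks records from StartOffset to the EOF record;
    refuses wrapped logs, where a record can straddle the end of the file."""
    h = struct.unpack_from(HEADER_FMT, data, 0)
    if h[0] != 0x30 or h[11] != 0x30 or h[1] != LFLE:
        raise ValueError("not an .evt file: bad header size or missing LfLe signature")
    header = {"start_offset": h[4], "end_offset": h[5], "next_record": h[6],
              "oldest_record": h[7], "max_size": h[8], "flags": h[9],
              "dirty": bool(h[9] & FLAG_DIRTY), "wrapped": bool(h[9] & FLAG_WRAP)}
    if header["wrapped"]:
        raise ValueError("wrapped log: records continue after the header, not handled here")
    records, off = [], header["start_offset"]
    while off + 8 <= len(data):
        length, marker = struct.unpack_from("<II", data, off)
        if marker == EOF_MAGIC[0]:                    # reached the ELF_EOF_RECORD
            break
        if marker != LFLE or length < 56 or off + length > len(data):
            raise ValueError(f"corrupt record at offset {off:#x}")
        records.append(parse_record(data, off))
        off += length
    return header, records


def clear_events(records):
    """Records proving the log was cleared; the 517 record's time is when it happened."""
    return [r for r in records if (r["source"], r["event_id"]) in CLEAR_EVENTS]


if __name__ == "__main__":
    header, records = parse_evt(build_sample_evt())
    print(f"records {header['oldest_record']}..{header['next_record'] - 1}, "
          f"dirty={header['dirty']}, wrapped={header['wrapped']}")
    for r in records:
        print(f"{r['number']:>3}  {r['time']:%Y-%m-%d %H:%M:%S}  {r['type']:<13}  "
              f"{r['source']}  {r['event_id']}  {' | '.join(r['strings'])}")
    for r in clear_events(records):
        print(f"log cleared at {r['time']:%Y-%m-%d %H:%M:%S}, strings: {r['strings']}")
```

Run it as a script to print the constructed records, or pass the bytes of a log saved with Event Viewer's "Save Log File As" (.evt) to parse_evt(). A file copied out from under the running service with a tool that bypasses the sharing lock can have the DIRTY bit set, because the service had not yet written its final header; parse_evt() surfaces that bit so the caller knows the header offsets may lag the real end of the log. The 517 check is the reason the manual Clear described in this thread is never silent: the cleared Security log records who cleared it and when.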
 
I posted all the information I could find in hopes of giving you some ideas
to try.
You did all that was expected and more.

One thing you might try is a "keystroke" macro. It's been a long time since
I have used this technique so I can't make any recommendations as to what
keystroke tool to use, but if you google:
http://www.google.com/search?hl=en&q=keystroke+recorder+macro

You will find a number of hits, one being:
Auto Macro Recorder
http://www.macro-recorder.com/

--
JS
http://www.pagestart.com

