How To: Redirect Event Viewer Log File Location to a thawed partition

Panagiotis Mantzouranis

Last Update 8 months ago

When troubleshooting an application error or crash (e.g. the Gizmo client's), one of the things you will look for is errors in the Windows Application and System logs.

By default, these logs are stored inside %SystemRoot%\System32\Config\

When automatic recovery software (such as Deep Freeze) protects the OS partition, the errors are not saved after a system reboot, making the use of these diagnostics impossible.

The best way to handle this is by relocating the Event Viewer log files to a thawed partition.

One way to do it is by modifying the Windows Registry.

  • Back up your registry first. Follow this guide if you do not know how.
  • Launch regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System.
  • Double-click the FILE value. Type the new drive and path in the String box, including the file name \SysEvent.Evt, and then click OK. Make sure that the path you enter already exists AND is located on a local drive.
  • Repeat for HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application.

An alternative way to achieve the same result is by using the wevtutil utility (Vista and above).

To change the location of the System Log, enter the command below in a command line prompt:

Replace D:\Windows_Logs with your preferred log location.

To do the same for the Application log, enter:

Verify that the directory exists or else the logs will not be created.
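The wevtutil procedure described above, as an added PowerShell example that is not the article's own commands: it checks that the target directory exists on a local fixed drive, sets the new file for both logs, and reads the setting back. D:\Windows_Logs is the article's path; the file names System.evtx and Application.evtx are assumptions.

```powershell
# Added example: relocate the System and Application logs with wevtutil.
# Run from an elevated PowerShell prompt.
$LogDir = 'D:\Windows_Logs'      # path used in the article; replace with your thawed location
$Logs   = @{                     # file names are assumptions, not taken from the article
    'System'      = 'System.evtx'
    'Application' = 'Application.evtx'
}

# The target directory must already exist, otherwise the logs are not created.
if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    throw "Directory $LogDir does not exist. Create it on the thawed partition first."
}

# The target must be on a local fixed drive, not a network or removable one.
$root  = [System.IO.Path]::GetPathRoot($LogDir)
$drive = [System.IO.DriveInfo]::new($root)
if ($drive.DriveType -ne [System.IO.DriveType]::Fixed) {
    throw "$root is a $($drive.DriveType) drive; choose a local fixed drive."
}

foreach ($name in $Logs.Keys) {
    $target = Join-Path $LogDir $Logs[$name]

    # sl = set-log, /lfn = log file name
    & wevtutil.exe sl $name "/lfn:$target"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil failed for the $name log (exit code $LASTEXITCODE)."
    }

    # Read the setting back so a failed change is noticed now,
    # not when the log is needed after a crash and reboot.
    $effective = (Get-WinEvent -ListLog $name).LogFilePath
    if ($effective -ne $target) {
        throw "$name log still points to $effective."
    }
    Write-Host "$name log now writes to $effective"
}
```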

You can then use Event Viewer to open the log files on another computer.
