This tip is applicable to Enhanced Write Filter (EWF-RAM) users. To move Event Viewer logs to a volume unprotected by EWF, modify the following three registry keys as shown in the following example. The example uses drive D as the unprotected volume.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
File=D:\\AppEvent.evt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
File=D:\\SecEvent.evt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
File=D:\\SysEvent.evt
- Mark
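An added example, not part of the original tip: a Python check that reads a regedit export of the EventLog keys and reports any of the three logs whose File value is missing or still on a protected volume. The sample export is constructed, the function names are hypothetical, and C: is assumed to be the EWF-protected volume.

```python
import re

LOGS = ("Application", "Security", "System")  # the three keys named in the tip
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet"
                    r"\\Services\\EventLog\\(\w+)\]$", re.I)
# Constructed sample of a regedit export (not taken from a real device).
# Security is REG_EXPAND_SZ, which regedit writes as hex(2) UTF-16LE bytes.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"File"="D:\\AppEvent.evt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"File"=hex(2):44,00,3a,00,5c,00,53,00,65,00,63,00,45,00,76,00,65,00,6e,00,\
  74,00,2e,00,65,00,76,00,74,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"File"="C:\\WINDOWS\\system32\\config\\SysEvent.Evt"
"""

def decode_value(raw):
    """Decode a .reg value: quoted string (REG_SZ) or hex(2) (REG_EXPAND_SZ)."""
    raw = raw.strip()
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return None

def log_paths(reg_text):
    """Return {log name: File path} for the EventLog keys in a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    paths, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m or line.startswith("["):  # subkeys and other keys reset the context
            current = m.group(1).capitalize() if m else None
        elif current and line.lower().startswith('"file"='):
            paths[current] = decode_value(line.split("=", 1)[1])
    return paths

def audit(reg_text, protected=("C:",)):
    """Return logs whose File is unset, not a drive path, or on a protected volume."""
    paths = log_paths(reg_text)
    return [n for n in LOGS
            if not re.match(r"[A-Za-z]:\\", paths.get(n) or "")
            or paths[n][:2].upper() in protected]

print(audit(SAMPLE))
```

Paths that begin with an environment variable, such as one under %SystemRoot%, are reported too, on the assumption that they resolve to the protected system volume.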
I don't ordinarily just copy stuff that someone else sends me into my blog, but this is an exception.