FAQ: The Eventlog of Windows

Copyright © 1997-2007 Frank Heyne - All rights reserved - Last update: 05. February 2007

If you want to put this page on your own web server, please refrain from doing so and use a link instead. The reason is simple: I don't want old copies with old versions of the FAQ lying around on the web.


A: General eventlog questions

  1. How do I disable the Print log?
  2. Is there a problem with NT 3.51/4 recording of logon / logout events?
  3. When I change the maximum size of a log, how big will it grow?
  4. Why does Windows refuse to add entries to my half empty log? (10. Oct 2006)
  5. Does CrashOnAuditFail have any influence if the system or application log is getting full?
  6. Why is the end of a process logged with a timestamp earlier than the beginning of it? (01. Oct 2002)
  7. Where does security event 642 with user anonymous come from? (10. Nov 1999)
  8. I get a lot of event log IDs 528, 538 (users logging on and off). (19. Mar 2001)
  9. Are there any known bugs with the Security event logging? (19. Apr 2001)
  10. Are there any known bugs with the Print event logging? (10. Aug 1999)
  11. Why are old events in my logs, though I selected "overwrite after 7 days"?
  12. It seems that certain successful logons generate double entries in the log. (19. Apr 2001)
  13. Why can only admins log on to my machine?
  14. Who can access the Security log? (20. Aug 1998)
  15. Any ideas to stop domain users from viewing event logs on a server? (01. Oct 2002)
  16. Is it possible to use the eventlog to log Security events to another server, in real time? (03. Aug 2000)
  17. Is it possible to have different Audit policies on BDCs and the PDC of a domain? (27. Jan 2003)
  18. Are there any books dedicated to Windows NT Event Logging? (28. Oct 1998)
  19. I'd like to use a Perl Script instead of EventSave. (30. Nov 1998)
  20. Is it possible to merge for instance all failed logon events of the domain into one eventlog file? (01. Oct 2002)
  21. What can I do to shut off the log generation process? In many cases I don't need them anyway.
  22. Some of my event logs show the time of the events with an offset of one hour (10. Nov 1999)
  23. Event 627 shows that NT AUTHORITY\ANONYMOUS is trying to change a user's password (10. Nov 1999)
  24. I can't figure out why the occasional week shows a "hole" (no events recorded) (02. Aug 2000)
  25. I am accused of a license violation, but did nothing illegal! (02. Aug 2000)
  26. Is there software that allows a person to make deletions to individual log entries? (19. Mar 2001)
  27. Why should I rename the admin account? (19. Mar 2001)
  28. How do I save an eventlog file into an ASCII file? (01. Oct 2002)
  29. Does NT log remote interactive logons? (19. Apr 2001)
  30. Is there any way that you can find out how full (percentage) an eventlog is using API calls? (22. Dec 2001)
  31. Where can I obtain a complete list of Windows Event Identifiers? (02. Jan 2002)
  32. I'm an administrator on an NT WAN, with several users with admin rights (02. Jan 2002)
  33. My security logs are filled with failed logon events 529 for account MACHINE$, one every few seconds (02. Jan 2002)
  34. Why are no events 592 and 593 logged when a 16 bit application is run? (02. Jan 2002)
  35. What do I need to audit when I want to log only the changing of file permissions? (02. Jan 2002)
  36. Are there problems with auditing of the Registry root keys? (15. May 2006)
  37. Which events will be logged during local logon and logoff? (18. Dec 2006)
  38. What does, for instance, the Logon ID (0x0,0x3E5) mean? (18. Dec 2006)
  39. Did, with the new event log from Windows Vista, all problems inherent to earlier versions go away? (05. Feb 2007)

B: EventSave questions

  1. I want to run Eventsave in a scheduled job and direct all the output into a text file (19. Mar 2001)
  2. I can't for the life of me figure out how to call EventSave using the AT command.
  3. Will EventSave ever overwrite events it saved during its last run?
  4. Is it possible to save logs to a remote path, and does that location need to be mapped first? (10. Aug 1999)
  5. Is it possible to save logs of different machines into different directories? (19. Aug 2002)
  6. I was wondering if you have a version of EventSave for the Alpha based NT servers (19. Mar 2001)
  7. EventSave moves all events of a month into the same file, but I need to run some of the Report Event Tools for daily reports (02. Aug 2000)
  8. I cannot seem to read the outputted files with Notepad (01. Oct 2002)
  9. What is the -ANSI switch good for? (19. Aug 2002)
  10. How do I need to configure the Firewall of Windows XP SP2 for EventSave? (21. Feb 2005)
  11. Is there an option available, for example with EventSave+, that would compress the resulting file when it is extracted? (21. Feb 2005)
  12. Is there a way to tell EventSave to use file names like Computer_Eventlog_Year_Month.evt? (15. May 2006)
  13. Why should I never use EventSave to save and delete events from a Windows Vista machine? (05. Feb 2007)

C: Elwiz questions

  1. There are some current eventlogs missing in the eventlog tree, though the machines in question are up and running (22. Dec 2001)
  2. I want filters on things I want to see, NOT what I don't want to see. (22. Dec 2001)
  3. Elwiz has the eventlog table option "Add Item to Watcher Filter Rules", why does it not have a "Remove ..." option? (22. Dec 2001)
  4. We have 2 domain admins with 2 different accounts and we would like those event notices to be sent to two different Workstations.
  5. Does Elwiz work across domains?
  6. Why does Elwiz in "Client Info | Misc" for Windows 2000 machines not show the hard disk usage? (03. Aug 2000)
  7. Why do I need to provide the names of the domains when I want to register Elwiz or Report Event? (03. Aug 2000)
  8. I want to watch machines in different domains with Elwiz (03. Aug 2000)
  9. We want to view logs on machines with disabled admin shares (03. Aug 2000)
  10. May the EventWatcher service run under the System account? (02. Jan 2002)

D: Report Event tools questions

  1. Unfortunately when I run a Report Event tool, the following appears...
  2. How does the installation of the Shareware version of a Report Event tool work? (03. Aug 2000)
  3. I would like to show the output of R528 on a web page, how can I do this?
  4. Do the tools allow me to scan event logs in multiple domains from one server? (03. Sep 1998)
  5. Does print event 10 report the correct number of pages, even if the print job was canceled? (03. Sep 1998)
  6. The Shareware version of R528 does not seem to work (19. Mar 2001)
  7. Is there a way to de-merge a large file created by MER? (19. Aug 2002)
  8. There is a new version of EventSave+ adapted to Windows Vista, why are there no such versions of EventCopy and ECA? (05. Feb 2007)
