
Is it possible to access the Windows event log if the system is unbootable?

If an installation of Windows is unbootable, is it possible to access the event log from a Linux LiveCD?

Asked by: Guest | Views: 271
Total answers/comments: 2
Guest [Entry]

"It is possible if you are running Vista or newer. The event log data is now written to an XML file in %SystemRoot%\System32\winevt\Logs\.

Previous versions of Windows wrote the log in an undocumented binary format. This web page tries to describe that format.

GrokEVT, which is mentioned on that page, is a collection of scripts built for reading Windows NT/2000/XP/2003 event log files. GrokEVT is released under the GNU GPL, and is implemented in Python.

The default locations of the logs are:

%SystemRoot%\System32\Config\SysEvent.Evt (System Log)
%SystemRoot%\System32\Config\AppEvent.Evt (Application log)
%SystemRoot%\System32\Config\SecEvent.Evt (Security Log)"
Guest [Entry]

"I have a situation where I have a pile of HDDs that have been removed from various machines during upgrades. Not knowing what they came out of, accessing the system log in the location listed above allowed me to access the domain name and user access of that drive.

%drive letter%:\Windows\System32\winevt\Logs"
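
For a drive of unknown origin mounted from a Linux LiveCD, a file's header shows whether it is a legacy `.Evt` log or a Vista-and-later `.evtx` log, and whether it was closed cleanly. The following is an added example, not code from either answer or from GrokEVT; it assumes the publicly described header layouts of the two formats, and the sample headers are constructed.

```python
import struct
import zlib

# Legacy .Evt header (ELF_LOGFILE_HEADER): twelve little-endian DWORDs, 0x30 bytes.
EVT_HEADER = struct.Struct("<12I")
EVT_SIGNATURE = 0x654C664C  # bytes "LfLe" on disk
EVT_FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}
# .evtx file header: 8-byte magic, three QWORDs, then size/version/chunk fields.
EVTX_MAGIC = b"ElfFile\x00"
EVTX_FIELDS = struct.Struct("<QQQIHHHH")  # begins at offset 8
EVTX_FLAGS = {0x1: "DIRTY", 0x2: "FULL"}

def _names(value, table):
    """Translate a flag bitmask into the list of flag names that are set."""
    return [name for bit, name in table.items() if value & bit]

def identify_event_log(data: bytes) -> dict:
    """Classify the leading bytes of a file as legacy EVT, EVTX, or unknown."""
    if data[:8] == EVTX_MAGIC and len(data) >= 128:
        _first, _last, next_record, _size, minor, major, _blk, chunks = \
            EVTX_FIELDS.unpack_from(data, 8)
        flags, checksum = struct.unpack_from("<II", data, 120)
        return {"format": "evtx", "version": f"{major}.{minor}",
                "chunks": chunks, "next_record_id": next_record,
                "flags": _names(flags, EVTX_FLAGS),
                # The stored CRC32 covers the first 120 bytes of the header.
                "header_crc_ok": zlib.crc32(data[:120]) == checksum}
    if len(data) >= EVT_HEADER.size:
        (size, sig, major, minor, _start, _end, current, oldest,
         _max_size, flags, _retention, end_size) = EVT_HEADER.unpack_from(data)
        # Header size is stored at both ends of the header; both must be 0x30.
        if size == 0x30 and sig == EVT_SIGNATURE and end_size == 0x30:
            return {"format": "evt", "version": f"{major}.{minor}",
                    "oldest_record": oldest, "next_record": current,
                    "flags": _names(flags, EVT_FLAGS)}
    return {"format": "unknown"}

# Constructed sample headers (not taken from real systems).
SAMPLE_EVT = EVT_HEADER.pack(0x30, EVT_SIGNATURE, 1, 1, 0x30, 0x1F40, 58, 1,
                             0x80000, 0x1, 604800, 0x30)
_evtx_body = (EVTX_MAGIC + EVTX_FIELDS.pack(0, 2, 345, 128, 1, 3, 4096, 3)).ljust(120, b"\x00")
SAMPLE_EVTX = _evtx_body + struct.pack("<II", 0x1, zlib.crc32(_evtx_body))

if __name__ == "__main__":
    for label, blob in (("SysEvent.Evt", SAMPLE_EVT), ("System.evtx", SAMPLE_EVTX)):
        print(label, identify_event_log(blob))
```

On a real drive, pass the first 128 bytes of each file under the log directories named in the answers. A `DIRTY` flag is expected on a system that crashed or lost power, and means the header's record counters may lag behind what is actually in the file.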