Windows event log access

Windows Setup Log Files and Event Logs

Windows® Setup creates log files for all actions that occur during installation. If you are experiencing problems installing Windows, consult the log files to troubleshoot the installation.

Windows Setup log files are available in the following directories:

Log location before Setup can access the drive.

Log location when Setup rolls back in the event of a fatal error.

Log location of Setup actions after disk configuration.

Used to log Plug and Play device installations.

Location of memory dump from bug checks.

Location of log minidumps from bug checks.

Location of Sysprep logs.

Windows Setup Event Logs

Windows Setup includes the ability to review the Windows Setup performance events in the Windows Event Log viewer. This makes it easier to review the actions that occurred during Windows Setup and the performance statistics for its different parts, and you can filter the log to view only the items you are interested in. The Windows Setup performance events are saved in a log file named Setup.etl, which is available in the %WINDIR%\Panther directory of all installations. To view the logs, you must use the Event Viewer included with the Windows media that corresponds to the version of the customized image that you are building.

To view the logs on a computer that does not include the corresponding kit, you must run the script from the root of the media that installs the Event Trace for Windows (ETW) provider. Run it from the command line, substituting the drive letter of the Windows DVD media for D.

To view the Windows Setup event logs

Start the Event Viewer, expand the Windows Logs node, and then click System.

In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By default, this file is available in the %WINDIR%\Panther directory.

The log file contents appear in the Event Viewer.

To Export the log to a file

From the command line, use the Wevtutil or Tracerpt commands to save the log to an .xml or text file. Both tools accept the .etl file as input; for the available options, see each tool's command-line help.
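As an added example (not from the original page), the following PowerShell reads Setup.etl in place, summarizes it, and then exports it with both tools named above. The default %WINDIR%\Panther location and the C:\SetupLogs output folder are assumptions; point $SetupEtl at an offline image's Panther folder if that is where the trace lives.

```powershell
# Added example, not from the original page: read Setup.etl directly and export it with the
# two tools named above. The default %WINDIR%\Panther location and the C:\SetupLogs output
# folder are assumptions; point $SetupEtl at an offline image's Panther folder if needed.
$SetupEtl = Join-Path $env:WINDIR 'Panther\setup.etl'
$OutDir   = 'C:\SetupLogs'

if (-not (Test-Path $SetupEtl)) { throw "Setup trace not found: $SetupEtl" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Read the trace in place. .etl files must be read oldest-first (-Oldest). Without the
#    registered ETW provider (the script on the media) Message stays empty, but Id,
#    ProviderName and TimeCreated still let you reconstruct the timeline.
$events = @(Get-WinEvent -Path $SetupEtl -Oldest)
'{0} events, {1:u} to {2:u}' -f $events.Count, $events[0].TimeCreated, $events[-1].TimeCreated

# 2. Where did Setup spend its events? The noisiest provider/ID pairs point at the phase to inspect.
$events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 3. Export. wevtutil: /lf:true treats the path as a log file rather than a channel name,
#    /f:xml selects XML output. tracerpt: -l input trace, -of output format, -o output file,
#    -y overwrite without prompting.
& wevtutil qe $SetupEtl /lf:true /f:xml | Set-Content -Path (Join-Path $OutDir 'setup.xml') -Encoding UTF8
& tracerpt -l $SetupEtl -of CSV -o (Join-Path $OutDir 'setup.csv') -y
```

The XML export is what you would hand to a parser or SIEM; the CSV is convenient for sorting by timestamp in a spreadsheet when hunting for the step that failed.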

Event Logging Security

The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the "manage auditing and security log" user right). For more information, see Privileges.

Only the Local Security Authority (Lsass.exe) has write permission for the Security log. No other account can request this privilege. To write an event to the Security log, use the AuthzReportSecurityEvent function.

Access to the Application log, the System log, and custom logs is restricted. The system grants access based on the access rights granted to the account under which the thread is running. The following table shows which types of access are required by the event logging functions.

Access right                 Description
ELF_LOGFILE_READ (0x0001)    Required by OpenBackupEventLog and OpenEventLog.
ELF_LOGFILE_WRITE (0x0002)   Required by RegisterEventSource.
ELF_LOGFILE_CLEAR (0x0004)   Required by ClearEventLog.

Use the CustomSD registry value to configure the security of the Application log, the System log, and custom logs. For more information, see Eventlog Key.

Windows XP/2000: The following table describes the access rights granted for each account on each log.

Log          Account                    Read   Write   Clear
Application  Administrators (system)    X      X       X
             Administrators (domain)    X      X       X
             LocalSystem                X      X       X
             Interactive user           X      X
System       Administrators (system)    X      X       X
             Administrators (domain)    X              X
             LocalSystem                X      X       X
             Interactive user           X
Custom       Administrators (system)    X      X       X
             Administrators (domain)    X      X       X
             LocalSystem                X      X       X
             Interactive user           X      X

To grant read access to members of the Guests group, set the following registry value to 0 (the default, 1, restricts guest access), where Log is the name of the log, for example Application:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Log\RestrictGuestAccess

Windows Event Logs — Event Log FAQ

What is Windows event log?

Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log. Users might find the details in event logs helpful when troubleshooting problems with Windows and other programs.

Unlike UNIX syslog, the Windows event log is not a text file and cannot be read with a plain text editor. It is a binary file made up of structured records, the Windows events.

Microsoft Windows runs Event Log Service to manage event logs, configure event publishing, and perform operations on the logs. Windows Event Log service exposes a special API, which allows applications to maintain and manage event logs.

Windows event logging was introduced with Windows NT 3.1 in 1993, which shipped with three logs: the Application, System and Security event logs. Modern versions of Windows ship with well over a hundred event logs, and third-party applications can register their own event logs alongside them.

How to view event logs?

You can view eventlogs using Event Viewer (comes with Windows operating system) or third-party Windows event viewers. We recommend using our Event Log Explorer software – it provides a lot of advanced features for event log management.

What is Windows Event Log Service?

The Windows Event Log service is the Windows service that manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata, and it can render events as XML or plain text. The service is enabled and starts automatically by default. Do not stop or disable it: while the Windows Event Log service is down nothing is recorded, which compromises both the security and the reliability of the system.

What are Windows event log files?

The Windows Event Log service lets users save (back up) event logs to files. Windows NT, 2000 and XP/2003 save event logs in EVT format; Windows Vista/2008 and later save them in EVTX format. Backed-up event log files are essential for incident investigation.

The event logs themselves are also files, but on a running system they are held open by the Event Log service, so they cannot simply be opened in place. If the computer is booted from another disk, or the system drive of the machine under analysis is attached to another computer, the logs can be read as ordinary files. The default location of the event logs on Vista/2008 and later is C:\Windows\System32\winevt\Logs\. Windows Event Viewer can open an event log file as follows:

Click Open Saved Log in Actions pane of Event Viewer.

Select your event log file and it will appear in Windows Event Viewer as a log.

Our Event Log Explorer software also works with event files and does it even better than Event Viewer, e.g. it lets you read even damaged event files.

What is Windows Application event log?

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. Program developers decide which events are logged; Microsoft SQL Server, for instance, logs important server events such as "out of memory" or "backup failure". One Application log commonly contains events from many different sources (applications), so it is incorrect to rely on the event ID alone when analyzing it: always use the event ID together with the event source. Some applications, such as Internet Explorer and PowerShell, create their own event log instead of using the Application log. Such logs look exactly like the standard Windows event logs, and Event Viewer (as well as Event Log Explorer) can read them. Application logs are mostly useful for application support teams.

What is Windows System event log?

The System log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by Windows. As with the Application log, the System log lists events from many different sources (system components), so do not rely on the event ID alone when analyzing it; use the event ID together with the event source. System logs are essential for system administrators and technicians.
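The point made for both logs above, filtering on source and ID together, and the earlier note that live log files are locked by the service, as an added PowerShell example that is not part of the original FAQ. 'Service Control Manager' ID 7045 (a service was installed) and 'Application Error' ID 1000 (an application crashed) are real provider/ID pairs; the export path C:\Forensics is an assumption.

```powershell
# Added example (not part of the original FAQ): query by event source (provider) and ID
# together, against the live log or an exported .evtx. 'Service Control Manager' ID 7045
# (a service was installed) and 'Application Error' ID 1000 (application crash) are real
# pairs; the export path C:\Forensics is an assumption.

function Get-EventsBySource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $ProviderName,
        [Parameter(Mandatory)][int[]]    $Id,
        [string]   $LogName = 'System',   # live channel to query ...
        [string]   $Path,                 # ... or a saved .evtx/.evt/.etl file instead
        [datetime] $StartTime
    )
    # Provider + ID is the key: the same ID number from another provider means something else.
    $filter = @{ ProviderName = $ProviderName; Id = $Id }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = $LogName }
    if ($PSBoundParameters.ContainsKey('StartTime')) { $filter.StartTime = $StartTime }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, ProviderName, MachineName,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # Get-WinEvent reports an empty result as an error rather than returning nothing.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# Live System log: services installed in the last 7 days (a standard persistence check).
Get-EventsBySource -ProviderName 'Service Control Manager' -Id 7045 -StartTime (Get-Date).AddDays(-7)

# The files under winevt\Logs are held open by the Event Log service, so take a clean copy
# with wevtutil epl (export-log) rather than copying the file, then query the copy offline.
$Export = 'C:\Forensics\System.evtx'
New-Item -ItemType Directory -Path (Split-Path $Export) -Force | Out-Null
& wevtutil epl System $Export
Get-EventsBySource -ProviderName 'Service Control Manager' -Id 7045 -Path $Export

# Same numeric ID, different source: unrelated to service installs, which is why the FAQ says
# to filter on source and ID together.
Get-EventsBySource -LogName 'Application' -ProviderName 'Application Error' -Id 1000 |
    Select-Object -First 5
```

Reading the Security log this way requires the "manage auditing and security log" right described earlier on this page; the function itself does not change, only the account running it.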

How to set event log security locally or by using Group Policy

You can customize the security access rights to event logs in Windows Server 2012. These settings can be configured locally or through Group Policy. This article describes both methods.

Original product version: Windows Server 2012 Standard, Windows Server 2012 Datacenter
Original KB number: 323076

Summary

You can grant users one or more of the following access rights to event logs: Read, Write, and Clear.

You can configure the security log in the same way. However, you can change only Read and Clear access permissions. Write access to the security log is reserved only for the Windows Local Security Authority (LSA).

You can use an Administrative Template Policy for the purpose. The path for the System Eventlog, for example, is:

Computer Configuration\Administrative Templates\Windows Components\Event log Service\System

The setting is Configure log access, and it takes the same Security Descriptor Definition Language (SDDL) string.

Microsoft suggests moving to this method once you are on Windows Server 2012.

Configure event log security locally

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

The security of each log is configured locally through the values in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog .

For example, the Application log Security Descriptor is configured through the following registry value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

And the System log Security Descriptor is configured through HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD .

The Security Descriptor for each log is specified by using SDDL syntax. For more information about SDDL syntax, see the Platform SDK, or see the article mentioned in the References section of this article.

To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string: 1 = Read, 2 = Write, 4 = Clear (so 0x3 is Read and Write, 0x5 is Read and Clear, and 0x7 is all three).

The following is the default SDDL string for the Application log; the access rights are the hexadecimal value in the third field of each ACE:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

For example, the first ACE denies Anonymous Users read, write, and clear access to the log. The sixth ACE permits Interactive Users to read and write to the log.
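The following PowerShell is an added example, not part of the KB article or of the "Event Logging Security" section above; it serves both passages. It decodes an event-log CustomSD string into per-account Read/Write/Clear rights, audits every log under the legacy Eventlog key (CustomSD and the RestrictGuestAccess value described earlier), and shows how a corrected descriptor would be applied with the registry method. The SID aliases come from the SDDL specification; the audit rules (who may Clear, who must get nothing) are this example's own policy choices, and the extra "Authenticated Users may read" ACE is illustrative.

```powershell
# Added example, not part of the KB article: decode an event-log CustomSD string into
# per-account Read/Write/Clear rights, audit the local logs, and apply a corrected descriptor.
# The SID aliases are from the SDDL specification; the audit rules are this example's own policy.

$EventLogRights = @{ Read = 0x1; Write = 0x2; Clear = 0x4 }   # the three event-log bits
$SidAlias = @{
    AN = 'Anonymous'; BG = 'Guests'; BA = 'Administrators'; SY = 'LocalSystem'
    SO = 'Server Operators'; IU = 'Interactive Users'; LS = 'Local Service'
    NS = 'Network Service'; BO = 'Backup Operators'; SU = 'Service'
    AU = 'Authenticated Users'; WD = 'Everyone'
}

function ConvertFrom-EventLogSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee). Event-log descriptors
    # carry hex rights and no SACL; a non-hex rights field is reported with Mask = $null.
    $dacl = ($Sddl -split 'D:', 2)[1]
    if (-not $dacl) { throw "No DACL found in '$Sddl'" }
    foreach ($m in [regex]::Matches($dacl, '\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)')) {
        $rights  = $m.Groups[3].Value
        $mask    = if ($rights -match '^0x[0-9a-f]+$') { [int]$rights } else { $null }
        $trustee = $m.Groups[6].Value
        $type    = switch ($m.Groups[1].Value) { 'A' { 'Allow' } 'D' { 'Deny' } default { $_ } }
        [pscustomobject]@{
            Type    = $type
            Trustee = if ($SidAlias.ContainsKey($trustee)) { $SidAlias[$trustee] } else { $trustee }
            Sid     = $trustee
            Mask    = $mask
            Read    = ($null -ne $mask) -and (($mask -band $EventLogRights.Read)  -ne 0)
            Write   = ($null -ne $mask) -and (($mask -band $EventLogRights.Write) -ne 0)
            Clear   = ($null -ne $mask) -and (($mask -band $EventLogRights.Clear) -ne 0)
        }
    }
}

function Test-EventLogSddl {
    param([Parameter(Mandatory)][string]$LogName, [Parameter(Mandatory)][string]$Sddl)
    # Policy (example): only Administrators, LocalSystem and Server Operators may Clear
    # (clearing is the classic anti-forensics move); Anonymous, Guests and Everyone get nothing.
    $findings = @()
    foreach ($a in (ConvertFrom-EventLogSddl $Sddl | Where-Object { $_.Type -eq 'Allow' })) {
        $granted = @('Read', 'Write', 'Clear') | Where-Object { $a.$_ }
        if ($a.Clear -and ($a.Sid -notin @('BA', 'SY', 'SO'))) {
            $findings += "${LogName}: '$($a.Trustee)' may clear the log"
        }
        if (($a.Sid -in @('AN', 'BG', 'WD')) -and $granted) {
            $findings += "${LogName}: '$($a.Trustee)' is allowed $($granted -join '/')"
        }
    }
    $findings
}

# The KB's default Application descriptor, decoded, then used as a control (no findings expected).
$KbDefault = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)' +
             '(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)'
ConvertFrom-EventLogSddl $KbDefault | Format-Table Type, Trustee, Read, Write, Clear -AutoSize
Test-EventLogSddl -LogName 'Application (default)' -Sddl $KbDefault

# Audit every log under the legacy Eventlog key: a CustomSD override, and the RestrictGuestAccess
# value described earlier on this page (1, the default, keeps guests out).
$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
foreach ($log in Get-ChildItem $EventLogKey) {
    $props = Get-ItemProperty $log.PSPath
    if ($props.CustomSD) { Test-EventLogSddl -LogName $log.PSChildName -Sddl $props.CustomSD }
    if ($props.RestrictGuestAccess -eq 0) { "$($log.PSChildName): RestrictGuestAccess is 0 (guests may read)" }
}

# Applying a descriptor with the KB's registry method: here the default plus Read for
# Authenticated Users (illustrative). Refuse anything that fails the audit. The value is read
# when the Event Log service starts, so restart it or reboot afterwards; on Server 2012 and
# later prefer the "Configure log access" policy, which takes the same string.
$NewSd = $KbDefault + '(A;;0x1;;;AU)'
if (Test-EventLogSddl -LogName 'Application' -Sddl $NewSd) { throw 'Descriptor fails the audit; not applied' }
Set-ItemProperty -Path "$EventLogKey\Application" -Name CustomSD -Value $NewSd -Type String
```

Decoding the default string reproduces the KB's reading of it: the first two ACEs deny Anonymous and Guests everything, and Interactive Users (0x3) get Read and Write but not Clear. The audit loop is the part worth scheduling: a CustomSD that quietly grants Clear to a broad group is exactly what an intruder would plant to make later log wiping look legitimate.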

Modify your local policy to permit customization of the security of your event logs

Back up the %WinDir%\Inf\Sceregvl.inf file to a known location.

Open %WinDir%\Inf\Sceregvl.inf in Notepad.

Scroll to the middle of the file, and then put the pointer immediately before [Strings].

Insert the following lines:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysLogSD%,2

Scroll to the end of the file, and then insert the following lines:

AppLogSD="Event log: Specify the security of the application log in Security Descriptor Definition Language (SDDL) syntax"
SysLogSD="Event log: Specify the security of the System log in Security Descriptor Definition Language (SDDL) syntax"

Save and then close the file.

Select Start, select Run, type regsvr32 scecli.dll in the Open box, and then press ENTER.

In the DllRegisterServer in scecli.dll succeeded dialog box, select OK.

Use the computer’s local group policy to set your application and system log security

  1. Select Start, select Run, type gpedit.msc, and then select OK.
  2. In the Group Policy editor, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
  3. Double-click Event log: Application log SDDL, type the SDDL string that you want for the log security, and then select OK.
  4. Double-click Event log: System log SDDL, type the SDDL string that you want for the log security, and then select OK.

Use group policy to set your application and system log security for a domain, site, or organizational unit in Active Directory

To view the group policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the Use group policy to set your application and system log security section:

Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf folder.

Add the following lines to the [Register Registry Values] section:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

Add the following lines to the [Strings] section:

AppCustomSD="Eventlog: Security descriptor for Application event log"
SecCustomSD="Eventlog: Security descriptor for Security event log"
SysCustomSD="Eventlog: Security descriptor for System event log"
DSCustomSD="Eventlog: Security descriptor for Directory Service event log"
DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"
FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command.

Start Gpedit.msc, and then double-click the following branches to expand them:

Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options

View the right panel to find the new Eventlog settings.

Use group policy to set your application and system log security

  1. In the Active Directory Sites and Services snap-in or the Active Directory Users and Computers snap-in, right-click the object for which you want to set the policy, and then select Properties.
  2. Select the Group Policy tab.
  3. If you must create a new policy, select New, and then define the policy's name. Otherwise, go to step 4.
  4. Select the policy that you want, and then select Edit. The Group Policy editor appears.
  5. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Security Options.
  6. Double-click Event log: Application log SDDL, type the SDDL string that you want for the log security, and then select OK.
  7. Double-click Event log: System log SDDL, type the SDDL string that you want for the log security, and then select OK.

References

For more information about SDDL syntax and about how to construct an SDDL string, see Security Descriptor String Format.
