Tip of the Day: Moving Event Viewer logs to an unprotected volume
This tip is applicable to Enhanced Write Filter (EWF-RAM) users. To move Event Viewer logs to a volume unprotected by EWF, modify the following three registry keys as shown in the following example. The example uses drive D as the unprotected volume.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
File=D:\\AppEvent.evt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
File=D:\\SecEvent.evt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
File=D:\\SysEvent.evt
- Mark