Change the Location of the Event Log (Standard 7 SP1)

7/8/2014

To improve the performance of Enhanced Write Filter (EWF) on a system that uses an event log, you can relocate the event log to an alternative partition that is not EWF-protected. Event log writes are frequent, and on an EWF-protected volume every write lands in the overlay and consumes overlay space; with a RAM overlay those writes are also discarded at restart, so event records are lost unless the overlay is committed. Relocating the logs to a writable partition avoids both problems. This requires at least two partitions: one partition that EWF protects, and another partition that is writable.

To change the location of the event log

  1. Update the registry of the run-time image so that each of the three event logs points at an unprotected volume. The File value under each of the following three keys holds the path of that log's file. Because the registry hives themselves reside on the EWF-protected volume, make this change before you enable EWF, or commit the overlay afterwards (for example, ewfmgr C: -commit) so that the change survives a restart.

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\

    Value Name: File

    Type: REG_EXPAND_SZ

    Value: <Volume Name and Path>\AppEvent.evt

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\

    Value Name: File

    Type: REG_EXPAND_SZ

    Value: <Volume Name and Path>\SecEvent.evt

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\

    Value Name: File

    Type: REG_EXPAND_SZ

    Value: <Volume Name and Path>\SysEvent.evt

  2. In the Value field of each key, change the path of the event file to a directory on the nonprotected volume (for example, D:\Logs\AppEvent.evt, where D: is the writable partition). The directory must exist before the Event Log service starts, and its NTFS permissions should be at least as restrictive as those of the default log directory, because the Security log must not be readable or writable by standard users. The new location takes effect the next time the Event Log service starts, typically after a restart.
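The following script is an added example, not part of the original page or of any Microsoft tool; it carries out both steps above on a running Standard 7 SP1 image. It assumes that D: is the writable, non-EWF-protected volume, that D:\EventLogs is the directory you have chosen for the log files, and that it is run from an elevated PowerShell prompt. The icacls grant list (SYSTEM, Administrators and the Event Log service SID) is the editor's choice of a restrictive ACL, not something the page prescribes.

```powershell
# Added example (not from the original page): relocate the three classic event
# logs to a writable, non-EWF-protected volume on a Standard 7 SP1 image.
# Assumptions: D: is the unprotected volume, D:\EventLogs is the target
# directory, and the script runs elevated. Run it BEFORE enabling EWF, or
# commit the overlay afterwards (ewfmgr C: -commit), because the registry
# hives themselves live on the protected volume.

$LogDir = 'D:\EventLogs'   # assumption: writable volume, not EWF-protected

# The three logs the page lists, keyed by their EventLog subkey name.
$Logs = @{
    'Application' = 'AppEvent.evt'
    'Security'    = 'SecEvent.evt'
    'System'      = 'SysEvent.evt'
}

# 1. Create the target directory and lock it down: only SYSTEM, Administrators
#    and the Event Log service SID may touch the files. The Security log in
#    particular must not be readable by ordinary users.
if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -Path $LogDir -ItemType Directory | Out-Null
}
& icacls.exe $LogDir /inheritance:r `
    /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'NT SERVICE\EventLog:(OI)(CI)F' | Out-Null

# 2. Point each log's File value at the new location. The page specifies
#    REG_EXPAND_SZ, so %-style environment variables would also be honoured.
foreach ($Name in $Logs.Keys) {
    $Key  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Name"
    $File = Join-Path -Path $LogDir -ChildPath $Logs[$Name]
    Set-ItemProperty -Path $Key -Name 'File' -Value $File -Type ExpandString
}

# 3. Read every value back and flag any that still points at the system
#    (EWF-protected) volume, e.g. because a Set-ItemProperty call failed.
foreach ($Name in $Logs.Keys) {
    $Key   = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Name"
    $Value = (Get-ItemProperty -Path $Key -Name 'File').File
    $OnSystemVolume = $Value.ToUpper().StartsWith($env:SystemDrive.ToUpper())
    $Status = if ($OnSystemVolume) { '<-- still on the protected volume' } else { 'ok' }
    '{0,-12} {1}  {2}' -f $Name, $Value, $Status
}

# The new paths are used when the Event Log service next starts, i.e. after a
# restart. If EWF is already enabled, commit the overlay first:  ewfmgr C: -commit
```

Run the script once, check that all three lines of the read-back report say "ok", commit the overlay if EWF is already enabled, and restart. After the restart the .evt files appear in D:\EventLogs and further event writes no longer touch the protected volume.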

See Also

Other Resources

EWF Performance Considerations
EWF Design Considerations