Changing the Location of the Event Log

  • Article

To improve the performance of EWF on a system that uses an event log, you can relocate the event log to an alternate partition that is not EWF-protected. This requires at least two partitions: one partition that EWF protects, and another partition that is writeable.

To change the location of the event log

  1. To change the location of an event log to an unprotected volume, you must update the registry of the run-time image. Modify the following three registry keys, and change the event log to an unprotected volume.

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\
    Value Name: File
    Type: REG_EXPAND_SZ
    Value: <volume name and path>\AppEvent.evt

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\
    Name: File
    Type: REG_EXPAND_SZ
    Value: <volume name and path>\SecEvent.evt

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\
    Name: File
    Type: REG_EXPAND_SZ
    Value: <volume name and path>\SysEvent.evt

  2. In the Value field, change the path of the event file to a non-protected volume.

For more information about how to add this registry key to your configuration, see Adding Registry Data to a Configuration in Windows XP Embedded Studio Help.

See Also

EWF Performance Considerations | EWF Design Considerations

Last updated on Wednesday, October 18, 2006

© 2006 Microsoft Corporation. All rights reserved.