Changing the Location of the Event Log
To improve the performance of EWF on a system that uses an event log, you can relocate the event log to an alternate partition that is not EWF-protected. This requires at least two partitions: one partition that EWF protects, and another partition that is writeable.
To change the location of the event log
To change the location of an event log to an unprotected volume, you must update the registry of the run-time image. Modify the following three registry keys, and change the event log to an unprotected volume.
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\
Value Name: File
Value: <volume name and path>\AppEvent.evt
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\
Value: <volume name and path>\SecEvent.evt
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\
Value: <volume name and path>\SysEvent.evt
In the Value field, change the path of the event file to a non-protected volume.
For more information about how to add this registry key to your configuration, see Adding Registry Data to a Configuration in Windows XP Embedded Studio Help.
Last updated on Wednesday, October 18, 2006
© 2006 Microsoft Corporation. All rights reserved.