Partager via


Changing the Location of the Event Log

5/10/2007

To improve the performance of EWF on a system that uses an event log, you can relocate the event log to an alternate partition that is not EWF-protected. This requires at least two partitions: one partition that EWF protects, and another partition that is writeable.

To change the location of the event log

  1. To change the location of an event log to an unprotected volume, you must update the registry of the run-time image. Modify the following three registry keys, and change the event log to an unprotected volume.

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\

    Value Name: File

    Type: REG_EXPAND_SZ

    Value: <volume name and path>\AppEvent.evt

     

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\

    Name: File

    Type: REG_EXPAND_SZ

    Value: <volume name and path>\SecEvent.evt

     

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\

    Name: File

    Type: REG_EXPAND_SZ

    Value: <volume name and path>\SysEvent.evt

  2. In the Value field, change the path of the event file to a non-protected volume.

For more information about how to add this registry key to your configuration, see Adding Registry Data to a Configuration in Windows XP Embedded Studio Help.

  1. To change the location of an event log to an unprotected volume, you must update the registry of the run-time image. Modify the following three registry keys, and change the event log to an unprotected volume.

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\

    Value Name: File

    Type: REG_EXPAND_SZ

    Value: <volume name and path>\AppEvent.evt

     

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\

    Name: File

    Type: REG_EXPAND_SZ

    Value: <volume name and path>\SecEvent.evt

     

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\

    Name: File

    Type: REG_EXPAND_SZ

    Value: <volume name and path>\SysEvent.evt

  2. In the Value field, change the path of the event file to a non-protected volume.

For more information about how to add this registry key to your configuration, see Adding Registry Data to a Configuration in Windows XP Embedded Studio Help.

See Also

Other Resources

EWF Performance Considerations
EWF Design Considerations