How To Access And View Event Logs In Windows Recovery Environment

Microsoft's documentation describes how to get into the Windows Recovery Environment (WinRE). To access and view the event logs we need the Command Prompt option, reached through the Troubleshoot > Advanced options menus in WinRE.

x:\windows\system32

Once opened you will notice the current working directory is X:\windows\system32. This volume contains the command-line tools available for the Windows Preinstallation Environment (Windows PE) and is not to be confused with C:\Windows\System32. In fact the C: volume as you know it may not be labelled as such: in this environment it may have been temporarily assigned another drive letter (usually C, D, or E) depending on the hardware setup.
To find out which drive letter it has, we can use the diskpart utility.

Diskpart utility

Diskpart is usually used for disk management from the command line; in this instance we just need it to determine the volume on which our Windows image resides.

Some basic diskpart commands you should know:
diskpart (opens the diskpart utility)
list disk (lists the disks, 0,1,2 etc.)
select disk <disknumber> (selects a disk)
list vol (lists volumes on the selected disk)
list part (lists partitions on the selected disk)
exit (exit diskpart utility)

After determining the volume containing your Windows image (Vol:2 Ltr:C in my example) you can exit diskpart.

The next step is to move the prompt from X: to C: (or whatever letter you require). Normal wisdom is to change directory with the CD command (e.g. cd c:\), but that will not work. Just the drive letter and a colon are required.
C: <press enter>

Now we can change directory to the path where the event logs are located.
cd C:\Windows\System32\winevt\Logs

Use the dir command to list all the files in the Logs directory.
Tip: I also use the switch /OD to list in chronological order; this will put the last log modified at the bottom of the list, making the list easier to read and saving on scrolling.
dir /OD

Event Logs .evtx

You will notice the logs have the file extension .evtx.
This is the Windows XML Event Log format, and more information regarding its specification can be found on GitHub.
To view these files we will use wevtutil. Full documentation on this utility can be found on the Microsoft wevtutil reference page.

A useful command to start with is:
wevtutil qe <file> /lf:true /f:text /rd:true | more
qe – query events
/lf – logfile (true because we are specifying a log file not a log name)
/f – format (options are text or xml)
/rd – direction (true puts most recent events first)
| more – piping through more enables you to scroll through the log manually.

wevtutil qe System.evtx /lf:true /f:text /rd:true | more

Navigate more with these commands:
Use <enter key> to advance line-by-line
Use <space bar> to advance by page
Use 's' then a number to advance by that number of lines
Use 'q' to exit more

Logs worth viewing in terms of diagnostic value:
System.evtx
Setup.evtx
Application.evtx
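As an added example (not part of the original post), the following batch script ties the steps above together for triage: it probes drive letters for the offline winevt\Logs folder instead of running diskpart by hand, then uses wevtutil's /q XPath filter and /c count (both documented switches not shown in the post) to print only the newest Critical and Error events from the three logs listed. The C: to H: letter range is an assumption; adjust it to your hardware.

```batch
@echo off
rem Added example, not from the original post. Run from the WinRE Command
rem Prompt (X:\windows\system32), where wevtutil.exe is available.
rem Assumption: the offline Windows install is on one of C: .. H:.
setlocal

set "WINVOL="
for %%D in (C D E F G H) do (
    if not defined WINVOL if exist "%%D:\Windows\System32\winevt\Logs\System.evtx" set "WINVOL=%%D:"
)
if not defined WINVOL (
    echo No offline Windows installation found on C: to H:. Check the volumes with diskpart.
    exit /b 1
)
echo Offline Windows volume: %WINVOL%
set "LOGDIR=%WINVOL%\Windows\System32\winevt\Logs"

rem Same three logs the post recommends, newest Critical/Error events only.
call :dump System
call :dump Setup
call :dump Application
endlocal
exit /b 0

:dump
rem /lf:true  - the argument is a log file, not a channel name
rem /f:text   - human-readable output instead of XML
rem /rd:true  - newest events first
rem /c:20     - stop after 20 events
rem /q:...    - XPath filter: Level 1 = Critical, Level 2 = Error
echo.
echo ===== %~1.evtx: newest Critical/Error events =====
wevtutil qe "%LOGDIR%\%~1.evtx" /lf:true /f:text /rd:true /c:20 /q:"*[System[(Level=1 or Level=2)]]" | more
exit /b 0
```

Save it to removable media (X: is a RAM disk that is discarded on reboot) and run it from the WinRE prompt; press q in more to move on to the next log.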
