Reading a File Saved with the Event Viewer of Another Computer

This article was previously published under Q165959
This article has been archived. It is offered "as is" and will no longer be updated.
The Event Viewer enables the user to save the event logs in a binary filewith the EVT extension. Such a file can be opened with the Event Viewer onany other computer running the same version of Windows NT.

Even though the Event Viewer is able to load such a file, it needs themessages DLLs for each component described in the source of the events.

For example, assume that computer A is running Windows NT 4.0 and a servicecalled "aservice". On this computer, save the system event logs under thefile System_A.evt. Now assume that computer B is also running Windows NT4.0. The service "aservice" has not been installed on computer B.

On computer B, you open the file System_A.evt with the Event Viewer. If youdouble-click a message with the source set to "aservice," you get thefollowing error:
The description for Event ID (xxx) in Source (aservice) could not be found. It contains the following insertion string(s): ...
Follow the steps in the next section to read the event logs of computer Awhile on computer B without having to install the components of computer Aonto computer B.
The EVT files include the event log messages as they are stored by thesystem. Each message is composed of an ID (that is, the message itself) anda number of insertion strings. The IDs are translated into strings throughthe use of messages DLLs.

All the application event logs messages DLLs are defined under thefollowing registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ Application

All the system event logs messages DLLs are defined under the followingregistry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ System

For example, the TCP/IP service's message DLL is defined under thefollowing registry entry:
Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ System\TcpIp Value = EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\ netevent.d

Therefore, all the TCP/IP event log messages are defined in the DLLnetevent.dll.

When the user double-clicks an event for which the message DLL is notdefined in the registry, the message string cannot be displayed and thefollowing message is displayed:
The description for Event ID (51) in Source (aservice) could not be found. It contains the following insertion string(s): ...
Below is a description of a way to read the system event logs of a computerwith WINS on a computer without WINS. This sample can be adapted for anyapplication or system component.

WARNING: Using Registry Editor incorrectly can cause serious, system-wideproblems that may require you to reinstall Windows NT to correct them.Microsoft cannot guarantee that any problems resulting from the use ofRegistry Editor can be solved. Use this tool at your own risk.

The following operations are required:
  1. On the computer with WINS, run REGEDIT and select the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ System\Wi
  2. On the Registry menu, click Export Registry File and select a file name (for example, Winsreg.reg).
  3. On the computer without WINS (for example, the one used to read the system event logs of the computer with WINS), run REGEDIT. On the Registry menu, click Import Registry File and select the file Winsreg.reg previously saved on the other computer.
  4. You should now have the following registry entry on the target computer (that is, the one without WINS):
    Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ EventLog\System\Wins Value = EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\ winsevnt.d

    You now need to copy the file defined in the EventMessageFile registry value in your System32 directory. If X: is mapped to \\wins_server\admins$, you can run the following command:
    copy x:\System32\winsevnt.dll %SystemRoot%\System32\winsevnt.dll
    Of course, the file may be copied somewhere else, but in this case you need to edit the EventMessageFile registry value manually so that it points to the directory with the DLL.
  5. Close all the instances of the Event Viewer and rerun the Event Viewer. You should now be able to dump all the WINS events.

Article ID: 165959 - Last Review: 12/04/2015 16:40:27 - Revision: 1.1

Microsoft Windows NT Server 4.0 Standard Edition, Microsoft Windows NT Workstation 4.0 Developer Edition

  • kbnosurvey kbarchive kbhowto kbnetwork KB165959