Best practice for viewing Windows XP and Windows Server 2003 event logs by using Windows Vista
Source: Microsoft Support
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
When you use Windows Vista Event Viewer to examine logfiles collected on earlier clients such as Windows XP or Windows Server 2003, those events are in a wrong order and the sources are missing. This occurs because the new design of the Windows Vista event formats. Vista uses the new evtx format that introduces several new event objects that do not match earlier resource dlls.
To view earlier event logs under Vista, you will need at least Windows XP or Windows Server 2003 clients as resource. To read the log files in the format that was used, follow these steps:
1. Register legacy Event Viewer snap-in (els.dll) from XP or Windows Server 2003:
Note After registration, the MMC Add and Remove Snap-ins list shows the Classic Event Viewer option.
a. Open mmc.exe.
b. Locate Add and Remove Snap-ins, and then add Classic Event Viewer to the console root.
c. Click New Window from Here, and then save as ClassicEventViewer.msc.
2. Convert the earlier .evt files to .evtx format. To do this, follow these steps:
a. Use the Vista built-in tool wevtutil.exe. set wevtutil epl eventlog.evt eventlog.evtx /lf:true.
Note: wevtutil is located in windows\system32 directory.
b. Rename the .evtx to .evt by using the following command:
rename eventlog.evtx eventlog-x.evt.
3. Start Classic Event Viewer with the following command:
mmc /a ClassicEventViewer.msc /auxsource=\\computername
Note: The /auxsource name is given UNC format: /auxsource=\\computername (!), not as documented /auxsource=computername.
You should be able to see XP-style formatted events after you follow these steps.
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.
Article ID: 967856 - Last Review: 02/12/2009 16:20:37 - Revision: 1.1
- kbnomt kbrapidpub KB967856