windows event log files, maybe we can reduce a few things

  • windows event log files, maybe we can reduce a few things

    Reducing some files and hoping to reduce unnecessary Windows OS activity for older, slower machines.
    Before disabling the "Windows Event Log" service, I had these files open in the directory "\windows\system32\winevt\logs" on a Windows 7 machine, held in an open state by the Windows OS.
    I have long since removed or disabled many services, like "Windows Defender", which was removed.
    Code:
    Directory of C:\Windows\System32\winevt\Logs
    
    11/20/2018  10:09 PM    <DIR>          .
    11/20/2018  10:09 PM    <DIR>          ..
    11/20/2018  10:06 PM            69,632 Application.evtx
    11/20/2018  10:06 PM            69,632 HardwareEvents.evtx
    11/20/2018  10:06 PM            69,632 IEURLLock.evtx
    11/20/2018  10:06 PM            69,632 Internet Explorer.evtx
    11/20/2018  10:06 PM            69,632 Key Management Service.evtx
    06/28/2018  04:32 AM            69,632 Media Center.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-API-Tracing%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-AppID%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application Server-Applications%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application Server-Applications%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Inventory.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-AppLocker%4EXE and DLL.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-AppLocker%4MSI and Script.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Audio%4CaptureMonitor.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Audio%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Authentication User Interface%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Backup.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-BitLocker-DrivePreparationTool%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-BitLocker-DrivePreparationTool%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Bits-Client%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Bluetooth-MTPEnum%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-BranchCache%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-BranchCacheSMB%4Operational.evtx
    11/20/2018  10:05 PM            69,632 Microsoft-Windows-CAPI2%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-CodeIntegrity%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DateTimeControlPanel%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DeviceSync%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Dhcp-Client%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DhcpNap%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-PCW%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-PLA%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnostics-Networking%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DiskDiagnostic%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-EapHost%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-EventCollector%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Fault-Tolerant-Heap%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-FMS%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Folder Redirection%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Forwarding%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-GroupPolicy%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Help%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-HomeGroup Listener Service%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-HomeGroup Provider Service%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-IKE%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-International%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-International-RegionalOptionsControlPanel%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Iphlpsvc%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Kernel-WDI%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Kernel-WHEA%4Errors.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Kernel-WHEA%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Known Folders API Service.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-LanguagePackSetup%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-MCT%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-MUI%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-MUI%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NCSI%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NetworkAccessProtection%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NetworkAccessProtection%4WHC.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NetworkLocationWizard%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NetworkProfile%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NlaSvc%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-NTLM%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-OfflineFiles%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-ParentalControls%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-PeopleNearMe%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-PowerShell%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-PrintService%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-ReadyBoost%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-ReadyBoostDriver%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Recovery%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-RemoteApp and Desktop Connections%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-RemoteAssistance%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-RemoteAssistance%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
    11/20/2018  10:06 PM            69,632 microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-RestartManager%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Security-Audit-Configuration-Client%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-SMBServer%4Audit.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-SMBServer%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-ClientUSBDevices%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-ClientUSBDevices%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
    11/20/2018  10:08 PM            69,632 Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-PnPDevices%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-PnPDevices%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-ServerUSBDevices%4Admin.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TerminalServices-ServerUSBDevices%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-TZUtil%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-UAC%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx
    11/20/2018  10:08 PM            69,632 Microsoft-Windows-User Profile Service%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-VDRVROOT%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-VHDMP%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WER-Diag%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WFP%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Windows Defender%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Windows Defender%4WHC.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Winlogon%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WinRM%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-Wired-AutoConfig%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WPD-ClassInstaller%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WPD-CompositeClassDriver%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Microsoft-Windows-WPD-MTPClassDriver%4Operational.evtx
    11/20/2018  10:06 PM            69,632 Security.evtx
    11/20/2018  10:06 PM            69,632 Setup.evtx
    11/20/2018  10:06 PM            69,632 System.evtx
    11/20/2018  10:06 PM            69,632 Windows PowerShell.evtx
                 143 File(s)      9,957,376 bytes
    I disabled the "Windows Event Log" service, rebooted, deleted the .evt and .evtx files in "\windows\system32\winevt\logs", then set the "Windows Event Log" service back to Automatic. Then I rebooted a second time, and here is the listing of the file directory with all evt files in an open state after the second boot.

    Code:
    Directory of C:\Windows\System32\winevt\Logs
    11/20/2018  10:14 PM            69,632 Application.evtx
    11/20/2018  10:14 PM            69,632 HardwareEvents.evtx
    11/20/2018  10:14 PM            69,632 Internet Explorer.evtx
    11/20/2018  10:14 PM            69,632 Key Management Service.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-CodeIntegrity%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Kernel-WHEA%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-NCSI%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-User Profile Service%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Winlogon%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-Kernel-WHEA%4Errors.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-GroupPolicy%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-NetworkAccessProtection%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Microsoft-Windows-NetworkProfile%4Operational.evtx
    11/20/2018  10:14 PM            69,632 Security.evtx
    11/20/2018  10:14 PM            69,632 System.evtx
    11/20/2018  10:14 PM            69,632 Windows PowerShell.evtx
                  22 File(s)      1,531,904 bytes
    p purvis

  • #2
    As a forensicator (and previously a PC support guy) I would hate to lose the Event Logs... evidential and troubleshooting gold mine.
    George W. Bleck

    • #3
      George, I understand, but it looks like whichever services build logs, the logs are created.
      It would be nice to be able to reduce the event logs too, by removing log items that are unnecessary to me.
      I am only interested in failures, and mostly what I have been able to use comes in the form of a failure.
      It would be nice to have fast machines too, but we don't have a lot of that.
      p purvis
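The approach in #1 (stop the service, delete every .evtx) and the wish in #3 (drop only the log items you don't need) can be reconciled per channel. The following PowerShell is an added example, not code from the thread: it keeps the channels worth having for troubleshooting and evidence, disables only diagnostic channels, and caps the size of the rest; the keep and disable lists are this example's own choice, the channel names are read off the listing above with %4 taken as /, and it assumes wevtutil and Get-WinEvent, both standard on Windows 7 and later.

```powershell
# Added example, not from the thread: trim event logging per channel instead of
# stopping the Windows Event Log service and deleting every .evtx. Channels a
# troubleshooter or forensic examiner relies on are kept, chatty diagnostic
# channels are disabled, everything else is capped in size. Run elevated.
# The keep/disable lists are this example's own choice; names come from the
# listing above (a "%4" in a file name is "/" in the channel name).
[CmdletBinding()]
param([switch]$Apply)   # without -Apply the script only reports what it would do

$Keep = @(
    'Application', 'Security', 'System', 'Setup', 'Windows PowerShell',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-CodeIntegrity/Operational',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-WinRM/Operational'
)
# Channel-name prefixes judged safe to silence on a single slow workstation.
$DisablePrefixes = @(
    'Microsoft-Windows-Diagnosis-', 'Microsoft-Windows-Diagnostics-',
    'Microsoft-Windows-ReadyBoost', 'Microsoft-Windows-Resource-',
    'Microsoft-Windows-Application-Experience/'
)
$CapBytes = 1MB   # size cap applied to every other enabled channel

$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled }

foreach ($log in $logs) {
    $name = $log.LogName
    if ($Keep -contains $name) {
        # Show how much each kept channel actually holds before calling it "overhead".
        '{0,-70} keep    ({1} records, {2} KB on disk)' -f $name, $log.RecordCount, [int]($log.FileSize / 1KB)
        continue
    }
    if ($DisablePrefixes | Where-Object { $name.StartsWith($_) }) {
        '{0,-70} disable' -f $name
        if ($Apply) { wevtutil sl "$name" /e:false }
    }
    elseif ($log.MaximumSizeInBytes -gt $CapBytes) {
        '{0,-70} cap to {1} bytes' -f $name, $CapBytes
        if ($Apply) { wevtutil sl "$name" "/ms:$CapBytes" }
    }
}
```

Run it once without -Apply to review the plan, then with -Apply; the Security, System and Application channels are never touched, so the evidence George refers to stays on the machine.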
