#1
Event Viewer?
Once in a while I'll notice the Event Viewer logs seem to automatically get cleared out and start afresh. Has anyone else had that happen?

Specifically, there might be a month or so of dated entries, and then on a rare occasion after rebooting, there may "magically" be only a day's worth or so of entries showing up in Event Viewer. It's like almost all of the previous day entries were truncated. (I do not have that option selected in Event Viewer.)
#2
Bill in Co wrote:
> Once in a while I'll notice the Event Viewer logs seem to automatically get cleared out and start afresh. Has anyone else had that happen?
>
> Specifically, there might be a month or so of dated entries, and then on a rare occasion after rebooting, there may "magically" be only a day's worth or so of entries showing up in Event Viewer. It's like almost all of the previous day entries were truncated. (I do not have that option selected in Event Viewer.)

C:\WINDOWS\system32\config

AppEvent.Evt   524,288 bytes   Created: January 15, 2009, 4:08:40 PM
Internet.evt    65,536 bytes
SecEvent.Evt    65,536 bytes
SysEvent.Evt   524,288 bytes   Created: January 15, 2009, 4:08:40 PM

A casual look inside, they look like circular buffers (FIFO). Pointers would need to be kept somewhere, for location of head and tail. I can tell they are circular, because one event starts near the end of the file, and the rest of it seems to be at the start of the file.

I suspect the two small ones never had anything written in them.

Each entry probably takes a few bytes, and isn't very compact. I'm guessing probably room for 2000 or so entries, in the 512KB space.

My Application stretches from 6/23/2012 to 6/13/2013
My System stretches from 5/13/2013 to 6/13/2013

The "Properties" for each type has a setting for delete policy. But that doesn't seem to align with the above dates in any meaningful way. Maybe if I had a runaway event thing, it would be different? The properties set the max file size at 512KB.

I wonder if your file got corrupted, and the log started over? Is your creation date "old" or "recent"? Mine looks like it could be from install time, but I don't have any records as to when that might have been.

Paul
#3
Paul wrote:
> Bill in Co wrote:
>> Once in a while I'll notice the Event Viewer logs seem to automatically get cleared out and start afresh. Has anyone else had that happen?
>>
>> Specifically, there might be a month or so of dated entries, and then on a rare occasion after rebooting, there may "magically" be only a day's worth or so of entries showing up in Event Viewer. It's like almost all of the previous day entries were truncated. (I do not have that option selected in Event Viewer.)
>
> C:\WINDOWS\system32\config
>
> AppEvent.Evt   524,288 bytes   Created: January 15, 2009, 4:08:40 PM
> Internet.evt    65,536 bytes
> SecEvent.Evt    65,536 bytes
> SysEvent.Evt   524,288 bytes   Created: January 15, 2009, 4:08:40 PM
>
> A casual look inside, they look like circular buffers (FIFO). Pointers would need to be kept somewhere, for location of head and tail. I can tell they are circular, because one event starts near the end of the file, and the rest of it seems to be at the start of the file.
>
> I suspect the two small ones never had anything written in them.
>
> Each entry probably takes a few bytes, and isn't very compact. I'm guessing probably room for 2000 or so entries, in the 512KB space.
>
> My Application stretches from 6/23/2012 to 6/13/2013
> My System stretches from 5/13/2013 to 6/13/2013
>
> The "Properties" for each type has a setting for delete policy. But that doesn't seem to align with the above dates in any meaningful way. Maybe if I had a runaway event thing, it would be different? The properties set the max file size at 512KB.
>
> I wonder if your file got corrupted, and the log started over? Is your creation date "old" or "recent"? Mine looks like it could be from install time, but I don't have any records as to when that might have been.
>
> Paul

Creation dates are old. File sizes are the same as yours, except that only the Internet.evt one is 64K in my case.

I tried looking at them in Notepad, but boy it's not easy to make much sense of it, due to all the non-text stuff. :-) I'm wondering if you had a better "editor" to examine it.

I'm thinking maybe it somehow got corrupted and started over. The security one is the only one that had older date entries left in it (a few days' worth).

At any rate, just to play it safe, I'm gonna restore the previous image backup, of a couple of days ago, which I think was ok in that regard. (I generally remake an image backup of C: every few days, but keep a select few older ones around just in case.)

Thanks, Paul.
#4
Bill in Co wrote:
> Paul wrote:
>> Bill in Co wrote:
>>> Once in a while I'll notice the Event Viewer logs seem to automatically get cleared out and start afresh. Has anyone else had that happen?
>>>
>>> Specifically, there might be a month or so of dated entries, and then on a rare occasion after rebooting, there may "magically" be only a day's worth or so of entries showing up in Event Viewer. It's like almost all of the previous day entries were truncated. (I do not have that option selected in Event Viewer.)
>>
>> C:\WINDOWS\system32\config
>>
>> AppEvent.Evt   524,288 bytes   Created: January 15, 2009, 4:08:40 PM
>> Internet.evt    65,536 bytes
>> SecEvent.Evt    65,536 bytes
>> SysEvent.Evt   524,288 bytes   Created: January 15, 2009, 4:08:40 PM
>>
>> A casual look inside, they look like circular buffers (FIFO). Pointers would need to be kept somewhere, for location of head and tail. I can tell they are circular, because one event starts near the end of the file, and the rest of it seems to be at the start of the file.
>>
>> I suspect the two small ones never had anything written in them.
>>
>> Each entry probably takes a few bytes, and isn't very compact. I'm guessing probably room for 2000 or so entries, in the 512KB space.
>>
>> My Application stretches from 6/23/2012 to 6/13/2013
>> My System stretches from 5/13/2013 to 6/13/2013
>>
>> The "Properties" for each type has a setting for delete policy. But that doesn't seem to align with the above dates in any meaningful way. Maybe if I had a runaway event thing, it would be different? The properties set the max file size at 512KB.
>>
>> I wonder if your file got corrupted, and the log started over? Is your creation date "old" or "recent"? Mine looks like it could be from install time, but I don't have any records as to when that might have been.
>>
>> Paul
>
> Creation dates are old. File sizes are the same as yours, except that only the Internet.evt one is 64K in my case.
>
> I tried looking at them in Notepad, but boy it's not easy to make much sense of it, due to all the non-text stuff. :-) I'm wondering if you had a better "editor" to examine it.
>
> I'm thinking maybe it somehow got corrupted and started over. The security one is the only one that had older date entries left in it (a few days' worth).
>
> At any rate, just to play it safe, I'm gonna restore the previous image backup, of a couple of days ago, which I think was ok in that regard. (I generally remake an image backup of C: every few days, but keep a select few older ones around just in case.)
>
> Thanks, Paul.

I use both a hex editor and WordPad, frequently at the same time, to probe binary files like that. I could see a recurring string, which I considered to be a record delimiter. Sometimes (but not always), WordPad makes it easier to read some of the text.

If I had to, I could try the "strings" program from Sysinternals. I didn't bother with that this time. I don't know if "strings" handles 16-bit Unicode strings properly or not. The description here does mention Unicode, so if you have the time to waste, run one of those .evt files through that.

http://technet.microsoft.com/en-us/s...rnals/bb897439

The "strings" program is a standard part of Unix and Linux, and I've spent many happy hours using it on other platforms in the past. At least, before the Unicode era came along.

Paul
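
Added example, not written by any poster in this thread: a Python reader for the head/tail pointers discussed in post #2 and the recurring record marker mentioned in post #4, using the header layout Microsoft documents for legacy .evt files (ELF_LOGFILE_HEADER, signature "LfLe"). The sample log is constructed in `build_sample`, the dictionary key names are this example's own, and resuming a wrapped record directly after the 48-byte header is an assumption of the example.

```python
import struct
from datetime import datetime, timezone

SIG = b"LfLe"                  # signature in the file header and in every record
HDR = struct.Struct("<12I")    # ELF_LOGFILE_HEADER: twelve little-endian DWORDs
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}

def parse_header(buf):
    """Return the head/tail offsets and record counters kept in the header."""
    f = HDR.unpack_from(buf, 0)
    if f[0] != 0x30 or f[11] != 0x30 or buf[4:8] != SIG:
        raise ValueError("not a legacy .evt header")
    keys = ("start_offset", "end_offset", "next_record", "oldest_record", "max_size")
    hdr = dict(zip(keys, f[4:9]))
    hdr["flags"] = [name for bit, name in FLAGS.items() if f[9] & bit]
    return hdr

def carve_records(buf):
    """Locate records by signature; rejoin the one that wraps past end of file."""
    found, pos = [], buf.find(SIG, HDR.size)
    while pos != -1:
        off = pos - 4                          # Length DWORD precedes the signature
        (length,) = struct.unpack_from("<I", buf, off)
        if 56 <= length <= len(buf):           # 56 = fixed part of EVENTLOGRECORD
            raw = buf[off:off + length]
            wrapped = len(raw) < length
            if wrapped:                        # assumed: tail resumes after header
                raw += buf[HDR.size:HDR.size + length - len(raw)]
            if raw[-4:] == raw[:4]:            # trailing copy of Length must match
                num, generated = struct.unpack_from("<2I", raw, 8)
                when = datetime.fromtimestamp(generated, timezone.utc)
                found.append((num, when.isoformat(), wrapped))
        pos = buf.find(SIG, pos + 4)
    return sorted(found)

def build_sample():
    """Constructed 256-byte log: records 8-10, the newest split across the wrap."""
    def rec(num, ts):                          # 64-byte record with empty payload
        return struct.pack("<I4s3I", 64, SIG, num, ts, ts) + bytes(40) + struct.pack("<I", 64)
    hdr = HDR.pack(0x30, 0x654C664C, 1, 1, 96, 80, 11, 8, 256, 0x2, 604800, 0x30)
    ring = bytearray(208)                      # ring area = file bytes 48..255
    ring[48:176] = rec(8, 1371081600) + rec(9, 1371085200)
    newest = rec(10, 1371088800)
    ring[176:208], ring[0:32] = newest[:32], newest[32:]
    return bytes(hdr + ring)

if __name__ == "__main__":
    sample = build_sample()
    print(parse_header(sample), *carve_records(sample), sep="\n")
```

Comparing the header's oldest and next record numbers and its WRAP flag with the record numbers actually carved from the file shows how much history a log still holds and whether old entries were overwritten by wrapping.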