Log File Registry Entries

[This is preliminary documentation and subject to change.]

The Windows NT Event Log service maintains a section in the Windows NT registry for each log file that it creates. The log file section contains four values and appears under the following hierarchy of keys:

HKEY_LOCAL_MACHINE
  SYSTEM
    CurrentControlSet
      Services
        Eventlog
          <name of logfile>

The four values are described in the following table:

Value      Type           Description
File       REG_EXPAND_SZ  Path to the log file. This value can include environment variables.
MaxSize    REG_DWORD      Log file's maximum size in bytes. This value must be between 64 KB and 419,240 KB and can only be incremented in 64 KB chunks.
Retention  REG_DWORD      Overwrite policy of the log file.
Sources    REG_MULTI_SZ   List of event sources registered for the log file.

The Retention value can be set to:

If the log file becomes full and no events are old enough to be overwritten, the log file must be cleared manually; otherwise, new events are discarded until an event becomes old enough to be overwritten.
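
An added example, not part of the original documentation: a PowerShell audit that reads the four values for every log under the Eventlog key and checks MaxSize against the 64 KB minimum and 64 KB granularity given in the table. The helper name ConvertTo-UInt32 and the output property names are assumptions made for this example; run it from an elevated prompt so that restricted log keys are readable.

```powershell
# Added example: report File, MaxSize, Retention and Sources for each log key.
$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# Hypothetical helper: the registry API returns REG_DWORD as a signed Int32,
# so reinterpret the same four bytes as an unsigned value.
function ConvertTo-UInt32 ($value) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$value), 0)
}

Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    $key       = $_    # Microsoft.Win32.RegistryKey for one log file section
    $rawFile   = $key.GetValue('File', $null, $noExpand)   # keep %VARIABLES% as stored
    $maxSize   = $key.GetValue('MaxSize', $null)
    $retention = $key.GetValue('Retention', $null)
    $sources   = $key.GetValue('Sources', @())

    $issues   = @()
    $expanded = $null
    if ($null -eq $rawFile) {
        $issues += 'File value missing'
    } else {
        # File may contain environment variables; resolve them before checking the path.
        $expanded = [Environment]::ExpandEnvironmentVariables($rawFile)
        if (-not (Test-Path -LiteralPath $expanded)) { $issues += 'log file not found' }
    }

    $maxBytes = $null
    if ($null -eq $maxSize) {
        $issues += 'MaxSize value missing'
    } else {
        $maxBytes = ConvertTo-UInt32 $maxSize
        if ($maxBytes -lt 64KB)       { $issues += 'MaxSize below 64 KB' }
        if ($maxBytes % 64KB -ne 0)   { $issues += 'MaxSize not a multiple of 64 KB' }
    }

    [pscustomobject]@{
        Log          = $key.PSChildName
        File         = $rawFile
        ExpandedFile = $expanded
        MaxSizeKB    = if ($null -ne $maxBytes) { $maxBytes / 1KB }
        Retention    = if ($null -ne $retention) { ConvertTo-UInt32 $retention }
        SourceCount  = @($sources).Count
        Issues       = $issues -join '; '
    }
} | Format-Table -AutoSize
```

Retention is reported as the raw unsigned DWORD; comparing it and MaxSize against a known-good baseline makes an unexpected change to a log's size or overwrite policy easy to spot.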