Log File Registry Entries

[This is preliminary documentation and subject to change.]

The Windows NT Event Log service maintains a section in the Windows NT registry for each log file that it creates. The log file section contains four values and appears under the following hierarchy of keys:

HKEY_LOCAL_MACHINE
  SYSTEM
    CurrentControlSet
      Services
        Eventlog
          <name of logfile>

The four values are described in the following table:

Value	Type	Description
File	REG_SZ_EXPAND	Path to the log file. This value can include environment variables.
MaxSize	REG_DWORD	Log file's maximum size in bytes. This value must be between 64 KB and 419,240 KB and can only be incremented in 64 KB chunks.
Retention	REG_DWORD	Overwrite policy of the log file.
Sources	REG_MULTI_SZ	List of event sources registered for the log file.

The Retention value can be set to:

0, indicating that any entry can be overwritten when necessary.
1-365, indicating that events that have been in the log file for one year or less can be overwritten.
4294967295, indicating that nothing can be overwritten.

If the log file becomes full and no events are old enough to be overwritten, the log file must be cleared manually; otherwise, new events are discarded until an event becomes old enough to be overwritten.