Logfiles

The event-logging service uses the information stored in the EventLog registry key. The EventLog key (shown in the following example) contains several subkeys, called logfiles. The event-logging service uses logfile registry information to locate the resources it needs when an application writes to and reads from the event log. The default logfiles are Application, Security, and System. The structure is as follows:

HKEY_LOCAL_MACHINE
    SYSTEM
        CurrentControlSet
            Services
                EventLog
                    Application
                    Security
                    System

Applications and services use the Application logfile. Device drivers use the System logfile. Windows NT will generate success and failure audit events in the Security log when auditing is turned on. For more information about auditing security events, see the documentation for the Windows NT User Manager.
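
The EventLog key layout described above can be audited by enumerating its logfile subkeys and flagging any that are not one of the three defaults. The following PowerShell is an added example, not code from the original documentation. It assumes an elevated session, and it reads two things this page does not describe: the File value of each logfile key and the event-source subkeys registered beneath it. The function name Get-EventLogfileKey is hypothetical.

```powershell
# Added example: list the logfile subkeys under the EventLog registry key.
# Assumes an elevated session; the Security key is usually not readable otherwise.

function Get-EventLogfileKey {
    param(
        [string]   $Root     = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
        [string[]] $Defaults = @('Application', 'Security', 'System')
    )

    foreach ($key in Get-ChildItem -LiteralPath $Root) {
        $name = $key.PSChildName

        # Subkeys of a logfile key are the event sources registered to that log
        # (not described on this page). Access errors are ignored so one
        # unreadable key does not stop the audit.
        $sources = @(Get-ChildItem -LiteralPath $key.PSPath -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Logfile   = $name
            IsDefault = $Defaults -contains $name
            # File holds the path of the log on disk (not described on this page);
            # it is read unexpanded so the stored string is shown as written.
            File      = $key.GetValue('File', $null, 'DoNotExpandEnvironmentNames')
            Sources   = $sources.Count
        }
    }
}

# Non-default logfiles sort first so additions to the default set stand out.
Get-EventLogfileKey | Sort-Object IsDefault, Logfile | Format-Table -AutoSize
```

A logfile whose IsDefault column is False was added after installation by an application or service; comparing the output against a known-good baseline shows when a logfile appears or its File path changes.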