The event-logging service uses the information stored in the EventLog registry key. The EventLog key (shown in the following example) contains several subkeys, called logfiles. Logfile registry information is used to locate resources that the event logging service needs when an application writes to and reads from the event log. The default logfiles are Application, Security, and System. The structure is as follows:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
EventLog
Application
Security
System
Applications and services use the Application logfile. Device drivers use the System logfile. Windows NT will generate success and failure audit events in the Security log when auditing is turned on. For more information about auditing security events, see the documentation for the Windows NT User Manager.