Reading a File Saved with the Event Viewer of Another Computer

 Last reviewed: July 24, 1997
Article ID: Q165959
The information in this article applies to:
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Workstation version 4.0

SUMMARY

The Event Viewer enables the user to save the event logs in a binary file with the EVT extension. Such a file can be opened with the Event Viewer on any other computer running the same version of Windows NT.

Even though the Event Viewer is able to load such a file, it needs the messages DLLs for each component described in the source of the events.

For example, assume that computer A is running Windows NT 4.0 and a service called "aservice". On this computer, save the system event logs under the file System_A.evt. Now assume that computer B is also running Windows NT 4.0. The service "aservice" has not been installed on computer B.

On computer B, you open the file System_A.evt with the Event Viewer. If you double-click a message with the source set to "aservice," you get the following error: 

   The description for Event ID (xxx) in Source (aservice) could not be
   found. It contains the following insertion string(s): ...
Follow the steps in the next section to read the event logs of computer A while on computer B without having to install the components of computer A onto computer B.

MORE INFORMATION

The EVT files include the event log messages as they are stored by the system. Each message is composed of an ID (that is, the message itself) and a number of insertion strings. The IDs are translated into strings through the use of messages DLLs.

All the application event logs messages DLLs are defined under the following registry keys: 

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
   Application
All the system event logs messages DLLs are defined under the following registry keys: 

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
   System
For example, the TCP/IP service's message DLL is defined under the following registry entry: 

   Key   = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
           System\TcpIp
   Value = EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\
           netevent.dll
Therefore, all the TCP/IP event log messages are defined in the DLL netevent.dll.

When the user double-clicks an event for which the message DLL is not defined in the registry, the message string cannot be displayed and the following message is displayed: 

   The description for Event ID (51) in Source (aservice) could not be
   found. It contains the following insertion string(s): ...
Below is a description of a way to read the system event logs of a computer with WINS on a computer without WINS. This sample can be adapted for any application or system component.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

The following operations are required:

  1. On the computer with WINS, run REGEDIT and select the following registry key: 

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
      System\Wins

  2. On the Registry menu, click Export Registry File and select a file name (for example, Winsreg.reg).

  3. On the computer without WINS (for example, the one used to read the system event logs of the computer with WINS), run REGEDIT. On the Registry menu, click Import Registry File and select the file Winsreg.reg previously saved on the other computer.

  4. You should now have the following registry entry on the target computer (that is, the one without WINS): 

          Key   = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
              EventLog\System\Wins
      Value = EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\
              winsevnt.dll

   You now need to copy the file defined in the EventMessageFile registry
   value in your System32 directory. If X: is mapped to
   \\wins_server\admins$, you can run the following command:

      copy x:\System32\winsevnt.dll %SystemRoot%\System32\winsevnt.dll

   Of course, the file may be copied somewhere else, but in this case you
   need to edit the EventMessageFile registry value manually so that it
   points to the directory with the DLL.

  5. Close all the instances of the Event Viewer and rerun the Event Viewer. You should now be able to dump all the WINS events.

Keywords : kbnetwork NTSrvWkst
Version : 4.0
Platform : WinNT
Issue type : kbhowto

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: July 24, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.