Is there an exhaustive list of what Windows logs or can log?
Centralized Log Locations
%WINDIR%\System32\config
or %WINDIR%\System32\winevt\Logs
Contain most of the event logs accessible from the Event Viewer.
%WINDIR%\Logs
Contains a lot of textual log files.
Microsoft Security Essentials
%PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support
Runtime Logs
%PROGRAMDATA%\Microsoft\Microsoft Security Client\Support
Installation Logs
Temporary Installation and Windows Defender Logs
%WINDIR%\Temp\*.log
Contains information about MSI installations as well as for Windows Defender starting / scanning.
%AppData%\Local\Temp\*.log
Contains information about MSI installations run in the context of the current user.
Windows Installation Logs
%AppData%\Local\Microsoft\Websetup
(Windows 8)
Contains details about the web setup phase of Windows 8.
%AppData%\setupapi.log
(Windows XP and earlier)
Contains information about device and driver changes and important system changes, like installation of service packs and hotfixes.
%SYSTEMROOT%\$Windows.~BT\Sources\Panther\*.log,xml
Contains information about setup actions, errors, structure, SIDs and early setup devices. When the installation is rolled back, these files will contain rollback information.
%WINDIR%\PANTHER\*.log,xml
Contains information about setup actions, errors, structure, SIDs and later setup devices.
%WINDIR%\INF\setupapi.dev.log
Contains information about Plug and Play devices and driver installations.
%WINDIR%\INF\setupapi.app.log
Contains information about the installations of applications.
%WINDIR%\Performance\Winsat\winsat.log
Contains performance test results.
Windows Time Service
To enable logging of the Windows Time Service:
w32tm /debug /enable /file:"C:\time-service.log" /entries:1000 /size:10485760
To disable logging of the Windows Time Service run:
w32tm /debug /disable
Windows Update
%WINDIR%\WindowsUpdate.log
Contains all events related to Windows Update.
%WINDIR%\SoftwareDistribution\ReportingEvents.log
Contains events related to software update status reports.
Deployment Image Service and Management Tool (DISM)
%WINDIR%\Logs\DISM\dism.log
Contains information about events that happen when interacting with the Windows image.
Component-Based Servicing (CBS)
%WINDIR%\Logs\CBS\CBS.log
Contains information about events that happen when interacting with Windows components and features.
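During triage it helps to know which of the locations listed in the answer above actually exist on a given host, how much they hold, and when they were last written. The PowerShell function below is an added example, not part of the original answer: the patterns are copied from the answer, while the function name, the output columns and the .evt/.evtx file filters are choices made for this sketch. Locations that are absent are reported rather than skipped, and unreadable files are silently ignored, so run it elevated for complete results.

```powershell
# Added example. Patterns come from the answer above; the .evt/.evtx filters,
# the function name and the output columns are choices made for this sketch.
function Get-LogLocationInventory {
    [CmdletBinding()]
    param(
        [string[]]$Pattern = @(
            '%WINDIR%\System32\config\*.evt'
            '%WINDIR%\System32\winevt\Logs\*.evtx'
            '%WINDIR%\Logs\*'
            '%PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support\*'
            '%PROGRAMDATA%\Microsoft\Microsoft Security Client\Support\*'
            '%WINDIR%\Temp\*.log'
            '%AppData%\Local\Temp\*.log'
            '%SYSTEMROOT%\$Windows.~BT\Sources\Panther\*.log,xml'
            '%WINDIR%\PANTHER\*.log,xml'
            '%WINDIR%\INF\setupapi.dev.log'
            '%WINDIR%\INF\setupapi.app.log'
            '%WINDIR%\Performance\Winsat\winsat.log'
            '%WINDIR%\WindowsUpdate.log'
            '%WINDIR%\SoftwareDistribution\ReportingEvents.log'
            '%WINDIR%\Logs\DISM\dism.log'
            '%WINDIR%\Logs\CBS\CBS.log'
        )
    )
    foreach ($p in $Pattern) {
        # The answer writes "*.log,xml" for "*.log and *.xml"; split it into two globs.
        $globs = if ($p -match '^(.*\\\*\.)([^\\]+,[^\\]+)$') {
            $prefix = $Matches[1]
            $Matches[2] -split ',' | ForEach-Object { $prefix + $_ }
        } else { $p }
        # Expand %VAR% references, then collect matching files (hidden ones included).
        $files = @(foreach ($g in $globs) {
            $path = [Environment]::ExpandEnvironmentVariables($g)
            Get-ChildItem -Path $path -File -Force -ErrorAction SilentlyContinue
        })
        $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Pattern = $p
            Found   = $files.Count -gt 0
            Files   = $files.Count
            SizeKB  = [math]::Round([double](($files | Measure-Object Length -Sum).Sum) / 1KB, 1)
            Newest  = if ($newest) { $newest.LastWriteTime } else { $null }
        }
    }
}

Get-LogLocationInventory | Format-Table -AutoSize
```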
Tamara Wijsman
Updated on September 18, 2022
Comments
-
Tamara Wijsman over 1 year
I know that there is the event log, but that's not where it stops. There are logs for MSI executables, device logs, setup and installation, performance logs, and so on. It's probably quite a long list; however, where can I find such an exhaustive list of what Windows logs?
By preference it would be handy to have a list that goes further than just what's on by default; as to know what each logger does, which ones are not on by default, which ones can('t) be turned off, ...
Do you know of any such list? Anyone up for building such a list?
-
MDMoore313 almost 11 years
In addition to any answer, one can use PowerShell to write their own events to the event log, so any created script or in-house Windows application can write to the event log. It's important to remember that 'Windows' is not doing the logging in most cases, but it's up to the individual application to log its own events.
-
-
Tamara Wijsman almost 12 years
+1 We could build up such a list because I doubt if one exists.
-
CJM almost 12 years
@TomWijsman - Substitute 'impossible' for 'Unlikely, difficult to be comprehensive'. And Windows Server is part of the Windows family you included in your tags.
-
Tamara Wijsman over 11 years
Agreed, although getting together a basic list should already be a good start to have the most trivial logs to look at. Most likely when you're using something very specific, like on Windows Server, you'll have the event log or more specific logs to look at; which is most likely mentioned in documentation.
-
Ƭᴇcʜιᴇ007 almost 11 years
Welcome! How about some expansion on your answer? How does this help answer the question? Why would someone run it? How is this not just the standard Event log stuff?