Windows NT and Windows 2000 Security Log Settings


To change the location of the Windows NT or Windows 2000 Security event log, you
can use the Event Viewer to modify the registry indirectly, or apply the registry
hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: File
Type: REG_EXPAND_SZ
Value: %SystemRoot%\system32\config\SecEvent.Evt (default)

The Application and System logs follow the same pattern under their own subkeys.
Use this value to change where each log is stored; these keys give you the
flexibility to put the log file wherever you want.

To change the maximum size of the Windows NT or Windows 2000 Security event
log file (in kilobytes), you can use the Event Viewer to modify the registry
indirectly, or apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: MaxSize
Type: REG_DWORD
Value: 512 (default = 512K, in kilobytes)

To change the retention period of security events for the Windows NT or
Windows 2000 Security event log file (in seconds), you can use the Event Viewer
to modify the registry indirectly, or apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: Retention
Type: REG_DWORD
Value: 604800 (default, in seconds = 7 days)

Retention is how long events must be kept. Events older than the retention
period can be overwritten, but newer events cannot. If a new event needs to be
written to a log (security, application, or system), MaxSize has been reached,
AND there are no events older than the retention period, a log-full event
occurs.
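The MaxSize/Retention rule above, modelled in Python as an added example (not code from the original page): a simplified circular log in which events are dropped oldest-first only when they are older than Retention, and a log-full condition is raised otherwise. The special Retention values 0 (overwrite as needed) and 0xFFFFFFFF (never overwrite) are documented Event Log behaviour that the page itself does not mention; event timestamps and sizes are constructed sample data.

```python
from dataclasses import dataclass
from typing import List

# Special Retention values (documented Event Log behaviour, not stated on this page)
OVERWRITE_AS_NEEDED = 0           # any event may be overwritten, regardless of age
NEVER_OVERWRITE = 0xFFFFFFFF      # never overwrite; the log must be cleared manually

DEFAULT_MAX_SIZE_KB = 512         # MaxSize default from the page (kilobytes)
DEFAULT_RETENTION = 604_800       # Retention default from the page (seconds = 7 days)


@dataclass
class Event:
    written_at: int   # write time, seconds since epoch (constructed sample values)
    size: int         # bytes the record occupies in the .Evt file


class LogFullError(Exception):
    """Raised when MaxSize is reached and no event is old enough to overwrite."""


def write_event(log: List[Event], new: Event, now: int,
                max_size_kb: int = DEFAULT_MAX_SIZE_KB,
                retention: int = DEFAULT_RETENTION) -> int:
    """Append `new` to `log` (oldest first), applying the MaxSize/Retention rule.

    Events older than `retention` seconds may be overwritten (dropped from the
    front) to make room; newer ones may not. Returns how many events were
    overwritten; raises LogFullError when the log is full and nothing is eligible.
    """
    max_bytes = max_size_kb * 1024
    overwritten = 0
    while sum(e.size for e in log) + new.size > max_bytes:
        if not log or retention == NEVER_OVERWRITE:
            raise LogFullError("MaxSize reached and overwriting is not allowed")
        oldest = log[0]
        if retention != OVERWRITE_AS_NEEDED and now - oldest.written_at < retention:
            raise LogFullError("MaxSize reached; oldest event is within the retention period")
        log.pop(0)
        overwritten += 1
    log.append(new)
    return overwritten


def sample_log(now: int, ages_days: List[int], size: int = 300) -> List[Event]:
    """Constructed log: one `size`-byte event per entry, `ages_days` old, oldest first."""
    return [Event(now - d * 86_400, size) for d in sorted(ages_days, reverse=True)]
```

With a 1 KB MaxSize and the 7-day default Retention, three 300-byte events aged 10, 8 and 1 days accept a fourth by overwriting the 10-day-old one, while three events all younger than 7 days produce the log-full condition.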

To determine whether security events are enabled and which services and
applications are registered to write to the security log, view the Sources
value, which is dynamic and maintained by the EventLog service:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: Sources
Type: REG_EXPAND_SZ

The actual messages recorded in the event logs come from system or application
DLLs. The CategoryMessageFile value contains the path and file name of the file
that holds the category descriptions for security event log events:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security\[appname]
Name: CategoryMessageFile
Type: REG_EXPAND_SZ

EventMessageFile follows exactly the same pattern.

There is an important implication of these esoteric settings: the message text
is read from the DLLs at display time, not stored in the log. If you back up an
event log in native .evt format and restore it later (say, after a service
pack), the message text displayed could very well have changed.

Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made available a Windows NT Eventlog FAQ.
