Hi all, this maybe common knowledge, it is documented by microsoft, but it confused the hell out of me when I first came across is so thought i'd share the knowledge any way.
I was attempting to copy the Event Logs from a Windows 2008 RS2 Server, so, using FTK Imager Lite I navigated to the Windows\System32\winevt folder. The problem however was the winevt folder wasnt there. I knew it did exist on the system but just wasnt appearing in FTK imager.
I didnt understand the problem for a while and was confused why the folder wasnt there. After a bit of searching I discovered this article http//
Basically, Windows 64 bit Operating Systems reserve System32 for 64 bit applications. When a 32 bit application attemts to access System32 it is automatically redirected to SysWOW64 folder instead, which does not contain the winevt folder.
There is a way around this, instead of putting in C\Windows\System32, you can enter C\Windows\sysnative, this overrides the redirect.
Like i said, this could be common knowledge, but its the first time I have come across it. Hope it helps someone else.