Dear all,
I need to read Windows log files; their extensions are .log and .log1. Googling around, I found only .evt or .evtx readers. Can someone help me?
Thanks
A couple of things that might be helpful to know…
Which version of Windows are you working with?
What are the full names and paths to these files?
The path is Windows/system32/config and the files are System.log, System.log1, System.log2 and also software.log, software.log1, etc.
Thanks
Like I said, knowing the version of Windows is important as well…but okay. In this case, knowing the version would help make a recommendation as to steps you can take.
Those aren't log files; open one or more in a hex viewer. That's stuff that should be written to the Registry. I posted something to my blog a while back where I found 10 devices connected to a live system, but when parsing the System hive from the config folder, only 6 showed up. When the system is booted, the System file as well as the System.log* files are read.
Sorry, the version is Windows 7 Home.
Thanks
Good, but still the point is that .log, .log1 etc. in /config, such as system.log, are a sort of "transactional log" of the correspondingly named backing file of the OS Registry hives; if you prefer, you do not *need* to read those files (as a matter of fact you don't even *want* to read them, in the sense that *whatever* they contain is highly unlikely to be of any use).
http://mscerts.wmlcloud.com/windows/Windows%207%20%20%20Getting%20to%20Know%20the%20Registry%20(part%202).aspx
jaclaz
If you have access to the hardware, you can open up Event Viewer and export each log file to text, CSV or XML by expanding "Windows Logs", then right-clicking on the log file, choosing "Save All Events As…" and exporting as your preferred format.
You can also use Microsoft Log Parser to access the data.
@MDCR
Those .log/.log1/.log2 files in Windows/system32/config are NOT "event" logs, they are Registry logs (activity in hives); they are an altogether different beast, not the "normal" .evt or .evtx event logs.
For the latter there is the excellent little tool by Nirsoft, MyEventViewer
http//
that can also read events "offline".
jaclaz
Although this is an old thread, I want to place a warning here :-)
Transaction log files may contain remnant registry data (e.g. a previous registry value that was overwritten a day ago). And starting from Windows 8.1 and Windows Server 2012 R2, transaction log files are as important as primary files when dealing with an image taken from a live system or taken after pulling the plug; this is because the Windows kernel delays writing to a primary file for up to an hour, and you have to read the transaction log files to get current registry data from such an image.
This is the reason why examiners want to and need to read these files.
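A concrete triage check for the point made above (whether a hive's transaction logs hold data the primary file does not yet have), as an added example that is not from this thread or any of its posters: it decodes the regf base block at the start of a hive file and compares the primary and secondary sequence numbers and the header checksum. The kernel increments the primary sequence number before it starts writing hive data and sets the secondary one only when the write is complete, so a mismatch (or a bad checksum) means the primary file is not current and the .LOG1/.LOG2 files must be applied first. The hive headers below are constructed inline for the demonstration; the field offsets follow the publicly documented regf base-block layout (sequence numbers at 4 and 8, FILETIME at 12, name at 48, XOR-32 checksum at 0x1FC).

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096      # the base block is the first 4 KiB of a hive file
CHECKSUM_OFFSET = 0x1FC     # XOR-32 over bytes 0x000..0x1FB is stored here


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the checksum field, with the two
    reserved results remapped (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    csum = 0
    for off in range(0, CHECKSUM_OFFSET, 4):
        csum ^= struct.unpack_from("<I", block, off)[0]
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(block: bytes) -> dict:
    """Decode the base-block fields needed to decide whether the hive on disk
    is complete or whether its transaction logs carry newer data."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a regf base block")
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, _file_format, _root_cell, hbins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # the name field is 64 bytes of UTF-16LE, NUL padded
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "name": name,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(block),
        "dirty": primary_seq != secondary_seq,
    }


def needs_log_replay(block: bytes) -> bool:
    """True when the primary file cannot be trusted on its own: either a write
    was in flight (sequence numbers differ) or the header itself is damaged."""
    info = parse_base_block(block)
    return info["dirty"] or not info["checksum_ok"]


# --- constructed sample headers (synthetic, not taken from real hives) ---
def build_base_block(primary_seq: int, secondary_seq: int, name: str, last_written: int = 0) -> bytes:
    """Build a synthetic base block with a valid checksum (test data only)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    # major 1, minor 5, file type 0 (primary), format 1, root cell 0x20, hbins size 0x1000, cluster 1
    struct.pack_into("<IIQIIIIIII", block, 4, primary_seq, secondary_seq, last_written,
                     1, 5, 0, 1, 0x20, 0x1000, 1)
    block[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


SAMPLE_FILETIME = 132_000_000_000_000_000          # a FILETIME in 2019 (constructed)
CLEAN_HIVE = build_base_block(12, 12, r"Config\SYSTEM", SAMPLE_FILETIME)    # clean shutdown
DIRTY_HIVE = build_base_block(13, 12, r"Config\SOFTWARE", SAMPLE_FILETIME)  # write in flight

if __name__ == "__main__":
    for label, blk in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        info = parse_base_block(blk)
        verdict = "replay .LOG1/.LOG2 first" if needs_log_replay(blk) else "primary file is current"
        print(f"{label}: {info['name']} seq {info['primary_seq']}/{info['secondary_seq']} "
              f"written {info['last_written']:%Y-%m-%d} -> {verdict}")
```

Run it against the first 4096 bytes of a real SYSTEM or SOFTWARE file from an image to see whether the logs matter for that hive; on a pulled-plug Windows 8.1+ image the sequence numbers routinely differ. The check says only that log replay is required, not how to do it; a parser that applies the dirty pages from the log files is a separate, larger piece of work.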
Which is good. :) (though the OP's system is Windows 7, and AFAIK that OS writes changes immediately)
What tools/methods/approach do you suggest or recommend to read those Registry transaction logs?
jaclaz