Windows NT and Windows 2000 Security Log Settings

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

To change location of the Windows NT or Windows 2000 Security event log you can use the Event Viewer to indirectly modify the registry or to apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: File
Type: REG_EXPAND_SZ
Value: %SystemRoot%\system32\config\SecEvent.Evt (default)

The Application and System log registry entries follow the same pattern. Use this value to change where the logs are stored; these keys give you the flexibility to put them wherever you want.

To change the maximum size of the Windows NT or Windows 2000 Security event log file (in kilobytes) you can use the Event Viewer to indirectly modify the registry or to apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: MaxSize
Type: REG_DWORD
Value: 512 (default; 512 KB)

To change the Retention period of security events for the Windows NT or Windows 2000 Security event log file (in seconds) you can use the Event Viewer to indirectly modify the registry or to apply the registry hack directly:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: Retention
Type: REG_DWORD
Value: 604800 (default, in seconds)

Retention is how long events must be maintained. Events older than the retention period can be overwritten, but newer events cannot. If a new event needs to be written to a log (security, application, or system), MaxSize has been reached, AND there are no events older than the retention period, a log full event occurs.
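The MaxSize/Retention rule in the preceding paragraph, as an added example that is not part of the original article: a small Python model that decides whether a new event is simply written, overwrites events older than Retention, or triggers the log-full condition. The per-record byte sizes, the timestamps, and the two special Retention values (0 and 0xFFFFFFFF, which the page does not mention) are assumptions beyond the page.

```python
# Added example: a model of the MaxSize / Retention rule described above.
# Not Windows code; it simulates the documented behaviour on constructed events.
from dataclasses import dataclass, field

DEFAULT_MAXSIZE_KB = 512          # MaxSize default from the page (kilobytes)
DEFAULT_RETENTION = 604800        # Retention default from the page (seconds)
# Two special Retention values (known Windows semantics, not on the page):
OVERWRITE_AS_NEEDED = 0           # any event may be overwritten, oldest first
NEVER_OVERWRITE = 0xFFFFFFFF      # log must be cleared by hand once full

@dataclass
class Event:
    written_at: int   # seconds since epoch (constructed sample values)
    size: int         # bytes the record occupies in the .evt file (assumed)

@dataclass
class SecurityLog:
    max_size_kb: int = DEFAULT_MAXSIZE_KB
    retention: int = DEFAULT_RETENTION
    events: list = field(default_factory=list)

    def used(self) -> int:
        return sum(e.size for e in self.events)

    def write(self, event: Event, now: int) -> str:
        """Return 'written', 'overwrote' or 'log_full' for a new event at time `now`."""
        max_bytes = self.max_size_kb * 1024
        if event.size > max_bytes:
            return "log_full"                 # can never fit, whatever is evicted
        if self.used() + event.size <= max_bytes:
            self.events.append(event)
            return "written"
        # MaxSize reached: only events older than Retention may be overwritten
        if self.retention == NEVER_OVERWRITE:
            return "log_full"
        survivors = sorted(self.events, key=lambda e: e.written_at)
        while sum(e.size for e in survivors) + event.size > max_bytes:
            oldest = survivors[0]
            if self.retention != OVERWRITE_AS_NEEDED and now - oldest.written_at < self.retention:
                return "log_full"             # nothing old enough to evict: the page's log full event
            survivors.pop(0)
        self.events = survivors + [event]
        return "overwrote"

def describe_retention(value: int) -> str:
    """Human-readable meaning of a Retention DWORD, for a configuration review."""
    if value == OVERWRITE_AS_NEEDED:
        return "overwrite events as needed"
    if value == NEVER_OVERWRITE:
        return "never overwrite (clear log manually)"
    return f"overwrite events older than {value // 86400} days"
```

A Retention of 0 means a burst of new events can evict earlier security events before anyone reviews them, which is why the 7-day default matters when sizing MaxSize for a busy host.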

To determine whether security events are enabled and which services and applications are enabled to write to the security log, view the Sources value, which is dynamic and maintained by the EventLog service:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security
Name: Sources
Type: REG_EXPAND_SZ

The actual messages recorded in the event logs come from system or application DLLs. The CategoryMessageFile value contains the path and file name of the file that holds the category descriptions for security event log events:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\EventLog\Security\[appname]
Name: CategoryMessageFile
Type: REG_EXPAND_SZ

EventMessageFile seems to follow exactly the same pattern.

There is an important implication of these esoteric settings. The message text is read from DLLs at display time, not stored in the log. If you back up an event log in native .evt format and restore it later (say, after a service pack), the message text displayed could very well have changed.

Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made available a Windows NT Eventlog FAQ.
