Sunday, October 14, 2012

Event Log Explorer version 4

    Keeping up with software packages can be a daunting experience. Updates, new versions, buggy software and the like can take up a lot of time, especially if you use many different types of software.

    This post is specific to Event Log Explorer version 4. I am running Windows 7 as my main development box, and it's been fairly stable, up to the last few days. I recently rebuilt my system using a new 1GB hard drive, so it's a fairly 'new' system. The system has several USB devices connected, and I've found that with all these devices, mostly USB hard drives, the system doesn't want to boot at all when I have them connected to the USB bus. My way around this problem is to connect all my external USB drives to a 16-port USB hub. When it's time to cold or warm reboot, I disconnect all my USB devices by removing the one cable connected to the system. This solution works great, provided I remember to unplug the cable.

   Generally, I do not shut my system down, but keep it running constantly. The Windows Power Options keep everything under control (as far as I know) by shutting down hard drives after a time I have specified in the Power Options Control Panel applet. This last week, I am finding the system is locking up at random times. I'll go away for a few hours, come back, and it's stuck. C-A-D, Ctrl-Shift-Esc, nothing, no response from the system at all. The only way to recover, which is not the ideal power-down solution, is to yank the power cable from the back of the computer. I let it sit, off, for about 120 seconds, then power back up. Unfortunately, there isn't any other way to get control of the system back. Every time I do this pull-the-plug act, it's "ouch! ouch! ouch!", and I hate doing that! This solution is OK for the occasional rare system lockup, but not every day. My fear is, of course, data loss from a shutdown that's nowhere near clean. System lockup has happened at least five times this past week and I need to find the cause of the problem.

   So, I fire up eventvwr.exe for a look at startup times (clean start-up times, of course, will not show as an entry), anomalies, anything that will give a clue about why this system is misbehaving. The log file format introduced with Vista, Windows 7 and Windows Server 2008 (EVTX, a binary-XML format stored in .evtx files) is significantly different from the older EVT format and carries more detail per record than earlier Windows versions did. The downside of the new format is that there is an enormous amount of data to parse through.
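Before reaching for a viewer, the same triage can be scripted against the System log. The block below is an added example and is not code from the original post or from FSPro Labs. It uses the well-known System-log event IDs that Windows writes around each boot and shutdown (41, 6005, 6006, 6008 and 1074), prints a boot/shutdown timeline, and for every "previous shutdown was unexpected" marker pulls the last entries the hung session managed to log, which is where a clue about a lockup usually hides. It assumes Windows 7 or later with PowerShell 2.0 or later, run from an elevated prompt; the 14-day window and the .evtx path mentioned in the comments are assumptions, not values from the post.

```powershell
# Added example, not from the original post: triage the System log for the markers
# Windows writes around each boot and shutdown, then show the last entries logged
# before every unclean restart.
# Assumptions: Windows 7 or later, PowerShell 2.0 or later, elevated prompt.
# To read an exported log instead of the live one, replace LogName = 'System'
# with Path = 'C:\logs\System.evtx' (hypothetical path) in both filter hashtables.

# Well-known System-log event IDs used below (provider in parentheses):
#   41   (Kernel-Power) the system rebooted without cleanly shutting down first
#   6005 (EventLog)     event log service started: first entries of each boot
#   6006 (EventLog)     event log service stopped: clean shutdown
#   6008 (EventLog)     the previous system shutdown was unexpected
#   1074 (User32)       a user or process initiated a shutdown or restart
$sessionIds = 41, 6005, 6006, 6008, 1074
$since      = (Get-Date).AddDays(-14)   # assumed window; widen as needed

# First line of an event message is enough for a timeline view
$summary = @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $sessionIds; StartTime = $since } `
            -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    "No boot/shutdown markers found since $since"
    return
}

"=== Boot / shutdown timeline since $since ==="
$events | Select-Object TimeCreated, Id, ProviderName, $summary | Format-Table -AutoSize

# A 6008 is written during the boot *after* the hang, so locate the 6005 of that
# same boot (nearest in time) and look at what was logged just before it: those
# are the last entries the hung session produced.
$boots      = @($events | Where-Object { $_.Id -eq 6005 })
$hardResets = @($events | Where-Object { $_.Id -eq 6008 })

foreach ($reset in $hardResets) {
    $boot = $boots |
        Sort-Object { [math]::Abs(($_.TimeCreated - $reset.TimeCreated).TotalSeconds) } |
        Select-Object -First 1
    if ($boot -eq $null) { continue }

    $cutoff = $boot.TimeCreated.AddSeconds(-1)
    ""
    "=== Unexpected shutdown reported at boot {0}; last entries before it ===" -f $boot.TimeCreated
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; EndTime = $cutoff } -MaxEvents 10 `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, $summary |
        Format-Table -AutoSize
}

""
"{0} unexpected shutdown(s) recorded since {1}" -f $hardResets.Count, $since
```

Run it once after a normal reboot to see what a clean session looks like (6006 or 1074 followed by 6005), then compare against the sessions that end in 6008. If the last entries before each unclean boot are disk or USB errors (for example from the disk, storage or USB-hub providers), that points at the external drives; if the log simply goes quiet for hours before the reset, the machine hung without managing to write anything, and a kernel memory dump or a hardware check is the next step.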

   Getting back to the point of this posting, which is the use of a third-party (non-Microsoft) application for parsing event logs: Event Log Explorer gets a thumbs-up from me, as it offers a clean and easy-to-use UI for wading through the mountains of data the event log generates.

------------------------------------------------------------------

For more information related to the Windows log file format, go to forensicswiki.org. They have a good overview of the older EVT format and provide a starting point for additional information.
http://www.forensicswiki.org/wiki/Windows_Event_Log_%28EVT%29



------------------------------------------------------------------
Disclaimer: They, meaning FSPro Labs, do not pay me to write up their software. I do not work there, nor do I receive any revenue from making mention of them. It is my opinion that FSPro Labs deliver a great product and tool for viewing all versions of Windows log files.
As usual, and the 'other' standard disclaimer applies, YMMV.



Robert Cazares
Sunday, October 14, 2012

------------------------------------------------------------------
I am a Digital Forensic and Information Security Analyst. I have been working in the IT industry since 1992 and hold a degree in Digital Forensics and Information Security. I have also earned many industry-respected certificates.
"Information Security is never an accident."
Find me here and directly at: robertcazares@gmail.com
------------------------------------------------------------------