All of the Windows event logs are files stored with the extension .evt, and are located in %SystemRoot%\system32\winevt\Logs\ under Win 7, and I believe %systemroot%\system32\config or something similar in Windows XP and 2003. You can find out for sure where your event logs are by checking the File key of the subdirectories under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog. From there, I would imagine it to be a simple file recovery. Another thought: if it's a server or Vista+ PC, you could also check for shadow copies. ShadowExplorer is a good program for checking that, as the Explorer interface is a bit difficult. Let me know if that helps any.

From: [email protected] [mailto:[email protected]] On Behalf Of Aa'ed Alqarta
Sent: Tuesday, November 03, 2009 4:49 AM
To: [email protected]
Subject: [Pauldotcom] Recover deleted Windows "Audit Logs"

Hello Everyone,

I'd like to know is it possible to recover deleted "Audit Logs" after being erased by some administrator?

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
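
The registry check and shadow-copy check suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later and an elevated prompt; the property names in the output table are chosen here for illustration.

```powershell
# Added example: list each event log registered under the Eventlog service key,
# the file its "File" value points to, and whether that file is still on disk.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

$logs = foreach ($key in Get-ChildItem -Path $root) {
    # "File" is a REG_EXPAND_SZ value; GetValue() expands %SystemRoot% for us.
    $path = $key.GetValue('File')
    if (-not $path) { continue }   # some subkeys carry no File value

    # Metadata only; the file contents are not opened.
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log       = $key.PSChildName
        File      = $path
        Present   = [bool]$item
        SizeBytes = if ($item) { $item.Length } else { $null }
        LastWrite = if ($item) { $item.LastWriteTime } else { $null }
    }
}
$logs | Sort-Object Log | Format-Table -AutoSize

# Shadow copies on this machine, oldest first. Any copy taken before the logs
# were erased is a candidate source for the earlier version of the files above.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object ID, VolumeName, InstallDate, DeviceObject |
    Format-List
```

A log whose file is missing, or whose size and last-write time show it was recently reset, is the one to target with file recovery or a shadow copy that predates that time.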
