21

I know that there is the event log, but that's not where it stops. There are logs for MSI executables, device logs, setup and installation, performance logs, and so on. It's probably quite a long list; however, where can I find such an exhaustive list of what Windows logs?

By preference it would be handy to have a list that goes further than just what's on by default; as to know what each logger does, which ones are not on by default, which ones can('t) be turned off, ...

Do you know of any such list? Anyone up for building such a list?

4 Answers

19

Centralized Log Locations

  • %WINDIR%\System32\config or %WINDIR%\System32\winevt\Logs
    Contain most of the event logs accessible from the Event Viewer.

  • %WINDIR%\Logs
    Contains a lot of textual log files.

Microsoft Security Essentials

  • %PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support
    Runtime Logs

  • %PROGRAMDATA%\Microsoft\Microsoft Security Client\Support
    Installation Logs

Temporary Installation and Windows Defender Logs

  • %WINDIR%\Temp\*.log
    Contains information about MSI installations as well as for Windows Defender starting / scanning.

  • %AppData%\Local\Temp\*.log
    Contains information about MSI installations run in the context of the current user.

Windows Installation Logs

  • %AppData%\Local\Microsoft\Websetup (Windows 8)
    Contains details about the web setup phase of Windows 8.

  • %AppData%\setupapi.log (Windows XP and earlier)
    Contains information about device and driver changes and important system changes, like installation of service packs and hotfixes.

  • %SYSTEMROOT%\$Windows.~BT\Sources\Panther\*.log,xml
    Contains information about setup actions, errors, structure, SIDs and early setup devices. When the installation is rolled back, these files will contain rollback information.

  • %WINDIR%\PANTHER\*.log,xml
    Contains information about setup actions, errors, structure, SIDs and later setup devices.

  • %WINDIR%\INF\setupapi.dev.log
    Contains information about Plug and Play devices and driver installations.

  • %WINDIR%\INF\setupapi.app.log
    Contains information about the installations of applications.

  • %WINDIR%\Performance\Winsat\winsat.log
    Contains performance test results.

Windows Time Service

  • To enable logging of the Windows Time Service:

    w32tm /debug /enable /file:"C:\time-service.log" /entries:1000 /size:10485760
    
  • To disable logging of the Windows Time Service run:

    w32tm /debug /disable
    

Windows Update

  • %WINDIR%\WindowsUpdate.log
    Contains all events related to Windows Update.

  • %WINDIR%\SoftwareDistribution\ReportingEvents.log
    Contains events related to software update status reports.

Deployment Image Service and Management Tool (DISM)

  • %WINDIR%\Logs\DISM\dism.log
    Contains information about events that happen when interacting with the Windows image.

Component-Based Servicing (CBS)

  • %WINDIR%\Logs\CBS\CBS.log
    Contains information about events that happen when interacting with Windows components and features.
Oliver Salzburg
  • 89,072
  • 65
  • 269
  • 311
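As an added example (not part of the answer above, and not a Microsoft tool), the following PowerShell script takes the file-based locations listed in that answer, expands the `%VAR%` placeholders and reports which of them actually exist on the machine it runs on, how many files they hold, and when they were last written. The list of patterns is an assumption derived from the answer; the per-user Temp folder is taken to be `%LOCALAPPDATA%\Temp`. Run it from an elevated prompt, since several of the `%WINDIR%` folders are not readable by a standard user.

```powershell
# Added example: inventory of the file-based log locations from the answer above.
# The patterns below are taken from that answer; the script itself is an
# assumption about how to check them, not a Microsoft-provided tool.
$LogLocations = @(
    '%WINDIR%\System32\winevt\Logs\*.evtx',
    '%WINDIR%\Logs\*.log',
    '%PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support\*.log',
    '%PROGRAMDATA%\Microsoft\Microsoft Security Client\Support\*.log',
    '%WINDIR%\Temp\*.log',
    '%LOCALAPPDATA%\Temp\*.log',                  # assumed: the per-user Temp folder
    '%WINDIR%\Panther\*.log',
    '%WINDIR%\Panther\*.xml',
    '%WINDIR%\INF\setupapi.dev.log',
    '%WINDIR%\INF\setupapi.app.log',
    '%WINDIR%\Performance\WinSAT\winsat.log',
    '%WINDIR%\WindowsUpdate.log',
    '%WINDIR%\SoftwareDistribution\ReportingEvents.log',
    '%WINDIR%\Logs\DISM\dism.log',
    '%WINDIR%\Logs\CBS\CBS.log'
)

function Get-LogInventory {
    param([string[]]$Patterns = $LogLocations)

    foreach ($pattern in $Patterns) {
        # Expand %WINDIR%, %PROGRAMDATA%, ... exactly as cmd.exe would.
        $expanded = [Environment]::ExpandEnvironmentVariables($pattern)

        # Access-denied and not-found errors are swallowed; missing locations
        # simply show up with Files = 0 in the report.
        $files = @(Get-ChildItem -Path $expanded -File -ErrorAction SilentlyContinue)

        if ($files.Count -eq 0) {
            [pscustomobject]@{ Pattern = $pattern; Files = 0; SizeMB = 0; NewestWrite = $null }
            continue
        }

        [pscustomobject]@{
            Pattern     = $pattern
            Files       = $files.Count
            SizeMB      = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 2)
            NewestWrite = ($files | Sort-Object LastWriteTime -Descending |
                           Select-Object -First 1).LastWriteTime
        }
    }
}

# Locations with zero files are either absent on this Windows version or
# unreadable from the current security context.
Get-LogInventory | Sort-Object Files -Descending | Format-Table -AutoSize
```

Comparing the `NewestWrite` column against the time of an incident is a quick way to see which of these text logs are worth collecting; a location that shows `Files = 0` when run elevated simply does not exist on that Windows build.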
-1

Windows event logs are a mythical unicorn: there's no comprehensive list, and no way to figure out what a machine will log for what. The closest thing I've found was running:

auditpol /backup /file:c:\SYSTEM_AUDITPOLICY.csv
Destroy666
  • 12,350
Eli
  • 1
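As an added example (not part of the answer above), the script below reads the same audit policy the answer exports, but via `auditpol /get /category:* /r`, which prints the current settings as CSV with a `Subcategory` and an `Inclusion Setting` column, and turns it into objects so the subcategories set to "No Auditing" (the security events this machine will never write to the Security log) can be listed directly. The column names are assumed from auditpol's CSV output; the function and variable names are my own. It needs an elevated prompt.

```powershell
# Added example: show which audit subcategories are switched off on this machine.
# Uses "auditpol /get ... /r" (CSV output) rather than the /backup file from the
# answer; the column names "Subcategory" and "Inclusion Setting" are those
# auditpol emits. Must be run elevated.
function Get-AuditPolicyState {
    # Keep only lines that look like CSV rows, so any blank or banner lines
    # cannot be mistaken for the header by ConvertFrom-Csv.
    $rows = auditpol /get /category:* /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv

    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'     # e.g. "Success and Failure", "No Auditing"
            Enabled     = $row.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

$state = Get-AuditPolicyState
'{0} of {1} audit subcategories currently generate events' -f `
    @($state | Where-Object Enabled).Count, $state.Count

# Subcategories that produce nothing; each one is a blind spot in the Security log.
$state | Where-Object { -not $_.Enabled } | Sort-Object Subcategory | Format-Table -AutoSize
```

Running this on a freshly installed client shows how much of the Security log is off by default, which is the practical reason the "what does Windows log" question has no fixed answer: the set depends on the policy applied to that particular machine.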
-1

I think you are asking for the impossible. There are numerous log sections within the Windows Event Log, accessed by Windows and non-Windows applications and services alike, and it differs from one Windows version to the next. On top of that, there are numerous other logging options, including text (e.g. .log) files and in the Windows Internal Database.

The list would be vast and varied, and would depend on the particular OS you have and how it is configured.

CJM
  • 2,627
-2

Run

wevtutil el

at the command prompt.

C:\Users\rvlan500\Desktop>wevtutil el /?
List the names of all logs.

Usage:

wevtutil { el | enum-logs }

Example:

The following example lists the names of all logs.

wevtutil el

C:\Users\rvlan500\Desktop>
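As an added example (not part of the answer above), the PowerShell script below enumerates the same channels `wevtutil el` prints, but through `Get-WinEvent -ListLog`, which exposes each channel's configuration: whether it is enabled, its type (Administrative, Operational, Analytic, Debug), its retention mode, size limit and record count. That answers the part of the question about which loggers are not on by default. The property names are those of the `EventLogConfiguration` objects the cmdlet returns; the function name is my own.

```powershell
# Added example: every event log channel with its enabled state and retention
# settings, so channels that are off by default stand out. Not Microsoft code;
# the property names are those of the objects Get-WinEvent -ListLog returns.
function Get-EventChannelState {
    # Some channels cannot be opened by a non-elevated user; those are skipped.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                LogName     = $_.LogName
                Type        = $_.LogType              # Administrative, Operational, Analytical, Debug
                Enabled     = $_.IsEnabled
                Mode        = $_.LogMode              # Circular, AutoBackup, Retain
                MaxMB       = [math]::Round($_.MaximumSizeInBytes / 1MB, 1)
                Records     = $_.RecordCount
                LastWritten = $_.LastWriteTime
            }
        }
}

$channels = Get-EventChannelState

'{0} channels: {1} enabled, {2} disabled' -f $channels.Count,
    @($channels | Where-Object Enabled).Count,
    @($channels | Where-Object { -not $_.Enabled }).Count

# Channels that are switched off; typically the Analytic and Debug ones.
$channels | Where-Object { -not $_.Enabled } |
    Sort-Object LogName | Format-Table LogName, Type, Mode -AutoSize

# Enabled channels that have wrapped around a small circular buffer; these lose
# history quickly and are candidates for a larger size or for forwarding.
$channels | Where-Object { $_.Enabled -and $_.Mode -eq 'Circular' -and $_.MaxMB -le 1 } |
    Sort-Object Records -Descending | Format-Table LogName, MaxMB, Records, LastWritten -AutoSize
```

A disabled channel can be turned on for a specific investigation with `wevtutil sl <LogName> /e:true` (and off again with `/e:false`); Analytic and Debug channels are left off by default precisely because they are high-volume, so enabling them permanently is rarely sensible.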