How to read event logs of an unbootable machine

So you have a Windows machine that is unbootable. Every time you try to boot it up, it blue screens. You try safe mode and Last Known Good, but both fail. At this point, it becomes critical to be able to look at the Windows event logs to determine what is causing the error. But how do you read the event logs of a machine that is not even booting up? In this article, we will show you a very simple technique for accessing and reading the event logs from a machine that is not booting up. This comes in very handy if you are a systems administrator or just trying to troubleshoot a Windows problem.

We already know that there is something seriously wrong with the operating system, as it will not boot up for you to log on. In this scenario we need to boot an alternative operating system to get to the event logs. The easiest way is to use an alternate "live boot" or "pre boot" rescue CD. There are many flavors of these CDs, from Linux to Windows. The one that I prefer most is called the Ultimate Boot CD. This CD has a lot of tools you can use to repair Windows-related problems. There are multiple locations where you can download an ISO image of the CD and burn it to a disc.

Now you are ready to boot up your faulty machine with the CD. Make sure that the boot order in the BIOS is set to CD first and then the hard drive. You can also download Ultimate Boot CD images for a USB thumb drive and boot from that instead, if your BIOS permits it.

After you have access to your NTFS file system from the boot CD, copy the following three logs to a floppy, a USB stick or a network location for later analysis:

1. System log at C:\System32\Config\SysEvent.Evt 

2. Application log at C:\System32\Config\AppEvent.Evt

3. Security log at C:\System32\Config\SecEvent.Evt

You can now take these three event log files to another Windows machine and read them in the regular event log viewer. To do so, do the following:

1. Click on the Start Menu, then right click the My Computer icon and click Manage

2. Expand the "Event Viewer" tree

3. Right click on the "Event Viewer" folder, choose Open Log File, and point it to the three .evt event log files one by one

You should now be able to see the event logs and work out what could be causing the problem with your machine. We hope this has been a useful tip for you. If you use any other method to read the event logs of an unbootable machine, please do share it with us!
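The copied .evt files can also be read without Event Viewer, which helps when the analysis machine is not running Windows or when a log that was not closed cleanly fails to open. The following is an added example, not part of the original article: it scans for the record signature of the legacy EVENTLOGRECORD layout instead of trusting the file header. The function names and the sample log are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

SIG = b"LfLe"                                  # signature in every legacy .evt record
FIXED = struct.Struct("<6I4H6I")               # 56-byte fixed part of EVENTLOGRECORD
TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "AuditSuccess", 16: "AuditFailure"}

def _wstrs(buf, count):
    """Decode `count` consecutive NUL-terminated UTF-16LE strings from the start of buf."""
    parts = buf.decode("utf-16-le", "replace").split("\0")
    return (parts + [""] * count)[:count]

def parse_evt(data):
    """Yield records located by signature scan rather than by trusting the file header."""
    pos = data.find(SIG)
    while pos != -1:
        start, nxt = pos - 4, pos + 4          # the Length field precedes the signature
        if start >= 0 and start + FIXED.size <= len(data):
            f = FIXED.unpack_from(data, start)
            end = start + f[0]
            # Records repeat their length in the last 4 bytes; the 0x30-byte file header is too short.
            if f[0] > FIXED.size and end <= len(data) and data[end - 4:end] == data[start:pos]:
                rec = data[start:end]
                source, computer = _wstrs(rec[FIXED.size:], 2)
                strings = _wstrs(rec[f[11]:], f[7])   # f[11] = StringOffset, f[7] = NumStrings
                yield {"record": f[2], "event_id": f[5] & 0xFFFF, "source": source,
                       "time": datetime.fromtimestamp(f[3], timezone.utc),
                       "type": TYPES.get(f[6], str(f[6])), "computer": computer, "strings": strings}
                nxt = end
        pos = data.find(SIG, nxt)

def make_record(num, when, event_id, etype, source, computer, strings):
    """Build one constructed record for the demo (not data from a real machine)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = "".join(s + "\0" for s in strings).encode("utf-16-le")
    str_off = FIXED.size + len(names)
    length = (str_off + len(body) + 4 + 3) & ~3            # trailing length, DWORD aligned
    head = FIXED.pack(length, 0x654C664C, num, when, when, event_id, etype,
                      len(strings), 0, 0, 0, str_off, 0, str_off, 0, str_off + len(body))
    return (head + names + body).ljust(length - 4, b"\0") + struct.pack("<I", length)

# Constructed sample: a 0x30-byte file header followed by two records.
SAMPLE = (struct.pack("<II", 0x30, 0x654C664C).ljust(0x2C, b"\0") + struct.pack("<I", 0x30)
          + make_record(1, 1200000000, 6008, 1, "EventLog", "DEMO-PC", ["10:15:00", "1/10/2008"])
          + make_record(2, 1200000060, 6005, 4, "EventLog", "DEMO-PC", []))

if __name__ == "__main__":
    for r in parse_evt(SAMPLE):
        print(r["time"], r["type"], r["source"], r["event_id"], r["strings"])
```

To run it against a real log, read the copied file in binary mode and pass the bytes to `parse_evt`. Work on a copy and keep the original file unmodified.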