Can’t get to the Event Viewer because the machine won’t boot?
Short answer:
wevtutil qe <logfile> /lf:true /f:text /rd:true | more
This command will query (“qe”) the logs from a logfile (“lf:true”) in text format (“f:text”) in reverse chronological order (“rd:true”) and pipe them to ‘more’ so they don’t all scroll off the screen. Hit Q to exit more.
The log files are in C:\Windows\System32\winevt\Logs, except in your case it won’t be C: drive because loading the recovery image will have jumbled up the drive letters. D: or E: perhaps?
For diagnostic purposes, the most interesting log files are:
- System.evtx
- Application.evtx
- Setup.evtx
Fun things I discovered about Windows logging:
- Instead of being plain text, evtx is a binary format that stores the arguments to a format string, but not the format string itself.
- The string tables available vary between Windows installs.
- The evtx file doesn’t list the names or revisions of the string tables it refers to.
- If you read logs from your broken PC on a working PC you may see “N/A” entries where it doesn’t have the same set of string tables.
- This is fine. This is normal. 95% market share.