Access event logs from Windows recovery mode

By | March 20, 2017

Sometimes this happens. Your computer stops booting correctly and needs to be fixed. Even safe mode doesn’t help. You don’t know the reason of the fault – it may be a hardware failure or a driver bug, but you don’t want to reinstall the operating system. There is a good chance that Windows logs may contain some useful information for troubleshooting. However, you cannot boot into the system to read the logs. What can you do?

As a rule, you can disconnect your hard drive, connect it to another computer and read event logs as files there. But sometimes it is impossible (e.g. your drive is unremovable, inaccessible or you don’t have another computer with the same connection interface).

You may try to start your PC with the recovery console and then use Command Prompt.

The easiest way to access recovery console on Windows 7 is:

  1. Remove all removable disks (CDs, DVDs) from your computer, power on your computer.
  2. Press and hold the F8 key as your computer starts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need switch your PC off and restart it again.
    Windows 7 advanced boot options
  3. Select Repair Your Computer
    Windows 7 recovery options

Now you can click on Command Prompt. Voila, you may run Windows applications now!

You may get more information at
https://support.microsoft.com/en-us/help/17101/windows-7-system-recovery-options

Unfortunately, this approach commonly may fail with Windows 8 and Windows 10 (although it’s worth to try!). Please check this article which explains this issue:
https://blogs.msdn.microsoft.com/b8/2012/05/22/designing-for-pcs-that-boot-faster-than-ever-before/

To load into recovery console Microsoft suggests to boot your computer either with previously created recovery drive or use the installation media.
However I discovered that if you forcibly restart your computer several times when booting, Windows detects that something goes wrong and suggests to repair.
Windows didn't load correctly - repair options

Click “See advanced repair option”, then click Troubleshoot and then click “Advanced Options”.

On Advanced Options screen you can see different options to recover your PC, but since we decided to check logs first, select Command Prompt Option.

Now you are in.
Command Prompt

You may be surprised, but you will see X: drive in the command prompt.  This is a recovery drive and you can see it only in the recovery session.

Another surprise is that C: drive contains no data!

Your original C: drive would be probably drive D: now. You can check it by viewing its contents e.g. by typing
DIR D:\

Let’s try to view events. First we need to run Event Log Explorer. You may think that you can run Event Viewer, but Windows won’t be able to start neither eventvwr.exe nor eventvwr.msc.

If you have Event Log Explorer originally installed in C:\Program Files (x86)\Event Log Explorer, it’s now on D: drive and you can run it as follows:

“D:\Program Files (x86)\Event Log Explorer\elex.exe” (don’t forget to use double quotes or such paths).
event log explorer in recovery console

You can see a strange computer name in the tree and you will see no logs under this name. This happens because you are in recovery mode and Windows started in minimal configuration (eventlog service is disabled, Windows gives a random name to the PC).

However you can still access the original event logs as files. They are on the system drive in \Windows\System32\winevt\Logs\  folder.

So let’s try to open System log. It will be D:\Windows\System32\winevt\Logs\System.evtx file. You can use any open method – all of them should work correctly. I would recommend use New API since it’s a native method for modern Windows.
Viewing event files from recovery mode

Now you can explore your event logs and hopefully you will be able to locate and troubleshoot the problem.

 

Facebooktwitterredditpinterestlinkedinmail