{"id":276,"date":"2017-03-20T11:34:02","date_gmt":"2017-03-20T11:34:02","guid":{"rendered":"http:\/\/eventlogxp.com\/blog\/?p=276"},"modified":"2017-03-20T13:33:03","modified_gmt":"2017-03-20T13:33:03","slug":"access-event-logs-from-windows-recovery-mode","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/access-event-logs-from-windows-recovery-mode\/","title":{"rendered":"Access event logs from Windows recovery mode"},"content":{"rendered":"

Sometimes this happens. Your computer stops booting correctly and needs to be fixed. Even safe mode doesn’t help. You don’t know the reason of the fault \u2013 it may be a hardware failure or a driver bug, but you don’t want to reinstall the operating system. There is a good chance that Windows logs may contain some useful information for troubleshooting. However, you cannot boot into the system to read the logs. What can you do?<\/p>\n

As a rule, you can disconnect your hard drive, connect it to another computer and read event logs as files there. But sometimes it is impossible (e.g. your drive is unremovable, inaccessible or you don’t have another computer with the same connection interface).<\/p>\n

You may try to start your PC with the recovery console and then use Command Prompt.<\/p>\n

The easiest way to access recovery console on Windows 7 is:<\/strong><\/p>\n

    \n
  1. Remove all removable disks (CDs, DVDs) from your computer, power on your computer.<\/li>\n
  2. Press and hold the F8 key as your computer starts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need switch your PC off and restart it again.
    \n\"Windows<\/a><\/li>\n
  3. Select Repair Your Computer
    \n    \"Windows<\/a><\/li>\n<\/ol>\n

    Now you can\u00a0click on Command Prompt. Voila, you may run Windows applications now!<\/p>\n

    You may get more information at
    \n    https:\/\/support.microsoft.com\/en-us\/help\/17101\/windows-7-system-recovery-options<\/a><\/p>\n

    Unfortunately, this approach commonly may fail with Windows 8 and Windows 10 (although it’s worth to try!). Please check this article which explains this issue:
    \n    https:\/\/blogs.msdn.microsoft.com\/b8\/2012\/05\/22\/designing-for-pcs-that-boot-faster-than-ever-before\/<\/a><\/p>\n

    To load into recovery console Microsoft suggests to boot your computer either with previously created recovery drive or use the installation media.
    \nHowever I discovered that if you forcibly restart your computer several times when booting, Windows detects that something goes wrong and suggests to repair.
    \n    \"Windows<\/a><\/p>\n

    Click “See advanced repair option”, then click Troubleshoot and then click “Advanced Options”.<\/p>\n

    On Advanced Options screen you can see different options to recover your PC, but since we decided to check logs first, select Command Prompt Option.<\/p>\n

    Now you are in.
    \n    \"Command<\/a><\/p>\n

    You may be surprised, but you will see X: drive in the command prompt. \u00a0This is a recovery drive and you can see it only in the recovery session.<\/p>\n

    Another surprise is that C: drive contains no data!<\/p>\n

    Your original C: drive would be probably drive D: now. You can check it by viewing its contents e.g. by typing
    \nDIR D:\\<\/p>\n

    Let’s try to view events. First we need to run Event Log Explorer. You may think that you can run Event Viewer, but Windows won’t be able to start neither eventvwr.exe nor eventvwr.msc.<\/p>\n

    If you have Event Log Explorer originally installed in C:\\Program Files (x86)\\Event Log Explorer, it’s now on D: drive and you can run it as follows:<\/p>\n

    “D:\\Program Files (x86)\\Event Log Explorer\\elex.exe” (don’t forget to use double quotes or such paths).
    \n    \"event<\/a><\/p>\n

    You can see a strange computer name in the tree and you will see no logs under this name. This happens because you are in recovery mode and Windows started in minimal configuration (eventlog service is disabled, Windows gives a random name to the PC).<\/p>\n

    However you can still access the original event logs as files. They are on the system drive in \\Windows\\System32\\winevt\\Logs\\ \u00a0folder.<\/p>\n

    So let’s try to open System log. It will be D:\\Windows\\System32\\winevt\\Logs\\System.evtx file. You can use any open method \u2013 all of them should work correctly. I would recommend use New API since it’s a native method for modern Windows.
    \n    \"Viewing<\/a><\/p>\n

    Now you can explore your event logs and hopefully you will be able to locate and troubleshoot\u00a0the problem.<\/p>\n

     <\/p>\n\"Facebook\"<\/a>\"twitter\"<\/a>\"reddit\"<\/a>\"pinterest\"<\/a>\"linkedin\"<\/a>\"mail\"<\/a>","protected":false},"excerpt":{"rendered":"

    Sometimes this happens. Your computer stops booting correctly and needs to be fixed. Even safe mode doesn’t help. You don’t know the reason of the fault \u2013 it may be a hardware failure or a driver bug, but you don’t want to reinstall the operating system. There is a good chance that Windows logs may contain some useful information for troubleshooting. However, you cannot boot\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":283,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[39],"tags":[50,9],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/276"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=276"}],"version-history":[{"count":5,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/276\/revisions"}],"predecessor-version":[{"id":288,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/276\/revisions\/288"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/283"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}