Tuesday, May 1, 2007

Backing Up Your EVT Files

Occasionally, we have admins send us EVT files that they have restored from live server backups (or recovered from the hard disk of a server that crashed) that cannot be opened in the Microsoft Event Viewer. This often generates a substantial amount of concern on their part, and so it merits discussion here.

When a Microsoft Windows NT, Windows 2000, Windows XP, or Windows 2003 Server is running, the EventLog service maintains an open handle to each of the active event logs on the system. From what we understand, each active event log is treated like a memory-mapped file. Simply performing a live backup of the event log files in the \system32\config folder, even if the backup software can work with open file handles, is ineffective. The linked data structures in the active event log file may not be "finalized" so that they can be read by the OpenBackupEventLog function, and so attempts to read these logs as if they were properly saved may fail.

Here's a quick way to test this sort of behavior. On your workstation, navigate to the \Windows (or Winnt)\System32\Config folder using Windows Explorer. Copy the active security event log file (e.g. SecEvent.evt) to your desktop. Then open the Microsoft Event Viewer and try to open the SecEvent.evt file you copied onto your desktop. The Event Viewer will tell you that the file is corrupt.

So that being said, how is it that you can still read active event log files via the Microsoft Event Viewer when the computer is online? Simple - the request to read the file is made directly to the EventLog service, as opposed to trying to read the data directly out of the active file itself. The EventLog service, in addition to logging new records to active event logs, also acts as a proxy "log record fetcher" for the benefit of authorized users that need to read the contents of the active logs.

A very interesting phenomenon can be observed, however, if you attempt to read an "active" event log file from the \system32\config directory on a hard disk partition when the operating system is not loaded. If the operating system located on that partition was shut down properly (i.e. it did not crash), the EVT files in this directory should be readable by the Microsoft Event Viewer as saved event log files. It would appear that the EventLog service, when shut down normally, makes sure that the linked data structures in the file are organized properly before the file is closed.

What can we learn from this?

1.) Normal backup software, even software that can back up open files, is not a reliable way to archive your EVT files should you need to access them in the future.

2.) Likewise, trying to read EVT files in the \system32\config folder on a hard disk partition where the last operating system session crashed, or where the computer was shut down dirty, may fail.

3.) The EVT files in the \system32\config folder on a hard disk partition where the last operating system session was shut down properly can most likely be read as saved EVT files in the Microsoft Event Viewer. So, provided the machine was shut down normally before the hard disk was removed (in a forensic examination, for instance), chances are good the log data will be accessible.
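A quick way to triage a copied or recovered EVT file before handing it to the Event Viewer, added here as an example that is not part of the original post or of Event Archiver: it reads the 48-byte EVENTLOGHEADER (the "LfLe" signature, the ELF_LOGFILE_HEADER_DIRTY flag that the EventLog service sets while it holds the log open, and the EndOffset that should point at the end-of-file record in a finalized log). The field layout follows Microsoft's documented EVT format rather than anything stated in the post, and the two sample images are constructed inline.

```python
import struct

# EVENTLOGHEADER: 48 bytes, twelve little-endian ULONGs (layout per Microsoft's EVT docs).
HEADER_FMT = "<12I"
EVT_SIGNATURE = 0x654C664C          # the "LfLe" signature read as a little-endian ULONG
ELF_LOGFILE_HEADER_DIRTY = 0x0001   # set while the EventLog service holds the log open
EOF_MARKER = (0x11111111, 0x22222222, 0x33333333, 0x44444444)  # ELF_EOF_RECORD words
EOF_RECORD_SIZE = 40

def triage_evt(data: bytes) -> dict:
    """Report whether a copied .evt image looks finalized enough to open as a saved log."""
    if len(data) < 48:
        return {"valid": False, "reason": "shorter than an EVT header"}
    (hdr_size, sig, _major, _minor, _start, end, cur, oldest,
     _max_size, flags, _retention, end_hdr_size) = struct.unpack(HEADER_FMT, data[:48])
    if hdr_size != 48 or end_hdr_size != 48 or sig != EVT_SIGNATURE:
        return {"valid": False, "reason": "bad header size or missing LfLe signature"}
    dirty = bool(flags & ELF_LOGFILE_HEADER_DIRTY)
    # A cleanly closed log has EndOffset pointing at the EOF record; a live copy may carry
    # a stale EndOffset and the dirty flag because the service never rewrote the header.
    eof_ok = False
    if end + EOF_RECORD_SIZE <= len(data):
        eof = struct.unpack("<10I", data[end:end + EOF_RECORD_SIZE])
        eof_ok = (eof[0] == EOF_RECORD_SIZE and eof[1:5] == EOF_MARKER
                  and eof[9] == EOF_RECORD_SIZE)
    return {"valid": True, "dirty": dirty, "eof_record_ok": eof_ok,
            "readable": not dirty and eof_ok, "record_count": cur - oldest}

def build_sample(dirty: bool) -> bytes:
    """Constructed minimal EVT image (no event records): header followed by an EOF record."""
    end = 48 if not dirty else 0xFFFF   # dirty copy: stale EndOffset past the file's end
    flags = ELF_LOGFILE_HEADER_DIRTY if dirty else 0
    header = struct.pack(HEADER_FMT, 48, EVT_SIGNATURE, 1, 1, 48, end, 1, 1,
                         0x80000, flags, 0, 48)
    eof = struct.pack("<10I", EOF_RECORD_SIZE, *EOF_MARKER, 48, 48, 1, 1, EOF_RECORD_SIZE)
    return header + eof

if __name__ == "__main__":
    import sys
    # Pass a path to a copied .evt file; without one, the constructed dirty sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample(dirty=True)
    print(triage_evt(data))
```

A file that reports dirty or a missing EOF record is exactly the case the post describes: the only reliable copy is one requested through the EventLog service, not one taken from the open file.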

To combat these sorts of issues, we introduced our Event Archiver(tm) software many years ago. Event Archiver can archive EVT files correctly via the EventLog service on multiple computers, so that they will be accessible for review many years down the road. Of course, this is one small aspect of its feature set, but is a very important feature nonetheless.
