locked
How to recover event viewer on Windows Server 2012 standard!!! RRS feed

  • Question

  • Dear all,

    Currently, our system got a trouble relate to Server which has Windows Server 2012 standard!!!

    Now, we have to analyst event viewer log to find out the root reason

    But Unfortunately, Event viewer only saved from 6/7/2018 up to now ( Limited eventviewer system size is 20 MB ans was reached)

    Our Server got trouble in 5/7/2018

    So, Could you help me how to recover event viewer log from 2/7/2018 to 5/7/2018 ?

    Or Are there any system log on Windows server 2012 which save all changing actions?

    Please help me to solve it!!!

    Thank you in advance!!!

    Friday, July 20, 2018 2:30 AM

Answers

  • It is unlikely that you can recover the event files unless you had created and saved a txt file.

    At this time you can collect the event files and post them into the thread for troubleshooting.

    To evaluate the computer environment please post logs for troubleshooting.

    Using administrative command prompt copy and paste this whole command.

    Make sure the default language is English so that the logs can be scanned and read.

    https://www.tenforums.com/tutorials/3813-language-add-remove-change-windows-10-a.html

    The command will automatically collect the computer files and place them on the desktop.

    Then use 7zip to organize the files and one drive or drop box to place share links into the thread for troubleshooting.

    https://support.office.com/en-us/article/Share-OneDrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

    This command will automatically collect these files:  msinfo32, mini dumps, drivers, hosts, install, uninstall, services, startup, event viewer files, etc.

    Open administrative command prompt and copy and paste the whole command:

    copy %SystemRoot%\minidump\*.dmp "%USERPROFILE%\Desktop\"&dxdiag /t %Temp%\dxdiag.txt&copy %Temp%\dxdiag.txt "%USERPROFILE%\Desktop\SFdebugFiles\"&type %SystemRoot%\System32\drivers\etc\hosts >> "%USERPROFILE%\Desktop\hosts.txt"&systeminfo > "%USERPROFILE%\Desktop\systeminfo.txt"&driverquery /v > "%USERPROFILE%\Desktop\drivers.txt" &msinfo32 /nfo "%USERPROFILE%\Desktop\msinfo32.nfo"&wevtutil qe System /f:text > "%USERPROFILE%\Desktop\eventlog.txt"&reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "%USERPROFILE%\Desktop\uninstall.txt"&reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" "%USERPROFILE%\Desktop\installed.txt"&net start > "%USERPROFILE%\Desktop\services.txt"&REM wmic startup list full /format:htable >"%USERPROFILE%\Desktop\startup.html"&wmic STARTUP GET Caption, Command, User >"%USERPROFILE%\Desktop\startup.txt"

    There is 1 file for you to find manually:  dxdiag

    In the left lower corner search type:  dxdiag > When the DirectX Diagnostic Tool opens click on the next page button so that each tab is opened > click on save all information > save to desktop > post one drive or drop box share link into the thread

    .

    .

    .

    Please remember to vote and to mark the replies as answers if they help.

    .

    .

    .

    Friday, July 20, 2018 3:00 AM

All replies

  • If the file properties were set to a fixed max log size and overwrite events as needed then they're gone.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, July 20, 2018 2:51 AM
  • It is unlikely that you can recover the event files unless you had created and saved a txt file.

    At this time you can collect the event files and post them into the thread for troubleshooting.

    To evaluate the computer environment please post logs for troubleshooting.

    Using administrative command prompt copy and paste this whole command.

    Make sure the default language is English so that the logs can be scanned and read.

    https://www.tenforums.com/tutorials/3813-language-add-remove-change-windows-10-a.html

    The command will automatically collect the computer files and place them on the desktop.

    Then use 7zip to organize the files and one drive or drop box to place share links into the thread for troubleshooting.

    https://support.office.com/en-us/article/Share-OneDrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

    This command will automatically collect these files:  msinfo32, mini dumps, drivers, hosts, install, uninstall, services, startup, event viewer files, etc.

    Open administrative command prompt and copy and paste the whole command:

    copy %SystemRoot%\minidump\*.dmp "%USERPROFILE%\Desktop\"&dxdiag /t %Temp%\dxdiag.txt&copy %Temp%\dxdiag.txt "%USERPROFILE%\Desktop\SFdebugFiles\"&type %SystemRoot%\System32\drivers\etc\hosts >> "%USERPROFILE%\Desktop\hosts.txt"&systeminfo > "%USERPROFILE%\Desktop\systeminfo.txt"&driverquery /v > "%USERPROFILE%\Desktop\drivers.txt" &msinfo32 /nfo "%USERPROFILE%\Desktop\msinfo32.nfo"&wevtutil qe System /f:text > "%USERPROFILE%\Desktop\eventlog.txt"&reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "%USERPROFILE%\Desktop\uninstall.txt"&reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" "%USERPROFILE%\Desktop\installed.txt"&net start > "%USERPROFILE%\Desktop\services.txt"&REM wmic startup list full /format:htable >"%USERPROFILE%\Desktop\startup.html"&wmic STARTUP GET Caption, Command, User >"%USERPROFILE%\Desktop\startup.txt"

    There is 1 file for you to find manually:  dxdiag

    In the left lower corner search type:  dxdiag > When the DirectX Diagnostic Tool opens click on the next page button so that each tab is opened > click on save all information > save to desktop > post one drive or drop box share link into the thread

    .

    .

    .

    Please remember to vote and to mark the replies as answers if they help.

    .

    .

    .

    Friday, July 20, 2018 3:00 AM
  • So, I cannot recover the previous time point :(

    Could you help me are there any other system log on Windows Server which we can collect and analyst?

    Thank you

    Friday, July 20, 2018 3:01 AM
  • So, I cannot recover the previous time point :(

    Not unless you have saved or backed them up or happen to have a server backup that includes the EVTX files.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, July 20, 2018 3:11 AM