Blog Archives

Unregistering and deleting an event log

Today, I’ve decided to write about unregistering and deleting Windows event logs, because searching the web about this subject brings up some very dangerous advice, and following it can have serious consequences.

Event Viewer in Windows Vista: In comparison to its predecessor in Windows Server 2003, it has become several times more elaborate to accommodate the vast logging infrastructure introduced in this version of Windows.

Problem: A user notices redundant event logs in Event Viewer or PowerShell, i.e. the programs with which they were associated are now gone and their contents are irrelevant. These event logs might be occupying valuable disk space, e.g. 128 MB. Deleting them is tempting.

This article requires Windows PowerShell 2.0 or later, which comes with Windows 7 and Windows Server 2008 R2.

Cautious approach

If reclaiming disk space is the goal, then empty the log and forget about it. An empty log that occupies just a few bytes is not a problem on a computer that has 165,606 files.

Unregistering and deleting the log file only makes sense when the sheer number of these logs is causing a slowdown (e.g. when there are 100 redundant logs) or when eliminating all traces of an app from a computer is important (e.g. mandated by a corporate policy).

A word of warning

The following event logs are part of Windows; if you unregister them by accident, the ensuing dire consequences may force you to reinstall Windows. You can empty them if you wish, but never unregister them:

  • Application
  • HardwareEvents
  • Internet Explorer
  • Key Management Service
  • Security
  • System
  • Windows PowerShell

Unregistering and deleting via PowerShell

To see a list of registered event logs in PowerShell, issue the Get-EventLog -List command. Here is an example of the result:

PS C:\Windows\system32> Get-EventLog -list

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      32,288 Application
     512      1 OverwriteOlder              0 Autodesk REX
     512      7 OverwriteOlder              1 COMODO Internet Security
     512      7 OverwriteOlder            142 GhostBuster
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
     128      0 OverwriteAsNeeded         671 OAlerts
  20,480      0 OverwriteAsNeeded       6,362 Security
  20,480      0 OverwriteAsNeeded      55,179 System
     512      7 OverwriteOlder          1,211 TuneUp
  15,360      0 OverwriteAsNeeded         387 Windows PowerShell

To delete an event log from the list, use the Remove-EventLog -LogName command, as follows:

PS C:\Windows\system32> Remove-EventLog -LogName "Autodesk REX"
PS C:\Windows\system32> Remove-EventLog -LogName GhostBuster

There won’t be any message indicating success, but failure will be reported. Below is an example of what happens if you try to delete a nonexistent log, or try deleting an existing log without administrative privileges.

PS C:\Windows\system32> Remove-EventLog -LogName System2
Remove-EventLog : The Log name "System2" does not exist in the computer "localhost".
At line:1 char:1
+ Remove-EventLog -LogName System2
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Remove-EventLog], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.RemoveEventLogCommand
 
PS C:\Windows\system32> Remove-EventLog -LogName System
Remove-EventLog : Requested registry access is not allowed.
At line:1 char:1
+ Remove-EventLog Security
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Remove-EventLog], SecurityException
+ FullyQualifiedErrorId : NewEventlogException,Microsoft.PowerShell.Commands.RemoveEventLogCommand
 
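The steps above can be wrapped in a small helper that refuses to touch the built-in logs listed under “A word of warning”, checks that the log is actually registered before acting, and lets you choose between the cautious approach (emptying the log with Clear-EventLog) and unregistering it. This is an added example, not code from the original post; it assumes PowerShell 2.0 or later in an elevated session, and the log names passed at the end (“Autodesk REX”, “GhostBuster”) are taken from the sample listing above and serve only as illustration.

```powershell
# Added example (not from the original post): safe cleanup of classic event logs.
# Assumes PowerShell 2.0+ and an elevated (administrator) session.

# Built-in logs that must never be unregistered (the list from "A word of warning").
$protected = @('Application', 'HardwareEvents', 'Internet Explorer',
               'Key Management Service', 'Security', 'System', 'Windows PowerShell')

function Remove-RedundantEventLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $LogName,
        [switch] $ClearOnly   # cautious approach: empty the log instead of unregistering it
    )

    # Names of the logs currently registered on this computer.
    $registered = Get-EventLog -List | ForEach-Object { $_.Log }

    foreach ($name in $LogName) {
        # String comparison operators are case-insensitive by default in PowerShell.
        if ($protected -contains $name) {
            Write-Warning "Refusing to touch built-in log '$name'."
            continue
        }
        if ($registered -notcontains $name) {
            Write-Warning "Log '$name' is not registered on this computer."
            continue
        }
        if ($ClearOnly) {
            if ($PSCmdlet.ShouldProcess($name, 'Clear event log')) {
                Clear-EventLog -LogName $name
            }
        } else {
            if ($PSCmdlet.ShouldProcess($name, 'Unregister and delete event log')) {
                Remove-EventLog -LogName $name
            }
        }
    }
}

# Dry run first (nothing is changed), then the real operation.
# The log names are hypothetical; substitute the redundant logs you identified.
Remove-RedundantEventLog -LogName 'Autodesk REX', 'GhostBuster' -WhatIf
Remove-RedundantEventLog -LogName 'Autodesk REX', 'GhostBuster'
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm are honoured, so a dry run shows exactly which logs would be cleared or unregistered before anything is changed; passing -ClearOnly gives the cautious behaviour recommended earlier in the post.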

Computer hibernation: In medias res

As a man who has chiefly dealt with desktops, I have had relatively very little experience in regard to laptops. Another thing that I have had relatively very little experience of is foreign languages such as French, Greek or Latin. For example, I often have to refer to a dictionary or at least think a bit to realize that in medias res means in the middle of [another action].

People constantly throw foreign words at me, perhaps to make me think they are well-educated or very intelligent. (Well, they only manage to make me feel they are very annoying!) But I cannot throw foreign words at them as effectively. For instance I can shout at them “Stop using foreign words ad nauseam!” (Ad nauseam means exceedingly, to a disgusting extent). But I can’t use foreign words to describe a recent experience. So, if I wanted to tell them that I saw a laptop computer that was hibernated while it was shutting down, should I say “I saw a laptop that was hibernated in medias res shut down”? I don’t know.

In any case, recently I saw a Windows XP laptop that was hibernated in the middle of being shut down! The user had configured it to hibernate when its lid was closed. Then, he had one day ordered the laptop to shut down, had closed the lid afterwards and had gone away. So, when I turned on the laptop next time, it resumed in the middle of a shutdown operation. Shortly after that, the laptop powered down.

The fact that I had to turn on the laptop twice wasn’t that annoying. However, I have heard other stories about the consequences of disregarding a computer shutdown. One story had it that an application prevented shutdown; the owner didn’t notice, since he packed his laptop before actually seeing it power down. Result: Half a day later, when he unpacked his laptop, he found it completely devoid of battery power and had absolutely no clue as to why this had happened. (Only an analysis of the Windows Event Log revealed the truth of what had happened.) I think it is wise to watch the computer while it is shutting down. After all, computers often shut down quickly, and spending a few seconds ensuring the completion of this process on a laptop is not wasted time.

Startup and shutdown history of Microsoft Windows

There are emergencies in which a Windows system administrator wishes to know whether a system was started up or shut down on a particular date or at a particular time. Fortunately, you can use the Event Viewer in Windows XP to determine the approximate time and date of startup and shutdown.
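The same information the entry above describes reading from Event Viewer can be pulled from the System log with Get-EventLog. This is an added example, not code from the original post. It relies on two records written by the Event Log service itself (source “EventLog”): event ID 6005 (“The Event log service was started”), which marks a boot, and event ID 6006 (“The Event log service was stopped”), which marks a clean shutdown; it assumes PowerShell 2.0 or later, and the date range in the final call is a constructed sample.

```powershell
# Added example (not from the original post): reconstruct startup/shutdown history
# from the classic System log. Assumes PowerShell 2.0+ (Get-EventLog).
#   Event ID 6005 (source EventLog) = "The Event log service was started"  -> startup
#   Event ID 6006 (source EventLog) = "The Event log service was stopped"  -> clean shutdown
# A 6005 that is not preceded by a 6006 for the previous session means that session
# did not shut down cleanly (power loss, hibernation mid-shutdown, crash, ...).
function Get-StartupShutdownHistory {
    param(
        [datetime] $After  = (Get-Date).AddDays(-7),
        [datetime] $Before = (Get-Date)
    )

    $events = Get-EventLog -LogName System -Source EventLog -After $After -Before $Before |
        Where-Object { $_.EventID -eq 6005 -or $_.EventID -eq 6006 } |
        Sort-Object TimeGenerated

    $lastWasStartup = $false
    foreach ($e in $events) {
        if ($e.EventID -eq 6005) {
            $kind = 'Startup'
            # Two startups in a row: the session in between never logged a clean stop.
            $note = if ($lastWasStartup) { 'previous session ended uncleanly' } else { '' }
            $lastWasStartup = $true
        } else {
            $kind = 'Shutdown'
            $note = ''
            $lastWasStartup = $false
        }
        New-Object PSObject -Property @{
            Time  = $e.TimeGenerated
            Event = $kind
            Note  = $note
        }
    }
}

# Constructed sample call: everything since the start of 2012.
Get-StartupShutdownHistory -After (Get-Date '2012-01-01') |
    Format-Table Time, Event, Note -AutoSize
```

Reading the System log requires no administrative rights, so this query is also a practical way to check, after the fact, whether a laptop really completed its shutdown before the lid was closed.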
