
I have a Windows Server 2019 VM and am trying to collect some specific Windows Event Logs using Get-WmiObject

In order to read an Event Logs channel in Applications and Services, I created a registry key and configured it similar to how this post describes the process. This worked, but when the server reboots, the registry key I created disappears. This happens on a brand new image, so I can't tell if there is something specific that is rewriting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\ on a reboot or something else. I haven't been able to locate any documentation which would give the answer. Is there something I can adjust or a standard pattern to recreate the keys on boot?

Thanks!

Edit: This is specifically for Windows Defender, so the sub key that gets created is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Windows Defender/Operational

This works well, but when the machine reboots, it disappears. In order to use Get-WmiObject you must create this key to collect events. It isn't a custom event I am making, just using the OOB Windows ones in the "Applications and Services" section.

AbeW
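The question does not establish why the key disappears, so the following is an added example (not the asker's code and not from the post they link) of the "recreate on boot" pattern they ask about: a function that re-registers the channel under the classic eventlog key if it is missing, a startup scheduled task running as SYSTEM that calls it, and a check that Win32_NTEventlogFile / Win32_NTLogEvent actually see the log afterwards. The task name, the script path, and the choice of registry values written (File pointing at the channel's .evtx, plus MaxSize) are assumptions; the question does not list which values the asker set. The closing Get-WinEvent call shows that the modern channel can also be read directly, without any registry key, which is the route to take if the WMI class is not a hard requirement.

```powershell
# Added example, not part of the original question. Run in an elevated
# Windows PowerShell 5.1 session on the server.
# Assumed (not in the question): task name, script path, and that File/MaxSize
# are the values the classic eventlog key needs for this channel.

$Channel    = 'Microsoft-Windows-Windows Defender/Operational'
$TaskName   = 'Recreate-DefenderEventLogKey'                        # assumed name
$ScriptPath = 'C:\ProgramData\EventLogKey\Ensure-EventLogKey.ps1'   # assumed path

function Ensure-EventLogKey {
    param([Parameter(Mandatory)][string]$Channel)

    # The "/" in the channel name is a literal character of the key name.
    # PowerShell's registry provider treats "/" as a path separator, so the
    # .NET API (which splits only on "\") is used instead of New-Item.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Services\EventLog', $true)
    if (-not $base) { throw 'Cannot open the EventLog services key (run elevated).' }

    $created = $false
    $key = $base.OpenSubKey($Channel, $true)
    if (-not $key) {
        $key = $base.CreateSubKey($Channel)
        $created = $true
    }

    # Modern channels store their .evtx with "/" encoded as "%4".
    $evtx = '%SystemRoot%\System32\winevt\Logs\' + ($Channel -replace '/', '%4') + '.evtx'
    if (-not $key.GetValue('File')) {
        $key.SetValue('File', $evtx, [Microsoft.Win32.RegistryValueKind]::ExpandString)
    }
    if ($null -eq $key.GetValue('MaxSize')) {
        # 20 MB; an assumed size, adjust to the channel's configured limit.
        $key.SetValue('MaxSize', 20971520, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close(); $base.Close()
    return $created
}

function Test-EventLogViaWmi {
    param([Parameter(Mandatory)][string]$Channel)
    # Win32_NTEventlogFile only lists logs registered under the eventlog key;
    # if the key vanished after a reboot, the channel is simply absent here.
    $log = Get-WmiObject -Class Win32_NTEventlogFile |
        Where-Object { $_.LogfileName -eq $Channel }
    if (-not $log) { return $false }
    Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='$Channel'" |
        Select-Object -First 3 TimeGenerated, EventCode, Message |
        Format-Table -AutoSize
    return $true
}

function Register-RecreateKeyTask {
    param([string]$TaskName, [string]$ScriptPath, [string]$Channel)
    # Persist Ensure-EventLogKey as a stand-alone script the task can run.
    New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
    $body = @"
function Ensure-EventLogKey {
$(${function:Ensure-EventLogKey})
}
Ensure-EventLogKey -Channel '$Channel' | Out-Null
"@
    Set-Content -Path $ScriptPath -Value $body -Encoding UTF8

    # At-startup task, running as SYSTEM, so the key is back before anyone queries WMI.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

$created = Ensure-EventLogKey -Channel $Channel
Write-Host ("Registry key {0}." -f $(if ($created) { 'created' } else { 'already present' }))
Register-RecreateKeyTask -TaskName $TaskName -ScriptPath $ScriptPath -Channel $Channel

if (-not (Test-EventLogViaWmi -Channel $Channel)) {
    Write-Warning "Win32_NTEventlogFile does not list '$Channel' yet; the classic log list is read when the Windows Event Log service starts."
}

# The modern channel is readable without any registry key via Get-WinEvent.
Get-WinEvent -LogName $Channel -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName
```

Running the script once sets up both the key and the task; after the next reboot, running only Test-EventLogViaWmi tells you whether the task put the key back. If it did not, check the task's last run result in Task Scheduler before suspecting the registry itself.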
  • What's the exact registry path that you are creating? I've only created keys directly under "eventlog", not with the "analytic" or "operation" sub folder like described in the post you referenced. That has always worked. You may be missing some required registry values. – Lucky Luke Feb 11 '22 at 19:30
  • You can also try to download EventSentry Light (https://www.eventsentry.com) which has a built-in tool to create custom event logs. That has always worked for me as well in the past. If that works then you can just uninstall it after, although you will probably like that tool anyways if you work a lot with event logs. – Lucky Luke Feb 11 '22 at 19:32

0 Answers