
I'm an admin on the box. I've turned off all the folder options "Hide protected operating system files" and turned on "Show hidden files and folders".

I can see this folder in Windows Explorer: C:\Windows\System32\winevt\Logs

but I cannot see it from Event Log Viewer MMC snap-in BizTalk Admin Console. In that tool, and others such as GamutLog-Viewer, when I do "file Open", and paste in the same directory, I get: \ C:\Windows\System32\winevt\Logs - Path does not exist - Check the path and try again.

From Windows Notepad, I can do "File Open", paste same, and I get the directory.

Why is it different from one tool to the other?

Should I just create a C:\EventLogArchive and archive all my logs there?

Here's a couple of screen shots from NotePad and NotePad++ showing how NotePad can navigate to the directory, and NotePad++ cannot:


NealWalters
  • I've added two screenshots to the original question. What other details do you suggest I provide? It's a physical machine (not-VM) running our production BizTalk environment. Wouldn't this be either a security permissions issue, a UAC issue, or something like that? – NealWalters Jan 31 '14 at 14:47

2 Answers

7

Use C:\Windows\Sysnative\winevt

In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64.

32-bit applications can access the native system directory by substituting %windir%\Sysnative for %windir%\System32. WOW64 recognizes Sysnative as a special alias used to indicate that the file system should not redirect the access. This mechanism is flexible and easy to use, therefore, it is the recommended mechanism to bypass file system redirection. Note that 64-bit applications cannot use the Sysnative alias as it is a virtual directory not a real one.

From the File System Redirector technet article, here.

HopelessN00b
Dusan Bajic
  • +1 - A 32-bit program needs to use "SysNative" to access the "real" System32 directory. – Evan Anderson Jan 31 '14 at 15:10
  • Did you try it with IE or NotePad++? I browsed to c:\windows then tried typing in sysnative, and get "file not found". Same with c:\Windows\SysNative. Maybe that works in code, but not from the browser dialogs windows? – NealWalters Jan 31 '14 at 15:15
  • Yes, from notepad++, looking at it as I write (there is no folder to click at though, you have to type/paste) – Dusan Bajic Jan 31 '14 at 15:19
  • Okay, more interesting results. If I type exactly as you provided, C:\Windows\Sysnative\winevt it works. If I break it into chunks, and do C:\Windows, then try to type Sysnative, it does not work. Great answer, thanks! – NealWalters Jan 31 '14 at 15:21
0

I can reproduce this issue on my Windows 8.1 x64 as well with the latest version of Notepad++. As more careful people noticed, that is because Notepad++ is an x32 app, and replacing 'system32' with 'sysnative' does the trick. If I type

C:\Windows\sysnative\winevt\logs\

I can see the files just fine.

Adil Hindistan
  • I used NotePad and NotePad++ just as easy-to-reproduce examples. We recently bought a tool called Event Log Explorer that also has the issue; it's my tool of choice. Maybe these programs are using a different API to build the dialog/browser. But it seems like if the directory is there, not protected, visible, etc... that it should be able to be seen by all tools in any "open dialog" window. – NealWalters Jan 31 '14 at 14:59
  • Yes...as long as they are using the exact same methods/APIs. – Adil Hindistan Jan 31 '14 at 15:00
  • A file open in Sql 2008 SSMS cannot see it either, so even some Microsoft Tools are impacted. Of course, I would never open an event log in SQL, but just an example of a Microsoft tool having the same issue. Likewise IE 8 cannot see the directory with File Open. – NealWalters Jan 31 '14 at 15:03
  • The problem is a 32-bit program accessing the real "System32" directory and the "redirection" that takes place "behind the scenes" in WOW64. – Evan Anderson Jan 31 '14 at 15:11
  • You are right, Evan! – Adil Hindistan Jan 31 '14 at 15:19
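
Added example, not part of the original question or answers: a Python helper for a log-collection script that may run as either a 32-bit or a 64-bit process, applying the Sysnative substitution described above only when it is needed. The function names are hypothetical, and detecting WOW64 through the `PROCESSOR_ARCHITEW6432` environment variable is an assumption of this example, not something stated on the page.

```python
import ntpath
import os
import struct


def is_wow64_process(env=None, pointer_bits=None):
    # True for a 32-bit process running on 64-bit Windows (WOW64).
    # Assumption: PROCESSOR_ARCHITEW6432 is defined only in such processes.
    env = os.environ if env is None else env
    bits = struct.calcsize("P") * 8 if pointer_bits is None else pointer_bits
    return bits == 32 and "PROCESSOR_ARCHITEW6432" in env


def native_system_path(path, wow64, windir=r"C:\Windows"):
    # Rewrite <windir>\System32\... to <windir>\Sysnative\... for WOW64
    # callers; 64-bit callers keep System32 because Sysnative does not
    # exist for them.
    norm = ntpath.normpath(path)
    if not wow64:
        return norm
    root = ntpath.normpath(windir)
    sys32 = ntpath.join(root, "System32")
    low, base = norm.lower(), sys32.lower()
    # Match on a whole path component so "System32old" is left alone.
    if low == base or low.startswith(base + "\\"):
        return ntpath.join(root, "Sysnative") + norm[len(sys32):]
    return norm


def event_log_dir(env=None, pointer_bits=None):
    # Directory holding the .evtx files, as this process must spell it.
    env = os.environ if env is None else env
    windir = env.get("WINDIR", r"C:\Windows")
    logs = ntpath.join(windir, "System32", "winevt", "Logs")
    return native_system_path(logs, is_wow64_process(env, pointer_bits), windir)


if __name__ == "__main__":
    # Constructed environments: 32-bit tool on 64-bit Windows, then 64-bit tool.
    wow64_env = {"WINDIR": r"C:\Windows", "PROCESSOR_ARCHITEW6432": "AMD64"}
    native_env = {"WINDIR": r"C:\Windows"}
    print(event_log_dir(wow64_env, 32))
    print(event_log_dir(native_env, 64))
```

A collection or triage script that hard-codes the System32 path and runs under a 32-bit interpreter is redirected to SysWOW64 and finds no `winevt\Logs` there, so resolving the path this way avoids silently collecting nothing.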