Screenshot of event viewer usb event log:

When I right-click on other event logs, such as AMSI/Operational, I see the option 'disable/enable', but when I right-click on the event log about a USB, boxed in red in the screenshot, I don't see any options to disable or enable the log. Furthermore, I'm curious where exactly - as in Windows directory - these logs exist. I know that the .evtx event logs themselves exist in c:\windows\system32\winevt but I also want to learn more in depth where the actual location is for logs like the one boxed in red. My ultimate goal is to disable the event log associated with USB configuration and be able to delete them with cmd commands as well so that they don't reappear in the Event Viewer. I am aware that there is a delete button when I right-click on the log, but it would be great if I can understand where in Windows the actual log exists, so I could delete it with a cmd command or script. Any help is appreciated.

1 Answer

You’re not looking at an event log. You’re looking at a view. It does not contain events but only a filter definition. They are saved in the following location:

C:\ProgramData\Microsoft\Event Viewer\Views

When viewing an event, you can see which log it’s from. In your screenshot, that’s Microsoft-Windows-Kernel-PnP/Configuration.

If you then go to this log (under “Applications and Services Logs” where all additional logs are), you can see its location as usual, in the properties window:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx

You can also disable it and whatnot.


The views you have do not exist by default. They are created when you click “View All Events...” on a device properties window in Device Manager.
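
The view-to-log relationship described in the answer above, as an added example that is not part of the original answer: this PowerShell script reads each view definition under the Views directory, pulls out the channels its query selects from, and reports each channel's enabled state and .evtx path. The function names are hypothetical, and the XPath over Select elements is an assumption about the usual layout of a view file.

```powershell
# Added example: map each Event Viewer view to the log channels it queries.
# The Views directory is the one named in the answer; the <Select Path="...">
# lookup is an assumption about the XML layout of a view definition.
$viewDir = Join-Path $env:ProgramData 'Microsoft\Event Viewer\Views'

function Get-ViewChannel {
    param([Parameter(Mandatory)][string]$Path)
    # A view file holds only a query; each <Select> names the channel it reads.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $xml.SelectNodes("//*[local-name()='Select'][@Path]") |
        ForEach-Object { $_.GetAttribute('Path') } |
        Sort-Object -Unique
}

function Get-ChannelState {
    param([Parameter(Mandatory)][string]$Channel)
    try {
        $log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
        [pscustomobject]@{
            Channel = $log.LogName
            Enabled = $log.IsEnabled
            File    = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
            Records = $log.RecordCount
        }
    } catch {
        # Channel named in the view is not registered or not readable here.
        [pscustomobject]@{ Channel = $Channel; Enabled = $null; File = $null; Records = $null }
    }
}

if (-not (Test-Path -LiteralPath $viewDir)) {
    Write-Warning "No view directory at $viewDir"
    return
}

Get-ChildItem -LiteralPath $viewDir -Filter *.xml -Recurse -File | ForEach-Object {
    $view = $_.Name
    foreach ($channel in Get-ViewChannel -Path $_.FullName) {
        Get-ChannelState -Channel $channel |
            Select-Object @{ n = 'View'; e = { $view } }, Channel, Enabled, File, Records
    }
} | Format-Table -AutoSize -Wrap
```

For a view created from Device Manager, the Channel column should show the same log name that Event Viewer displays on the individual event, and the File column the path shown in that log's properties window.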
