Repairing Windows XP/2003 Corrupted Event Log Databases
At this stage, you should have a clear understanding of the circumstances that will cause a Windows XP and Server 2003 event log file to be reported as corrupt by a utility that relies on the Windows event log service API. In short, this will occur when the four critical fields appearing in both the header and the floating footer are out of synch and when the file status byte is other than 0x00 or 0x08. It stands to reason, then, that the tweak required to render such a file viewable is to copy the four fields from the floating footer and paste them into the corresponding fields in the header and to change the file status byte to 0x08 (or 0x00).
Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
