Bill Tydeman reported a new event log on the Windows Forensic Analysis group at Yahoo! and on his new blog. The weird thing is that this log seemingly is not configured properly, and the log file is garbled.
Interestingly, Microsoft remembered its own logging technology after it lived in the shadows for more than a decade. On Windows XP the new PowerShell (formerly codenamed Monad) has an event log of its own (which works, by the way). Now there's also a log for Microsoft Internet Explorer 7 - but it doesn't work.
In a first post Bill describes his finding, the file Internet.evt. A second post provides some interesting details, like the configuration and a hex view of the log file. Note that there should be a File value in the registry pointing to the log file - but there is none. The file header indicates an empty log: the first record is expected to start at offset 0x30.
The cursor, however, looks strange: the offset of the first event record is set to 0x2c288, and the next event record will be written at offset 0x2c0c4. Also, according to the cursor, event records are numbered from 10022 to 11840.
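Checking a header and a cursor against each other is easy to script. The following Python is an added example, not code from Bill's posts or from this blog: it parses the 48-byte header and the 40-byte EOF record (the "cursor") of the classic .evt format and reports where the two disagree. The byte images are constructed inside the script; the cursor values 0x2c288, 0x2c0c4, 10022 and 11840 are the ones from Bill's hex view, while the header values (and the 512 KB maximum size) are assumed.

```python
"""Consistency checks between the header and the cursor of a classic Windows NT event log (.evt)."""
import struct
from typing import Dict, List

# ELF_LOGFILE_HEADER: 48 bytes, little-endian.
HEADER_FMT = "<I4s" + "I" * 10
HEADER_FIELDS = ("header_size", "signature", "major", "minor", "start_offset",
                 "end_offset", "current_record", "oldest_record", "max_size",
                 "flags", "retention", "end_header_size")
# ELF_EOF_RECORD (the "cursor"): 40 bytes, four magic dwords between the size markers.
EOF_FMT = "<" + "I" * 10
EOF_FIELDS = ("size", "m1", "m2", "m3", "m4", "begin_record", "end_record",
              "current_record", "oldest_record", "size_end")
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)


def parse_header(data: bytes) -> Dict[str, int]:
    """Unpack the file header at offset 0 into a field-name -> value dict."""
    return dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))


def parse_cursor(data: bytes, offset: int) -> Dict[str, int]:
    """Unpack the EOF record found at `offset` into a field-name -> value dict."""
    return dict(zip(EOF_FIELDS, struct.unpack_from(EOF_FMT, data, offset)))


def check_evt(data: bytes) -> List[str]:
    """Return the inconsistencies between header, cursor and file size; an empty list means consistent."""
    findings: List[str] = []
    if len(data) < 48:
        return ["file shorter than the 48-byte header"]
    h = parse_header(data)
    if h["signature"] != b"LfLe" or h["header_size"] != 0x30 or h["end_header_size"] != 0x30:
        findings.append("header: bad signature or size markers")
    # The header's end_offset is where the cursor record should sit.
    end = h["end_offset"]
    if end + 40 > len(data):
        findings.append(f"header: end_offset 0x{end:x} points outside the {len(data)}-byte file")
        return findings
    c = parse_cursor(data, end)
    if (c["m1"], c["m2"], c["m3"], c["m4"]) != EOF_MAGIC or c["size"] != 0x28 or c["size_end"] != 0x28:
        findings.append(f"cursor: no valid EOF record at 0x{end:x}")
        return findings
    # Header and cursor carry the same four bookkeeping values; they must agree.
    for hf, cf in (("start_offset", "begin_record"), ("end_offset", "end_record"),
                   ("current_record", "current_record"), ("oldest_record", "oldest_record")):
        if h[hf] != c[cf]:
            findings.append(f"mismatch: header {hf}=0x{h[hf]:x} but cursor {cf}=0x{c[cf]:x}")
    # Record offsets must lie inside the file (a wrapped log may have begin > end, but never past EOF).
    for cf in ("begin_record", "end_record"):
        if c[cf] >= len(data):
            findings.append(f"cursor: {cf}=0x{c[cf]:x} lies beyond the {len(data)}-byte file")
    # A header with start_offset == end_offset holds no records; the cursor numbering must agree.
    header_empty = h["start_offset"] == h["end_offset"]
    claimed = c["current_record"] - c["oldest_record"]
    if header_empty and claimed > 0:
        findings.append(f"header says the log is empty, but cursor numbering claims {claimed} records")
    return findings


def build_evt(start, end, current, oldest, c_begin, c_end, c_current, c_oldest, max_size=0x80000):
    """Build a header-plus-cursor .evt image. Constructed test data, not a real log file."""
    header = struct.pack(HEADER_FMT, 0x30, b"LfLe", 1, 1, start, end, current, oldest,
                         max_size, 0, 0, 0x30)
    cursor = struct.pack(EOF_FMT, 0x28, *EOF_MAGIC, c_begin, c_end, c_current, c_oldest, 0x28)
    return header + cursor


# Assumed shape of a freshly created, empty log: header and cursor both point at 0x30.
CONSISTENT_EMPTY = build_evt(0x30, 0x30, 1, 1, 0x30, 0x30, 1, 1)
# Header as for an empty log (assumed), cursor values as seen in the IE7 log's hex view.
BROKEN_LIKE_IE7 = build_evt(0x30, 0x30, 1, 1, 0x2C288, 0x2C0C4, 11840, 10022)

if __name__ == "__main__":
    for name, image in (("consistent", CONSISTENT_EMPTY), ("ie7-like", BROKEN_LIKE_IE7)):
        print(name, "->", check_evt(image) or "no findings")
```

Run against a real file with `check_evt(open(path, "rb").read())`. The header comparison is the useful part: an empty log has start_offset equal to end_offset, so a cursor pointing to records at 0x2c288 that lie far beyond the end of an 88-byte file is exactly the kind of contradiction the script flags.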
On one of my computers, XP SP2 with a German locale, things look similar: the file is named Windows .evt (note the space!) instead of Internet.evt. The offsets and record numbers given in the cursor are different, but don't make sense either.
To me this looks like a failed attempt to install a new event log. I tried to "repair" the log on my test system by adding the usual configuration like file name, file size, retention time and a primary module. So far the log file is still empty. So I ask: has anybody encountered a properly configured and non-empty IE7 event log?
05/24/2007: Frank Heyne describes some other interesting observations, which are mostly related to viewing Vista logs remotely through an NT Event Viewer applet.