HennelovaZuzana
commented
1 year ago I have also tried to run the tool after suspending event log services, however it still gives the same error.
Closed HennelovaZuzana closed 1 year ago
HennelovaZuzana
commented
1 year ago I have also tried to run the tool after suspending event log services, however it still gives the same error.
3gstudent
commented
1 year ago The file(c:\Windows\system32\winevt\logs\security) is in use. You can't directly modify it. This program(DeleteRecordofFileEx.cpp) is used to modify the unoccupied log file.
3gstudent
commented
1 year ago HennelovaZuzana
commented
1 year ago Thanx, I see now why the error is raised.
But shouldnt suspending the log services work? I assume those are the only ones which are directly accessing the log files. I tried both SuspendorResumeTid.cpp and SuspendorResumeTidEx.cpp and i also tried Phant0m to stop logging threads, however it didnt help.
It didnt even work on copied logs, which again I believe are not opened by any other service. But that is only assumption.
how can I make the log file unoccupied for this tool to work?
3gstudent
commented
1 year ago run this:
wevtutil.exe epl Setup c:\test\Setup.evtx
Hello, I get openfile error when running DeleteRecordofFile.exe from commandline. What does it mean? Any suggestions how to fix it? I dont have the logs open. Thanx.