wealstarr opened 1 year ago
Glad it worked for you.
Sorry, the script doesn't make any backups, and I think the registry settings are slightly different in different versions of Windows.
I have an old backup of Windows 10 20H2; I can upload it if you are interested, but I recommend you make a registry backup yourself. You can do it on another computer that has the same version of Windows as yours (so if you are on 19045 then that must be 19045 too). Just open regedit and then go to
HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger
and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
Right-click on the key (folder) in the left pane and then choose Export.
For restoring, I think you need to import it as TrustedInstaller, so use NSudo or AdvancedRun to run regedit as TrustedInstaller, then File > Import and choose your registry backup file.
Also, you can edit that script and change the value from 0 to 1 so all loggers will be enabled. Here is the whole script to enable all loggers (paste it into a text file, save it with a .bat extension, then put it next to NSudo.exe):
@echo off & cd /d "%~dp0"
setlocal & set runState=user
rem Work out the current integrity level: admin (High) or SYSTEM/TrustedInstaller (System).
whoami /groups | findstr /b /c:"Mandatory Label\High Mandatory Level" > nul && set runState=administrator
whoami /groups | findstr /b /c:"Mandatory Label\System Mandatory Level" > nul && set runState=TISYSTEM
echo Running in state: "%runState%"
rem Not yet TrustedInstaller: relaunch this same script through NSudo (-U:T = TrustedInstaller, -P:E = all privileges enabled).
if "%runState%"=="TISYSTEM" (goto gotTISYSTEM) else (nsudo -U:T -P:E -UseCurrentConsole "%~0" %* && exit /b)
:gotTISYSTEM
echo Running as TrustedInstaller.
echo.
echo find all Auto-Loggers and set Enabled to 1
rem "delims=" keeps the whole key path in %%a, so paths containing spaces are not split.
for /f "usebackq delims=" %%a in (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /s /f "Enabled"^| findstr "HKEY"`) do reg add "%%a" /v "Enabled" /t REG_DWORD /d 1 /f
echo.
echo find all Auto-Loggers and set Start to 1
for /f "usebackq delims=" %%a in (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /s /f "Start"^| findstr "HKEY"`) do reg add "%%a" /v "Start" /t REG_DWORD /d 1 /f
echo.
echo find all WINEVT channels and set Enabled to 1
for /f "usebackq delims=" %%a in (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT" /s /f "Enabled"^| findstr "HKEY"`) do reg add "%%a" /v "Enabled" /t REG_DWORD /d 1 /f
echo.
pause
exit
Again, I don't recommend it as a permanent solution because many loggers are disabled by default, but you can try it to get Event Log back to work, check some logs there, and then disable all loggers again after you are done. I sometimes try it for trial and error.
For your second question, I don't know anything about chkdsk logging, but if you encounter disk problems, I think there are more advanced tools to check for disk problems like bad sectors. I personally use Sergey Strelec's WinPE on my flash drive, a bootable Windows PE with lots of pre-installed tools to check and repair etc. I remember there were several disk check tools.
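The reply above recommends exporting the two registry trees before running the script but the script itself takes no backup. The following batch file is an added example, not code from the thread: it exports both trees to timestamped .reg files tagged with the Windows build number, so a later import (run as TrustedInstaller, as described above) is done against a matching build. The `regbackup-...` folder name and the `:export` helper are this example's own choices.

```batch
@echo off & cd /d "%~dp0"
rem Added example (not from the thread): back up the key trees the logger
rem script modifies, before enabling or disabling anything.
setlocal

rem Record the Windows build, since the keys differ between Windows versions
rem and a backup should only be re-imported on the same build (e.g. 19045).
set "build=unknown"
for /f "tokens=3" %%b in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild ^| findstr /i "CurrentBuild"') do set "build=%%b"

rem Locale-independent timestamp (cmd's %DATE%/%TIME% formats vary by locale).
set "stamp=nostamp"
for /f %%t in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"') do set "stamp=%%t"

set "backupDir=%~dp0regbackup-%build%-%stamp%"
mkdir "%backupDir%" || (echo could not create "%backupDir%" & exit /b 1)

rem Exporting normally needs only read access, so no TrustedInstaller is required here.
call :export "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" "%backupDir%\AutoLogger.reg" || exit /b 1
call :export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT" "%backupDir%\WINEVT.reg" || exit /b 1

echo Backups written to "%backupDir%" (build %build%).
exit /b 0

:export
rem %1 = key path, %2 = output .reg file; /y overwrites silently.
reg export %1 %2 /y >nul
if errorlevel 1 (echo export of %1 FAILED & exit /b 1)
echo exported %1
exit /b 0
```

Keep the resulting folder off the system drive if you expect to run chkdsk or delete files there, since the .reg files are the only record of the original logger settings.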
Hello,
Found your wonderful script that really works. Now I have no more .etl logs at the locations I know about. But I have one question: how do I revert the changes? I couldn't delete the files in a certain folder on the system drive and had to run chkdsk; it completed, I deleted the files in question, but I would like to review the log.
Or is there any other way to view chkdsk logs? Does chkdsk even create logs after running the script?
Kind regards