How to start Event Viewer in running Win10XPE?

Occasionally a certain (added) program crashes in booted Win10XPE system.

In order to find more about the reason I want to call the (normally) built in Event Viewer.
Unfortunately the

eventvwr.msc

cannot be started.

Whats wrong?

If this Event Viewer not added automatically: How can I add it?

I found no corresponding plugin

Hi tobwz,
Adding eventlog is not really complex. I do it in "my" winpe but I build "my" winpe with my own script.
If you can use procmon, you'll quickly find all the missing files and keys. I'll try to make a delta/difference with WimBuilder2.
I forget the "sesame": after adding the files/keys, you need the sequence: net stop eventlog/delete "MiniNt" key/net start eventlog/create MiniNt
I explain a little this in my .pdf file (in microWinpeBuilder somewhere in this forum). Because no one asked me to give more details...

Eventlog service runs and logs in files  even if you can't use eventvwr.msc. Logs are always product.
Even if you can't add eventvw.msc  by yourself, you can also transport log files (application.evtx and system.evtx) from x:\windows\system32\winevt\logs to another machine and open them in eventvwr.msc.

Eventvwr uses data contained in the  system\...\services\eventlog key ( big size ! ). This datas is used to construct the final text. The log file contains only the "variable" data of the text. Your machine on which you are reading these logs may not contain all the datas (too many cases to explain, my poor english ...).

hi tobwz
sorry for my poor english....and i hope i understand your need....

i look in my script and find these files :
;mmc eventvwr
windows\system32\eventvwr.msc
WINDOWS\Microsoft.NET\assembly\GAC_MSIL\EventViewer\v4.0_10.0.0.0__31bf3856ad364e35\EventViewer.dll
Windows\Microsoft.NET\assembly\GAC_MSIL\EventViewer.Resources\
Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls\
Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls.Resources\
windows\system32\miguiresource.dll
windows\system32\eventvwr.exe
windows\system32\wevtfwd.dll
windows\system32\els.dll
windows\system32\wecapi.dll
windows\system32\wecsvc.dll
windows\system32\wecutil.exe
;mmc gac_msil :
WINDOWS\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll
WINDOWS\assembly\GAC_MSIL\MMCEx.Resources\
WINDOWS\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35\MMCFxCommon.dll
WINDOWS\assembly\GAC_MSIL\MMCFxCommon.Resources\
WINDOWS\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll
With procmon, i quickly view these  files are missing in an ISO build with wimbuilder2
Because i can't use other builders (too complexe for me) i don't know if it's enought for your need.
And because "my" builder is different than other builders i can't affirm ti's good for you.
It's a biginning. You can try to add and look with procmon...
Hope this can help you

@noelblanc:

Unfortunately this all seems to be very difficult.
I wonder why the EventViewer is not active by default.
At least EventViewer stuff should be addable in PEBakery Build as a checkbox option

Hi tobwz,

Event Viewer in XPE does not log events because the Windows Event Collector Service is not present, the .EVT* are not even created, it needs .NET2.0 and a whole lot of files/registry entries. I think that it is because it is WinRE based, I tried adding wecsvc and it wont start.

So I stopped trying to make it work. Most of the time I use Alternatives that does not rely on the .NET Framework under PE, so I use Event Log Explorer to access offline Windows Logs and it works Perfectly.

I was too lazy to make my plugin portable but... Finally I did it. If you Want to give it a try...

I distribute the software without a licence key. You can get it from the download page of the software for the free home edition or enter your standard/enterprise version key.

@Malok:

Thank you. But as far as I understand Event Log Explorer just collects and displays whats is written into Event logs.

So when there is not event logging available in Win10 core then Event Log Explorer tool cannot show something.

Even if you have a working event log service in most cases the crash event logged in the event log is typically not very useful. Most people use sysinternals procmon to investigate why a given program does not work in windows PE.

You could also use my Event Viewer (PE) program which lists all .evtx files on the host machine e.g. located in C:\windows\system32\winevt\Logs and allows you to view them / filter them etc

Download here - https://www.pcassistsoftware.co.uk/free.html
Plugin here - http://theoven.org/index.php?topic=2607.msg28642#msg28642