How to restore accidentally deleted log files

[Carol W.]

I accidentally deleted the Windows system log file available through Event Viewer. I was trying to track down how one of our office computers was shut down this morning. Was it a user who didn't know what button she was clicking or was it a spontaneous shutdown possibly caused by hardware?

At any rate, I cleared the log file instead of the filter I had set. Is there any way of getting the log file back? I Googled the issue before I posted here and it doesn't look good but I thought I'd ask the experts before giving up.

Thanks in advance.

[HansV]

Right-click C:\Windows\System32\winevt\Logs in Windows Explorer.
Select Properties from the context menu.
If the Properties dialog has a Previous Versions tab, activate it.
If there is a previous version from after the shutdown, but before you cleared the log, you can open it or copy it to a different location (I wouldn't simply restore it, that probably isn't allowed).

Otherwise, you could try Piriform Recuva to look for *.evtx files.
If Recuva hasn't been installed already on this PC, it's best to download the portable version on another computer and to copy it to a USB stick. Mount the USB stick on the problem computer and run Recuva from there. That way there is less chance of overwriting deleted files.
But don't hold your breath - the space of the deleted log files may already have been reused.

[Carol W.]

Hans,

Thanks for the advice. There were no previous versions available so I downloaded Recuva on to my machine and copied it to an external drive on the problem machine. I access the problem machine remotely via Teamviewer (except for the rare times when I'm in the office) so the USB stick solution didn't work but I thought an external drive would be just as good. Anyway, I pointed Recuva to the folder C:\Windows\System32\winevt\Logs and it found nothing. I'm rerunning it now with the "deep scan" option. I don't hold out a lot of hope.

A related question: Before I stupidly deleted the log file, my colleague and I did see an entry with code 1074 indicating that the machine had been shut down at 9:38 AM. The user in the event was not one of our eight user accounts. I inferred that the shutdown occurred from the "user account" screen on which the eight account icons reside. I don't remember exactly what the user was and I didn't take a screenshot. However, I'd recognize it if I saw it. What would the user be in the log entry if the machine was shut down from the screen before anyone had logged in?

Many thanks.

[HansV]

I hope someone else can answer that, I'm out of my depth here.

[StuartR]

Sorry, I can't help with this one either

[Carol W.]

Update: I was able to recover an old log (with Recuva) that had an entry with event id 1074. See attached screenshot. The user name I was trying to remember is NT Authority\System. This was confirmed by my colleague as being the user in the 11/14 9:38 AM event in question.

Would a shutdown from the "user account screen" (see other screenshot) have produced this log entry? BTW, I misspoke earlier. We have nine user accounts, not eight.

Thanks in advance.

[HansV]

It seems likely, but again, this is not my field.

[HansV]

By the way, MSKB article On a computer running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 an incorrect shutdown reason code written to SEL on user initiated shutdown suggests that there should be another event with code 1074 that gives a more accurate description than "No title for this reason could be found".

[Carol W.]

Thanks to all who replied. I believe this concludes my detective work.

We have one novice member who consistently can't tell the difference between logging off and shutting down.

[Claude]

We have one novice member who consistently can't tell the difference between logging off and shutting down.

I know exactly how you feel Carol

Glad the puzzle has been solved.

[Carol W.]

Claude,

This is only but one issue we run into managing multiple computers used by a membership of 300+ women. It is definitely enough to make one pull out one's hair.