Change the Location of the Event Log (Standard 7 SP1)
7/8/2014
To improve the performance of Enhanced Write Filter (EWF) on a system that uses an event log, you can relocate the event log to an alternative partition that is not EWF-protected. This requires at least two partitions: one partition that EWF protects, and another partition that is writable.
To change the location of the event log
To move an event log to an unprotected volume, you must update the registry of the run-time image. Under each of the following three registry keys, modify the File value so that it points to a path on an unprotected volume.
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\
Value Name: File
Type: REG_EXPAND_SZ
Value: <Volume Name and Path>\AppEvent.evt
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\
Value Name: File
Type: REG_EXPAND_SZ
Value: <Volume Name and Path>\SecEvent.evt
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\
Value Name: File
Type: REG_EXPAND_SZ
Value: <Volume Name and Path>\SysEvent.evt
In each Value field, change the path of the event log file to a location on an unprotected volume.
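The procedure above as a PowerShell script that sets all three File values and reads each one back to confirm the data and the REG_EXPAND_SZ type. This is an added example, not part of the original page. Assumptions: `D:\EventLogs` is a constructed placeholder for a folder on your unprotected partition, the script runs elevated on the run-time image, and the registry change is made where it persists (EWF disabled, or the overlay committed afterward).

```powershell
# Added example: point the three event logs at an unprotected volume.
# $LogRoot is a constructed placeholder; use a folder on your writable (non-EWF) partition.
$LogRoot = 'D:\EventLogs'

# Log name -> file name, exactly as listed in the procedure above.
$Logs = @{
    Application = 'AppEvent.evt'
    Security    = 'SecEvent.evt'
    System      = 'SysEvent.evt'
}
$BaseKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Fail early if the target volume is missing, so File never points at a nonexistent drive.
$drive = Split-Path -Path $LogRoot -Qualifier
if (-not (Test-Path -Path "$drive\")) {
    throw "Target volume $drive is not available."
}
if (-not (Test-Path -Path $LogRoot)) {
    New-Item -Path $LogRoot -ItemType Directory | Out-Null
}

foreach ($name in $Logs.Keys) {
    $key  = Join-Path $BaseKey $name
    $file = Join-Path $LogRoot $Logs[$name]

    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }

    # Capture the previous (unexpanded) value so the change can be reverted.
    $old = (Get-Item -Path $key).GetValue('File', $null, 'DoNotExpandEnvironmentNames')

    # ExpandString is REG_EXPAND_SZ; -Force overwrites the existing value.
    New-ItemProperty -Path $key -Name 'File' -PropertyType ExpandString `
        -Value $file -Force | Out-Null

    # Read back and verify both the data and the value type.
    $regKey = Get-Item -Path $key
    $new    = $regKey.GetValue('File', $null, 'DoNotExpandEnvironmentNames')
    $kind   = $regKey.GetValueKind('File')
    if ($new -ne $file -or $kind -ne 'ExpandString') {
        throw "Verification failed for $name (type $kind, value $new)"
    }
    '{0,-12} {1} -> {2}' -f $name, $old, $new
}
```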