# Event Log Structure (.evtx Files)

* **Format:** Modern Windows event logs (`.evtx` files) use a proprietary binary XML-based format. This format allows for structured logging and efficient storage.
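  The following PowerShell is an added example, not code from the original page: it reads the file header and chunk headers of an exported `.evtx` file and verifies their CRC32 checksums, so an examiner can see the structure described above (a 4096-byte header block followed by 64 KiB chunks of binary-XML records) and spot a log that is dirty, full, or has a header that no longer matches its checksum. The field offsets are taken from the libevtx format documentation and are an assumption of this example; the export path and the `wevtutil epl` step are illustrative.

```powershell
# Added example: inspect the binary structure of an exported .evtx file.
# Layout assumed from the libevtx documentation: 128-byte file header inside a
# 4096-byte header block ("ElfFile\0"), then 65536-byte chunks ("ElfChnk\0").
# Export a channel first, e.g.:  wevtutil epl Security C:\Temp\Security.evtx
# (the Security channel needs an elevated prompt).

function Get-Crc32 {
    # Standard reflected CRC-32 (polynomial 0xEDB88320), computed in Int64 to
    # avoid PowerShell's signed 32-bit hex literal quirks.
    param([byte[]]$Bytes, [int]$Offset = 0, [int]$Count = $Bytes.Length)
    $poly = [int64]3988292384      # 0xEDB88320
    $mask = [int64]4294967295      # 0xFFFFFFFF
    $crc  = $mask
    for ($i = $Offset; $i -lt ($Offset + $Count); $i++) {
        $crc = $crc -bxor [int64]$Bytes[$i]
        for ($b = 0; $b -lt 8; $b++) {
            if (($crc -band 1) -ne 0) { $crc = ($crc -shr 1) -bxor $poly }
            else                      { $crc = $crc -shr 1 }
        }
    }
    return [uint32]($crc -bxor $mask)
}

function Get-EvtxHeader {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 7)
    if ($sig -ne 'ElfFile' -or $bytes[7] -ne 0) { throw "Not an EVTX file: $Path" }
    $major = [BitConverter]::ToUInt16($bytes, 38)
    $minor = [BitConverter]::ToUInt16($bytes, 36)
    $flags = [BitConverter]::ToUInt32($bytes, 120)
    # The header checksum covers the first 120 bytes and is stored at offset 124.
    $storedCrc   = [BitConverter]::ToUInt32($bytes, 124)
    $computedCrc = Get-Crc32 -Bytes $bytes -Offset 0 -Count 120
    [pscustomobject]@{
        Path           = $Path
        FormatVersion  = "$major.$minor"
        FirstChunk     = [BitConverter]::ToUInt64($bytes, 8)
        LastChunk      = [BitConverter]::ToUInt64($bytes, 16)
        NextRecordId   = [BitConverter]::ToUInt64($bytes, 24)
        ChunkCount     = [BitConverter]::ToUInt16($bytes, 42)
        IsDirty        = ($flags -band 1) -ne 0   # normal for a log that was open when copied
        IsFull         = ($flags -band 2) -ne 0
        HeaderCrcValid = ($storedCrc -eq $computedCrc)
    }
}

function Get-EvtxChunks {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $chunkSize = 65536
    $offset = 4096          # chunks start right after the header block
    $index = 0
    while (($offset + $chunkSize) -le $bytes.Length) {
        $sig = [System.Text.Encoding]::ASCII.GetString($bytes, $offset, 7)
        if ($sig -ne 'ElfChnk') { break }   # unused chunk slots are zero-filled
        # Chunk checksum covers bytes 0-119 and 128-511 of the chunk, stored at 124.
        $covered = [byte[]]($bytes[$offset..($offset + 119)] + $bytes[($offset + 128)..($offset + 511)])
        $first = [BitConverter]::ToUInt64($bytes, $offset + 8)
        $last  = [BitConverter]::ToUInt64($bytes, $offset + 16)
        [pscustomobject]@{
            Index           = $index
            FirstRecordId   = [BitConverter]::ToUInt64($bytes, $offset + 24)
            LastRecordId    = [BitConverter]::ToUInt64($bytes, $offset + 32)
            Records         = $last - $first + 1
            FreeSpaceOffset = [BitConverter]::ToUInt32($bytes, $offset + 48)
            ChunkCrcValid   = (Get-Crc32 -Bytes $covered) -eq [BitConverter]::ToUInt32($bytes, $offset + 124)
        }
        $offset += $chunkSize
        $index++
    }
}

# Usage on an exported copy (illustrative path):
#   Get-EvtxHeader -Path C:\Temp\Security.evtx
#   Get-EvtxChunks -Path C:\Temp\Security.evtx | Format-Table
```

  A checksum mismatch, or record identifiers that jump between consecutive chunks, is worth a closer look but is not proof of tampering on its own; the dirty flag in particular is set on any log copied while the Event Log service still had it open.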
* **Channels:** Windows organizes events into different logs, known as *channels*, based on their source or purpose. Key channels frequently examined during screenshares include:
  * **Application:** Contains events logged by various installed applications (non-OS specific). Error reporting often appears here.
  * **Security:** Records security-related events based on the system's audit policy settings. This includes login attempts (success/failure), account management actions, object access (if enabled), policy changes, and importantly, **log clearing events (Event ID 1102)**. Accessing this log often requires administrator privileges.
  * **System:** Logs events generated by Windows system components themselves. This includes service start/stop events, driver loading issues, hardware errors, **system time changes (Event ID 4616)**, and **non-security log clearing (Event ID 104)**.
  * **Setup:** Records events related to the installation and setup of applications and Windows updates.
  * **ForwardedEvents:** Used in enterprise environments to collect events forwarded from other computers.
  * **Applications and Services Logs:** A broader category containing numerous specific logs for individual applications, services, or Windows features (e.g., Microsoft-Windows-TaskScheduler/Operational, Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-Ntfs/Operational for USN Journal deletion). Navigating these requires knowing which specific log might contain relevant information.
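  As an added example (not part of the original page), the PowerShell below queries the channels listed above on a live machine for the log-clearing and time-change Event IDs named in this section, and reports whether each channel exists, is enabled, and how many records it holds, which answers the "which specific log" question before any manual browsing. It must run from an elevated session because the Security channel is admin-only; the 30-day look-back window and the helper names are assumptions of this example, and `Get-WinEvent` with `-FilterHashtable` and `-ListLog` are standard cmdlet parameters.

```powershell
# Added example: check the channels from this section for the Event IDs it names.
# Run elevated. -ErrorAction SilentlyContinue suppresses the "No events were found"
# error Get-WinEvent raises for an empty result, so a clean machine returns nothing.

function Get-LogTamperingIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-30))   # assumed review window
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since }   # Security log cleared
        @{ LogName = 'System';   Id = 104;  StartTime = $Since }   # other channel cleared
        # 4616 (system time changed): Security is where the audit subsystem writes it,
        # System is included as well so the query matches either placement.
        @{ LogName = 'Security', 'System'; Id = 4616; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, ProviderName,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Get-ChannelStatus {
    param([string[]]$Channel = @(
        'Application', 'Security', 'System', 'Setup', 'ForwardedEvents',
        'Microsoft-Windows-TaskScheduler/Operational',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-Ntfs/Operational'))
    foreach ($name in $Channel) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ Channel = $name; Exists = $false; Enabled = $null; Records = $null }
            continue
        }
        [pscustomobject]@{
            Channel   = $name
            Exists    = $true
            Enabled   = $log.IsEnabled        # many Applications and Services logs are off by default
            Records   = $log.RecordCount
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            LastWrite = $log.LastWriteTime
            LogFile   = $log.LogFilePath
        }
    }
}

# Usage:
#   Get-ChannelStatus | Format-Table -AutoSize
#   Get-LogTamperingIndicators | Sort-Object TimeCreated | Format-Table -AutoSize
```

  A channel that reports `Enabled = False` or a small `MaxSizeMB` with a recent `LastWrite` is the practical reason a relevant event may simply not be there; check that before concluding that an activity did not happen.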
