Where Are Windows Event Log Files Located on Disk? A Clear, No‑Nonsense Guide

Default Windows event logs live at: %SystemRoot%\System32\winevt\Logs (typically C:\Windows\System32\winevt\Logs)

You can confirm the exact file path for any log with the built-in wevtutil command

Copying .evtx files directly can fail when they’re in use—export them safely instead

Special setup/installation logs live under %WINDIR%\Panther

Admin rights are often required to view, export, or copy logs

The short answer: the default location

On modern Windows versions (Windows 10/11 and Server editions), Event Viewer log files are stored here:

Environment variable form: %SystemRoot%\System32\winevt\Logs

Typical full path: C:\Windows\System32\winevt\Logs

Each log channel corresponds to an .evtx file in that folder (for example, Application.evtx, System.evtx, Security.evtx). This path is widely referenced in practice and documentation, and you can verify it on your system using Microsoft’s wevtutil tool, which exposes the configured file path for any log channel (see References).

Special cases and related locations

While most “Event Viewer” logs live in winevt\Logs, a few adjacent log types sit elsewhere:

Windows Setup (installation) logs: %WINDIR%\Panther (used during setup/upgrade; some entries also surface in Event Viewer) [Microsoft Learn: Windows Setup Log Files].

Forwarded Events: Stored as ForwardedEvents.evtx in the same winevt\Logs directory when using Windows Event Collector.

Custom or operational channels: Most still use winevt\Logs by default, but administrators can change a channel’s file path.

Tip: Environment variables are your friend. %SystemRoot% and %WINDIR% usually resolve to C:\Windows, but they’ll adapt if Windows is installed on a different drive.

How to confirm the path on your machine

You don’t have to guess. Windows can tell you exactly where each log is stored.

Option 1: Event Viewer (GUI)

1. Open Event Viewer (Start menu, search “Event Viewer”).
2. In the left pane, expand Windows Logs or Applications and Services Logs.
3. Right‑click a log (e.g., System) > Properties.
4. Look for the Full Name or Log path field. That’s the .evtx file on disk.

Option 2: Command line (wevtutil)

List all logs:

wevtutil el

Show the configuration (including file path) for a specific log:

wevtutil gl System

wevtutil gl "Microsoft-Windows-GroupPolicy/Operational"

The “get-log” output includes the Path value—the exact .evtx file location [Microsoft Learn: wevtutil].

Exporting or backing up logs safely

Copying .evtx files straight from C:\Windows\System32\winevt\Logs can fail if the Event Log service is writing to them. Safer options:

Use wevtutil export (recommended)

Example: export the System log to a new .evtx file

wevtutil epl System C:\Temp\SystemBackup.evtx

For an operational channel:

wevtutil epl "Microsoft-Windows-GroupPolicy/Operational" C:\Temp\GP-Operational.evtx

Or clear with backup in one step (be careful—this clears the live log):

wevtutil cl System /bu:C:\Temp\System-BeforeClear.evtx

These commands are documented and supported by Microsoft and ensure a clean, consistent copy [Microsoft Learn: wevtutil].

Access permissions, 32/64‑bit notes, and troubleshooting

Permissions: You’ll often need to run Command Prompt or Power

Shell as Administrator to read, export, or modify logs—especially Security.

File locking: If you must copy .evtx files directly, stop the Windows Event Log service first or use Volume Shadow Copy. Exporting via wevtutil is usually easier.

32/64‑bit paths: The logs live under System32 on both 64-bit and 32-bit systems. Don’t be misled by SysWOW64 redirection—stick with %SystemRoot%\System32\winevt\Logs.

Non‑C: installs: If Windows is not on C:, the environment variables (%SystemRoot%, %WINDIR%) will point to the correct drive and folder.

Common log filenames you’ll see

In C:\Windows\System32\winevt\Logs you’ll typically find:

• Application.evtx
• System.evtx
• Security.evtx
• Setup.evtx
• ForwardedEvents.evtx
• Dozens (or hundreds) of additional operational and analytic channels, e.g., Microsoft-Windows-GroupPolicy%4Operational.evtx

Note: Windows setup/upgrade has additional, detailed logs under %WINDIR%\Panther, separate from the Event Viewer channels [Microsoft Learn: Windows Setup Log Files].

Quick checklist

• Need the path? Check with wevtutil gl or Event Viewer > Properties.
• Need a backup? Use wevtutil epl to export safely.
• Seeing access denied? Run as Administrator.
• Unsure which drive? Use %SystemRoot% or %WINDIR% to stay flexible.

Conclusion: What to remember

• Most Event Viewer logs live in %SystemRoot%\System32\winevt\Logs as .evtx files.
• Confirm the exact path anytime with Event Viewer or wevtutil gl.
• Export with wevtutil epl for clean backups without stopping services.
• For setup/installation tracing, check %WINDIR%\Panther.

With these paths and commands, you can find, verify, and safely copy the log data you need—no guesswork required.