Windows event logs were cleared, but resurrected in another file!

TL;DR:

The Windows Event Logging Service contains a bug (use of uninitialized memory) that sometimes causes recently deleted (cleared) log entries to be stored in other, unrelated *.evtx journal files. This happens when a rarely updated *.evtx journal file is cleared: its newly allocated and empty ElfChnk area (containing zero log entries) is filled with remnant data from the memory of the event logging service, which may include “resurrected” log entries from other, recently cleared journals. Once the first log entry is allocated in that area, the remnant part is wiped, so the “resurrected” log entries are lost as soon as the first new log entry is stored in that journal file. This is why the bug can be practically observed only in rarely updated journal files.
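As an added forensic check (not code from the original post), the following Python carves record remnants out of the region that an ElfChnk header declares as free space, which is exactly where the resurrected entries described above would sit. Chunk and record offsets follow the public EVTX format documentation; the sample chunk is constructed inline, not taken from a real log.

```python
import struct
from datetime import datetime, timedelta, timezone

CHUNK_SIZE = 0x10000
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # "**\0\0"
RECORD_HDR = 24                      # magic, size, record id, FILETIME
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC
    return _EPOCH + timedelta(microseconds=ft // 10)

def carve_residual_records(chunk):
    """Return records found beyond the chunk's declared free-space offset."""
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an ElfChnk chunk")
    free_off = struct.unpack_from("<I", chunk, 48)[0]
    pos, end, found = max(free_off, 512), len(chunk), []   # skip header/tables
    while pos + RECORD_HDR <= end:
        idx = chunk.find(RECORD_MAGIC, pos)
        if idx < 0 or idx + RECORD_HDR > end:
            break
        size = struct.unpack_from("<I", chunk, idx + 4)[0]
        # accept only a record whose trailing size copy matches its header
        if RECORD_HDR + 4 <= size <= end - idx and \
           struct.unpack_from("<I", chunk, idx + size - 4)[0] == size:
            rec_id, ft = struct.unpack_from("<QQ", chunk, idx + 8)
            found.append({"offset": idx, "record_id": rec_id,
                          "written": filetime_to_dt(ft),
                          "binxml": chunk[idx + RECORD_HDR:idx + size - 4]})
            pos = idx + size
        else:
            pos = idx + 1
    return found

def carve_file(data):
    """Walk every 64 KiB chunk after the 4 KiB ElfFile header."""
    return [r for off in range(4096, len(data) - CHUNK_SIZE + 1, CHUNK_SIZE)
            for r in carve_residual_records(data[off:off + CHUNK_SIZE])]

def build_record(rec_id, ft, payload):
    size = RECORD_HDR + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft)
            + payload + struct.pack("<I", size))

def demo_chunk():
    # Constructed: a freshly cleared chunk (0 records, free space from 512)
    # whose free region still holds one stale record from another journal.
    hdr = CHUNK_MAGIC + struct.pack("<QQQQIIII", 0, 0, 0, 0, 128, 0, 512, 0)
    chunk = bytearray(hdr.ljust(CHUNK_SIZE, b"\x00"))
    stale = build_record(4242, 132_000_000_000_000_000, b"\x0f\x01\x01\x00stale")
    chunk[0x300:0x300 + len(stale)] = stale
    return bytes(chunk)
```

Real-world use: run `carve_file` over a suspicious, rarely updated *.evtx and compare the carved record identifiers and timestamps with the cleared journal's expected range.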
