Anyone know why I can't access the winevt folder programmatically in C#?

Question

I've been trying to get into the 'C:\Windows\System32\winevt\Logs' folder programmatically using C# so I can copy the event log files to a backup directory and then clear the event logs as a part of a daily backup apparatus, but I don't seem to be able to get access to this directory.

I've tried changing the application manifest to run under administrator ( ) which gives me the UAC prompt when I execute the program and I've even gone as far as to spawn a shell under NT AUHORITY\SYSTEM identity to execute the code but it still says it's an invalid path, even though I can manually go into the directory under both administrative shell and the SYSTEM shell.

I've isolated it to just not being able to go into the winevt dir. I use this code to see if I can access the directory.

Environment.CurrentDirectory = System.Environment.SystemDirectory + @"\winevt\";

only to receive

System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Windows\system32\winevt\'. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.Directory.SetCurrentDirectory(String path) at System.Environment.set_CurrentDirectory(String value) at dev_EventLog.Program.Main(String[] args) in D:\SourceCodes\dev_EventLog\dev_EventLog\Program.cs:line 30

I've tried many different ways to specify the directory but it's all the same, and I've also tried different subfolder of System32 and of the 10 or so I tried winevt is the only one to act like this.

This has been driving me nuts, anyone know why this isn't working under C# or am I forced to use VBScript to do this, since the following VBScript code works to copy the event log file.

dim filesys set filesys=CreateObject("Scripting.FileSystemObject") filesys.CopyFile "C:\Windows\System32\winevt\Logs\Application.evtx", "C:\rusl\Application.evtx"

Answer 1

Is your application running as a 32-bit application on a 64-bit version of Windows? If so, any access to %windir%\System32 is redirected to %windir%\SystemWOW64 (where there is no winevt directory).

If you use %windir%\Sysnative\winevt you should be able to access it.

Answer 2

Here is the code that I have that works now after I changed system32 to sysnative as per John Rasch suggestion.

string LogFileDirectory = @"C:\Windows\Sysnative\winevt\Logs\";
string LogFileExtension = ".evtx";
string Date = DateTime.Now.Year.ToString() + "-" + DateTime.Now.Month.ToString() + "-" + DateTime.Now.Day.ToString();
string BackupDir = @"C:\Backups\" + Date + "\\";
Directory.CreateDirectory(BackupDir);
foreach (EventLog log in EventLog.GetEventLogs())
{
 string source = LogFileDirectory + log.Log + LogFileExtension;
 string dest = BackupDir + log.Log + LogFileExtension;
 try
 {
  File.Copy(source, dest);
 }
 catch (Exception e)
 {
  Console.WriteLine("Error occured :" + e.Message);
  Console.WriteLine(e);
 }
 finally
 {
  if (!File.Exists(dest))
  {
   Console.WriteLine("Backup Failed for " + log.Log);
  }
  else
  {
   Console.WriteLine("Backup Successful for " + log.Log);
   //log.Clear();  // Commented out during development
  }
 }
}