document updated 16 years ago, on Sep 8, 2008

Using a LiveCD, it's possible to do a lot of Windows administration offline, you just sometimes need to know where to look.

Event log — usually in Windows\System32\Config\*.evt, but it could be moved elsewhere
Registry — copy ntuser.dat over, mount the hive