The Full Wiki

Event Viewer: Wikis


Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.


From Wikipedia, the free encyclopedia

Event Viewer
Eventvwr icon.png
Windows Vista Event Viewer.png
Event Viewer in Windows Vista SP1
Developer(s) Microsoft
Stable release 6.0.6001 / February 4, 2008
Operating system Microsoft Windows
Type Event Viewer
License Microsoft EULA
Event Viewer in Windows XP.
Event Viewer in Windows Vista.

Event Viewer, a component of Microsoft's Windows NT line of operating systems, lets administrators and users view the event logs on a local or remote machine. In Windows Vista, Microsoft overhauled the event system.[1]



Windows NT has featured event logs since its original release in 1993. Applications and operating system components can make use of this centralized log service to report events that have taken place, such as a failure to start a component or complete an action. The system defines three log sources:

  1. "System"
  2. "Application"
  3. "Security"

Microsoft intends the System and Application log sources for use by the Windows operating system and Windows applications respectively. Only the Local Security Authority Subsystem Service (lsass.exe) can directly write to the Security log.

The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication fails, the system may generate Event ID 672.

Windows NT 4.0 added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.

Windows 2000 added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console (MMC) snap-in.

Windows Server 2003 added the AuthzInstallSecurityEventSource() API calls so that applications could register with the security event logs, and write security audit entries.[2]

Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the on-disk files were opened as memory-mapped files in kernel memory space, which used the same memory pools as other kernel components.

Windows Vista

Event Viewer consists of a rewritten event tracing and logging architecture on Windows Vista.[1] It has been rewritten around a well-defined structured XML log-format and a designated log type to allow applications to more precisely log events and make it easier for support technicians and developers to interpret the events. The XML representation of the event can be viewed on the Details tab in an event's properties. It is also possible to view all potential events, their structures, registered event publishers and their configuration using the wevtutil utility, even before the events are fired. There are a large number of different types of event logs including Administrative, Operational, Analytic, and Debug log types. Selecting the Application Logs node in the Scope pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs. Analytic and Debug events which are high frequency are directly saved into a trace file while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service. Events are published asynchronously to reduce the performance impact on the event publishing application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.

Users can filter event logs by one or more criteria or by a standard XPath_1.0[3] expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing logs related only to a certain subsystem or an issue with only a certain component, archiving select events and sending traces on the fly to support technicians.


Filtering Using XPath 1.0

  1. Open Windows Event Log
  2. Expand out Windows Logs
  3. Select the log file that is of interest to you (In the example below, we use the Security event log)
  4. Right-click on the Event Log and select Filter Current Log...
  5. Change the selected tab from Filter to XML
  6. Check the box to Edit query manually'
  7. Paste your query into the text box. You will find sample queries below.

it it is program for c#

Here are examples of simple custom filters for the new Window Event Log:

  1. Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"
    1. <QueryList><Query id="wikipedia_0" Path="Security"><Select Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="JUser")]]</Select></Query></QueryList>
  2. Select all events in the Security Event Log where the string "JUser" is present as data anywhere in the EventData section
    1. <QueryList><Query id="wikipedia_0" Path="Security"><Select Path="Security">*[EventData[Data and (Data="JUser")]]</Select></Query></QueryList>
  3. Select all events in the Security Event Log where the strings "JUser" or "JDoe" are present as data anywhere in the EventData section
    1. <QueryList><Query id="wikipedia_0" Path="Security"><Select Path="Security">*[EventData[Data and (Data="JUser" or Data="JDoe")]]</Select></Query></QueryList>
  4. Select all events in the Security Event Log where the string "JUser" is present as data anywhere in the EventData section and the Event ID is "4471"
    1. <QueryList><Query id="wikipedia_0" Path="Security"><Select Path="Security">*[System[(EventID="4771")]] and *[EventData[Data and (Data="JUser")]]</Select></Query></QueryList>

Event Subscribers

Major event subscribers include the Event Collector service and Task Scheduler 2.0. The Event Collector service can automatically forward event logs to other remote systems, running Windows Vista, Windows Server 2008 or Windows Server 2003 R2 on a configurable schedule. Event logs can also be remotely viewed from other computers or multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned Task Scheduler and trigger automated actions when particular events take place.

See also


External links


Got something to say? Make a comment.
Your name
Your email address