Event Viewer

eventquery.vbs, eventcreate, eventtriggers
Developer(s)	Microsoft
Initial release	October 25, 2001;22 years ago
Operating system	Microsoft Windows
Type	Command
License	Proprietary commercial software
Website	docs.microsoft.com/en-us/windows-server/administration/windows-commands/eventcreate

Event Viewer Log
	Event Viewer in Windows 10
Developer(s)	Microsoft
Operating system	Microsoft Windows
Service name	Windows Event log (eventlog)
Type	Utility software

Last updated April 07, 2024

Event Viewer is a component of Microsoft's Windows NT operating system that lets administrators and users view the event logs, typically file extensions .evt and .evtx, on a local or remote machine. Applications and operating-system components can use this centralized log service to report events that have taken place, such as a failure to start a component or to complete an action. In Windows Vista, Microsoft overhauled the event system.^[1]

Due to the Event Viewer's routine reporting of minor start-up and processing errors (which do not, in fact, harm or damage the computer), the software is frequently used by technical support scammers to trick the victim into thinking that their computer contains critical errors requiring immediate technical support.^[2] An example is the "Administrative Events" field under "Custom Views" which can have over a thousand errors or warnings logged over a month's time.

Overview

Windows NT has featured event logs since its release in 1993.

The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication fails, the system may generate Event ID 672.

Windows NT 4.0 added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.

Windows 2000 added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log-files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console (MMC) snap-in.

Windows Server 2003 added the AuthzInstallSecurityEventSource() API calls so that applications could register with the security-event logs, and write security-audit entries.^[3]

Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the system opened on-disk files as memory-mapped files in kernel memory space, which used the same memory pools as other kernel components.

Event Viewer log-files with filename extension evtx typically appear in a directory such as C:\Windows\System32\winevt\Logs\

Command-line interface

Windows XP introduced set of three command-line interface tools, useful to task automation:

eventquery.vbs – Official script to query, filter and output results based on the event logs.^[4] Discontinued after XP.
eventcreate – a command (continued in Vista and 7) to put custom events in the logs.^[5]
eventtriggers – a command to create event driven tasks.^[6] Discontinued after XP, replaced by the "Attach task to this event" feature, that is, from within the list of events, Right-Click on a single event and select from the pop-up menu.

Windows Vista

Event Viewer consists of a rewritten event tracing and logging architecture on Windows Vista.^[1] It has been rewritten around a structured XML log-format and a designated log type to allow applications to more precisely log events and to help make it easier for support technicians and developers to interpret the events.

The XML representation of the event can be viewed on the Details tab in an event's properties. It is also possible to view all potential events, their structures, registered event publishers and their configuration using the wevtutil utility, even before the events are fired.

There are a large number of different types of event logs including Administrative, Operational, Analytic, and Debug log types. Selecting the Application Logs node in the Scope pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs.

Analytic and Debug events which are high frequency are directly saved into a trace file while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service.

Events are published asynchronously to reduce the performance impact on the event publishing application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.

Users can filter event logs by one or more criteria or by a limited XPath 1.0 expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing logs related only to a certain subsystem or an issue with only a certain component, archiving select events and sending traces on the fly to support technicians.

Filtering using XPath 1.0

Open Windows Event Log
Expand out Windows Logs
Select the log file that is of interest (In the example below, the Security event log is used)
Right-click on the Event Log and select Filter Current Log...
Change the selected tab from Filter to XML
Check the box to Edit query manually'
Paste the query into the text box. Sample queries can be found below.

Here are examples of simple custom filters for the new Window Event Log:

Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="JUser"]]</Select></Query></QueryList>
Select all events in the Security Event Log where any Data node of the EventData section is the string "JUser"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser"]]</Select></Query></QueryList>
Select all events in the Security Event Log where any Data node of the EventData section is "JUser" or "JDoe"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser" or Data="JDoe"]]</Select></Query></QueryList>
Select all events in the Security Event Log where any Data node of the EventData section is "JUser" and the Event ID is "4471"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID="4471"]] and *[EventData[Data="JUser"]]</Select></Query></QueryList>
Real-world example for a package called Goldmine which has two @Names
<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='GoldMine' or @Name='GMService']]]</Select></Query></QueryList>

Caveats:

There are limitations to Microsoft's implementation of XPath^[7]
Queries using XPath string functions will result in error^[8]

Event subscribers

Major event subscribers include the Event Collector service and Task Scheduler 2.0. The Event Collector service can automatically forward event logs to other remote systems, running Windows Vista, Windows Server 2008 or Windows Server 2003 R2 on a configurable schedule. Event logs can also be remotely viewed from other computers or multiple event logs can be centrally logged and monitored without an agent and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned Task Scheduler and trigger automated actions when particular events take place.

Related Research Articles

Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and designed for businesses as the direct successor to Windows NT 4.0. It was released to manufacturing on December 15, 1999, officially released to retail on February 17, 2000, and released on September 26, 2000, for Windows 2000 Datacenter Server. It was Microsoft's business operating system until the introduction of Windows XP Professional in 2001.

New Technology File System (NTFS) is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It superseded File Allocation Table (FAT) as the preferred filesystem on Windows and is supported in Linux and BSD as well. NTFS reading and writing support is provided using a free and open-source kernel implementation known as NTFS3 in Linux and the NTFS-3G driver in BSD. By using the convert command, Windows can convert FAT32/16/12 into NTFS without the need to rewrite all files. NTFS uses several files typically hidden from the user to store metadata about other files stored on the drive which can help improve speed and performance when reading data. Unlike FAT and High Performance File System (HPFS), NTFS supports access control lists (ACLs), filesystem encryption, transparent compression, sparse files and file system journaling. NTFS also supports shadow copy to allow backups of a system while it is running, but the functionality of the shadow copies varies between different versions of Windows.

Windows Management Instrumentation (WMI) consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. WMI is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF).

File Explorer, previously known as Windows Explorer, is a file manager application and default desktop environment that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems, as well as user interface elements such as the taskbar and desktop.

<span class="mw-page-title-main">Windows Registry</span> Database for Microsoft Windows

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy allows Group Policy Object management without Active Directory on standalone computers.

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.

Compared with previous versions of Microsoft Windows, features new to Windows Vista are very numerous, covering most aspects of the operating system, including additional management features, new aspects of security and safety, new I/O technologies, new networking features, and new technical features. Windows Vista also removed some others.

Indexing Service was a Windows service that maintained an index of most of the files on a computer to improve searching performance on PCs and corporate computer networks. It updated indexes without user intervention. In Windows Vista it was replaced by the newer Windows Search Indexer. The IFilter plugins to extend the indexing capabilities to more file formats and protocols are compatible between the legacy Indexing Service how and the newer Windows Search Indexer.

Microsoft Management Console (MMC) is a component of Microsoft Windows that provides system administrators and advanced users an interface for configuring and monitoring the system. It was first introduced in 1998 with the Option Pack for Windows NT 4.0 and later came pre-bundled with Windows 2000 and its successors.

In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services. It is the Services and Controller app, services.exe, that launches all the services and manages their actions, such as start, end, etc.

The NTFS file system defines various ways to redirect files and folders, e.g., to make a file point to another file or its contents without making a copy of it. The object being pointed to is called the target. Such file is called a hard or symbolic link depending on a way it's stored on the filesystem.

Performance Monitor is a system monitoring program introduced in Windows NT 3.1. It monitors various activities on a computer such as CPU or memory usage. This type of application may be used to determine the cause of problems on a local or remote computer by measuring performance of hardware, software services, and applications. The program can define thresholds for alerts and automatic actions, generate reports, and view past performance data.

Windows Vista has many significant new features compared with previous Microsoft Windows versions, covering most aspects of the operating system.

Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.

Task Scheduler is a job scheduler in Microsoft Windows that launches computer programs or scripts at pre-defined times or after specified time intervals. Microsoft introduced this component in the Microsoft Plus! for Windows 95 as System Agent. Its core component is an eponymous Windows service. The Windows Task Scheduler infrastructure is the basis for the Windows PowerShell scheduled jobs feature introduced with PowerShell v3.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

Windows Search is a content index desktop search platform by Microsoft introduced in Windows Vista as a replacement for both the previous Indexing Service of Windows 2000 and the optional MSN Desktop Search for Windows XP and Windows Server 2003, designed to facilitate local and remote queries for files and non-file items in compatible applications including Windows Explorer. It was developed after the postponement of WinFS and introduced to Windows constituents originally touted as benefits of that platform.

References

1 2 "New tools for Event Management in Windows Vista". TechNet . Microsoft. November 2006.
↑ Anderson, Nate (October 4, 2012). ""I am calling you from Windows": A tech support scammer dials Ars Technica". Ars Technica.
↑ "AuthzInstallSecurityEventSource Function". MSDN . Microsoft . Retrieved October 5, 2007.
↑ LLC), Tara Meyer (Aquent. "Eventquery.vbs". docs.microsoft.com.
↑ LLC), Tara Meyer (Aquent. "Eventcreate". docs.microsoft.com.
↑ LLC), Tara Meyer (Aquent. "Eventtriggers". docs.microsoft.com.
↑ "Microsoft's Implementation and Limitations of XPath 1.0 in Windows Event Log". MSDN . Microsoft . Retrieved August 7, 2009.
↑ "Powershell script to filter events using an Xpath query" . Retrieved September 20, 2011.

External links

Official sources:
- Event Viewer - Inside Show on Microsoft Learn
- Events and Errors (Windows Server 2008) on Microsoft Learn

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Eventlog-1] 1 2 "New tools for Event Management in Windows Vista". TechNet . Microsoft. November 2006.

[2] Anderson, Nate (October 4, 2012). ""I am calling you from Windows": A tech support scammer dials Ars Technica". Ars Technica.

[3] "AuthzInstallSecurityEventSource Function". MSDN . Microsoft . Retrieved October 5, 2007.

[4] LLC), Tara Meyer (Aquent. "Eventquery.vbs". docs.microsoft.com.

[5] LLC), Tara Meyer (Aquent. "Eventcreate". docs.microsoft.com.

[6] LLC), Tara Meyer (Aquent. "Eventtriggers". docs.microsoft.com.

[7] "Microsoft's Implementation and Limitations of XPath 1.0 in Windows Event Log". MSDN . Microsoft . Retrieved August 7, 2009.

[8] "Powershell script to filter events using an Xpath query" . Retrieved September 20, 2011.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

v t e Windows command-line programs and shell builtins
COMMAND.COM Command Prompt Windows PowerShell Recovery Console
File system navigation	cd (chdir) dir popd pushd tree
File management	attrib cacls cipher compact copy del (erase) deltree icacls mkdir (md) mklink move openfiles recover ren (rename) replace rmdir (rd) robocopy takeown xcopy
Archiving	expand extrac32 extract makecab pax tar
Disk management	chkdsk convert defrag diskcomp diskcopy diskpart diskraid diskshadow drvspace fdisk format fsutil label manage-bde refsutil subst scandisk sys vol vssadmin
Processes	at exit kill powercfg runas sc schtasks shutdown start taskkill tasklist
Registry	assoc ftype reg regini regsvr32
User environment	chcp cmdkey date graftabl mode path set setver setx time title ver where whoami
File contents	comp edit edlin fc find findstr print type
Scripting	choice clip cscript doskey echo for forfiles goto if more pause prompt rem timeout
Networking	arp bitsadmin curl getmac hostname ipconfig nbtstat net netsh netstat nslookup PathPing ping rpcping route scp setspn sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan tracert winrm winrs
Maintenance and care	auditpol dispdiag driverquery eventcreate eventtriggers logman mofcomp msiexec ntbackup pnpunattend pnputil REAgentC relog sfc sxstrace systeminfo tracerpt typeperf w32tm WBAdmin wecutil wevtutil winmgmt winsat wmic
Boot management	bcdedit bootcfg bootsect fixboot fixmbr
Software development	debug exe2bin QBasic
Miscellaneous	break cls dism dpath gpresult gpupdate help MSCDEX pentnt tpmtool tpmvscmgr wsl
List of DOS commands Environment variables Windows Support Tools