Event Viewer

From Wikipedia, the free encyclopedia

Event Viewer Log
Developer(s): Microsoft
Operating system: Microsoft Windows
Service name: Windows Event log (eventlog)
Type: Utility software

Event Viewer is a component of Microsoft's Windows NT operating system that lets administrators and users view the event logs, typically files with the extensions .evt and .evtx, on a local or remote machine. Applications and operating-system components can use this centralized log service to report events that have taken place, such as a failure to start a component or to complete an action. In Windows Vista, Microsoft overhauled the event system.[1]

Due to the Event Viewer's routine reporting of minor start-up and processing errors (which do not, in fact, harm or damage the computer), the software is frequently used by technical support scammers to trick the victim into thinking that their computer contains critical errors requiring immediate technical support.[2] An example is the "Administrative Events" field under "Custom Views", which can have over a thousand errors or warnings logged over a month's time.

Overview


Windows NT has featured event logs since its release in 1993.

The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication fails, the system may generate Event ID 672.

Windows NT 4.0 added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.

Windows 2000 added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console (MMC) snap-in.

Windows Server 2003 added the AuthzInstallSecurityEventSource() API calls so that applications could register with the security-event logs and write security-audit entries.[3]

Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the system opened on-disk files as memory-mapped files in kernel memory space, which used the same memory pools as other kernel components.

Event Viewer log files with the filename extension .evtx typically appear in a directory such as C:\Windows\System32\winevt\Logs\

Command-line interface

eventquery.vbs, eventcreate, eventtriggers
Developer(s): Microsoft
Initial release: October 25, 2001; 22 years ago (2001-10-25)
Operating system: Microsoft Windows
Type: Command
License: Proprietary commercial software
Website: docs.microsoft/en-us/windows-server/administration/windows-commands/eventcreate

Windows XP introduced a set of three command-line interface tools, useful for task automation:

  • eventquery.vbs – official script to query, filter and output results based on the event logs.[4] Discontinued after XP.
  • eventcreate – a command (continued in Vista and 7) to put custom events in the logs.[5]
  • eventtriggers – a command to create event-driven tasks.[6] Discontinued after XP, replaced by the "Attach task to this event" feature, that is, from within the list of events, right-click on a single event and select it from the pop-up menu.

Windows Vista


Event Viewer consists of a rewritten event tracing and logging architecture on Windows Vista.[1] It has been rewritten around a structured XML log format and a designated log type to allow applications to log events more precisely and to help make it easier for support technicians and developers to interpret the events.

The XML representation of the event can be viewed on the Details tab in an event's properties. It is also possible to view all potential events, their structures, registered event publishers and their configuration using the wevtutil utility, even before the events are fired.

There are a large number of different types of event logs, including Administrative, Operational, Analytic, and Debug log types. Selecting the Application Logs node in the Scope pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs.

Analytic and Debug events, which are high-frequency, are saved directly into a trace file, while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service.

Events are published asynchronously to reduce the performance impact on the event-publishing application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.

Users can filter event logs by one or more criteria or by a limited XPath 1.0 expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing logs related only to a certain subsystem or an issue with only a certain component, archiving select events and sending traces on the fly to support technicians.

Filtering using XPath 1.0

  1. Open Windows Event Log
  2. Expand out Windows Logs
  3. Select the log file that is of interest (in the example below, the Security event log is used)
  4. Right-click on the Event Log and select Filter Current Log...
  5. Change the selected tab from Filter to XML
  6. Check the box to Edit query manually
  7. Paste the query into the text box. Sample queries can be found below.

Here are examples of simple custom filters for the new Windows Event Log:

  1. Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"
     <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="JUser"]]</Select></Query></QueryList>
  2. Select all events in the Security Event Log where any Data node of the EventData section is the string "JUser"
     <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser"]]</Select></Query></QueryList>
  3. Select all events in the Security Event Log where any Data node of the EventData section is "JUser" or "JDoe"
     <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser" or Data="JDoe"]]</Select></Query></QueryList>
  4. Select all events in the Security Event Log where any Data node of the EventData section is "JUser" and the Event ID is "4471"
     <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID="4471"]] and *[EventData[Data="JUser"]]</Select></Query></QueryList>
  5. Real-world example for a package called GoldMine, which registers two provider names (@Name values)
     <QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='GoldMine' or @Name='GMService']]]</Select></Query></QueryList>
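The same QueryList filter can be run without the GUI steps above. The following is an added example, not from the original article: it submits the first sample query (events whose TargetUserName is "JUser") to the Security log via Get-WinEvent and pulls the relevant EventData fields out of each match's XML, the same XML the Details tab shows. It assumes an elevated session, since reading the Security log requires administrative rights, and the account name "JUser" is the article's constructed sample value.

```powershell
# Added example: run the article's TargetUserName filter with Get-WinEvent.
param(
    [string]$TargetUser = 'JUser',   # constructed sample account name from the article
    [int]$MaxEvents     = 50
)

# Same QueryList structure as the article's sample filters, as a here-string.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name="TargetUserName"]="$TargetUser"]]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises a terminating error when nothing matches, rather than
# returning an empty result, so treat "no events" as a normal outcome.
try {
    $events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    Write-Warning "No events matched or the log could not be read: $($_.Exception.Message)"
    return
}

foreach ($e in $events) {
    # ToXml() returns the record in the Vista-era XML schema; PowerShell's [xml]
    # dot-navigation ignores the default namespace, so Event.EventData.Data works.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        EventId        = $e.Id
        Provider       = $e.ProviderName
        TargetUserName = $data['TargetUserName']
        LogonType      = $data['LogonType']     # present on logon events only
        IpAddress      = $data['IpAddress']     # present on logon events only
    }
}
```

Swap the here-string for any of the other sample queries (for example the Application-log provider filter) to reuse the same extraction loop; the @Name-based Data lookup is what makes the output independent of field order.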

Caveats:

Event subscribers


Major event subscribers include the Event Collector service and Task Scheduler 2.0. The Event Collector service can automatically forward event logs to other remote systems, running Windows Vista, Windows Server 2008 or Windows Server 2003 R2, on a configurable schedule. Event logs can also be remotely viewed from other computers, or multiple event logs can be centrally logged and monitored without an agent and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned Task Scheduler and trigger automated actions when particular events take place.


References

  1. ^ a b "New tools for Event Management in Windows Vista". TechNet. Microsoft. November 2006.
  2. ^ Anderson, Nate (October 4, 2012). ""I am calling you from Windows": A tech support scammer dials Ars Technica". Ars Technica.
  3. ^ "AuthzInstallSecurityEventSource Function". MSDN. Microsoft. Retrieved October 5, 2007.
  4. ^ Meyer, Tara (Aquent LLC). "Eventquery.vbs". docs.microsoft.
  5. ^ Meyer, Tara (Aquent LLC). "Eventcreate". docs.microsoft.
  6. ^ Meyer, Tara (Aquent LLC). "Eventtriggers". docs.microsoft.
  7. ^ "Microsoft's Implementation and Limitations of XPath 1.0 in Windows Event Log". MSDN. Microsoft. Retrieved August 7, 2009.
  8. ^ "Powershell script to filter events using an Xpath query". Retrieved September 20, 2011.