Windows Event Log
Event Viewer is a component of Microsoft's Windows NT operating system that lets administrators and users view the event logs on a local or remote machine. Applications and operating-system components can use this centralized log service to report events that have taken place, such as a failure to start a component or to complete an action. In Windows Vista, Microsoft overhauled the event system. Because the Event Viewer routinely reports minor start-up and processing errors (which do not, in fact, harm or damage the computer), the software is frequently used by technical support scammers to trick the victim into thinking that their computer contains critical errors requiring immediate technical support. An example is the "Administrative Events" view under "Custom Views", which can accumulate over a thousand errors or warnings in a month.


Overview

Windows NT has featured event logs since its release in 1993. The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication fails, the system may generate Event ID 672. Windows NT 4.0 added support for defining "event sources" (i.e. the application which created the event) and for performing backups of logs. Windows 2000 added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console (MMC) snap-in. Windows Server 2003 added the AuthzInstallSecurityEventSource() API calls so that applications could register with the security-event logs and write security-audit entries. Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the system opened on-disk log files as memory-mapped files in kernel memory space, which used the same memory pools as other kernel components. Event Viewer log files with the filename extension .evtx typically appear in a directory such as C:\Windows\System32\winevt\Logs\.


Command-line interface

Windows XP introduced a set of three command-line interface tools, useful for task automation:

* eventquery.vbs – official script to query, filter and output results based on the event logs. Discontinued after XP.
* eventcreate – a command (continued in Vista and 7) to put custom events in the logs.
* eventtriggers – a command to create event-driven tasks. Discontinued after XP, replaced by the "Attach task to this event" feature.
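As an added example (not from the original page), the following PowerShell session exercises the two surviving pieces of that tooling: eventcreate writes a test entry, Get-WinEvent reads it back, and schtasks with the ONEVENT schedule does what eventtriggers used to do (this is the command-line form of the "Attach task to this event" feature). The source name, event ID, task name and script path are constructed for the example.

```powershell
# Added example: write a custom event, read it back, and attach a task to it.
# Run from an administrative PowerShell prompt.

$source = 'ExampleApp'   # constructed event source name
$id     = 100            # constructed event ID; eventcreate accepts 1-1000

# 1. Put a custom Information-level entry into the Application log.
eventcreate /L APPLICATION /SO $source /T INFORMATION /ID $id /D "Example event written for log-pipeline testing"

# 2. Read it back. -FilterHashtable is the indexed (fast) way to query a log;
#    the eventcreate source name surfaces as ProviderName.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source; Id = $id } -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 3. Replacement for eventtriggers: a scheduled task that fires when an event
#    matching an XPath query is logged to the Application channel.
#    The task name and script path are placeholders.
schtasks /Create /TN "ExampleApp-OnEvent" `
    /TR "powershell.exe -NoProfile -File C:\Scripts\notify.ps1" `
    /SC ONEVENT /EC Application `
    /MO "*[System[Provider[@Name='$source'] and EventID=$id]]"

# Verify the task was registered, then remove it when done testing.
schtasks /Query /TN "ExampleApp-OnEvent" /V /FO LIST
# schtasks /Delete /TN "ExampleApp-OnEvent" /F
```

The XPath string passed to /MO is the same dialect that Event Viewer's XML filter tab accepts, so a query worked out in the GUI can be pasted into the task definition unchanged.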


Windows Vista

On Windows Vista, Event Viewer is built on a rewritten event tracing and logging architecture. It has been redesigned around a structured XML log format and a designated log type to allow applications to log events more precisely and to make it easier for support technicians and developers to interpret the events. The XML representation of an event can be viewed on the ''Details'' tab in the event's properties. It is also possible to view all potential events, their structures, registered ''event publishers'' and their configuration using the ''wevtutil'' utility, even before the events are fired. There are many types of event logs, including Administrative, Operational, Analytic, and Debug. Selecting the ''Application Logs'' node in the ''Scope'' pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs. Analytic and Debug events, which are high-frequency, are saved directly into a trace file, while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service. Events are published asynchronously to reduce the performance impact on the ''event publishing'' application. Event attributes are also much more detailed and expose the EventID, Level, Task, Opcode, and Keywords properties. Users can filter event logs by one or more criteria or by a limited XPath 1.0 expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing only the logs related to a certain subsystem or to an issue with a certain component, archiving selected events, and sending traces on the fly to support technicians.
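As an added example (not from the original page), this PowerShell session walks the Vista-era infrastructure just described: wevtutil enumerates channels and publishers, dumps the event definitions a publisher can emit before any has fired, shows a channel's configuration, and Get-WinEvent exposes the same XML that the ''Details'' tab renders. Microsoft-Windows-Security-Auditing is a real Windows publisher; everything else is standard tooling.

```powershell
# Added example: inspect logs, publishers and event XML on Vista and later.
# Reading the Security log requires an administrative prompt.

# 1. Channels (log names) and registered publishers (providers).
wevtutil el | Select-Object -First 10     # e.g. Application, Security, Microsoft-Windows-*/Operational
wevtutil ep | Select-Object -First 10

# 2. Every event a publisher can emit, with its message template, straight
#    from the publisher's manifest. Nothing needs to have been logged yet.
wevtutil gp Microsoft-Windows-Security-Auditing /ge:true /gm:true | Select-Object -First 40

# 3. Channel configuration: enabled flag, max size, retention, on-disk path
#    (the .evtx under C:\Windows\System32\winevt\Logs).
wevtutil gl Security

# 4. Analytic/Debug channels are off by default; they are enabled per channel.
#    Shown here for a well-known diagnostic channel, query-only (no change made):
wevtutil gl Microsoft-Windows-WMI-Activity/Trace | Select-String 'enabled'

# 5. The XML view of one event, and the structured properties the text lists.
$event = Get-WinEvent -LogName Security -MaxEvents 1
[xml]$xml = $event.ToXml()

# <System> holds the metadata every event shares.
$xml.Event.System | Select-Object EventID, Level, Task, Opcode, Keywords, Channel, Computer

# <EventData> holds the publisher-specific fields as <Data Name="...">value</Data>.
$xml.Event.EventData.Data | Select-Object Name, '#text'

# The same information, already parsed, without touching XML:
$event | Select-Object Id, LevelDisplayName, TaskDisplayName, OpcodeDisplayName, KeywordsDisplayNames
```

The Name attributes printed in step 5 are exactly the names an XPath filter refers to with Data[@Name='...'], which is why inspecting one event's XML is the normal first step before writing a custom filter.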


Filtering using XPath 1.0

1. Open Event Viewer.
2. Expand ''Windows Logs''.
3. Select the log that is of interest (in the example below, the ''Security'' event log is used).
4. Right-click on the event log and select ''Filter Current Log...''.
5. Change the selected tab from ''Filter'' to ''XML''.
6. Check the box ''Edit query manually''.
7. Paste the query into the text box. Sample queries can be found below.

Here are examples of simple custom filters for the new Windows Event Log:

1. Select all events in the Security event log where the account name involved (TargetUserName) is "JUser".
2. Select all events in the Security event log where any Data node of the EventData section is the string "JUser".
3. Select all events in the Security event log where any Data node of the EventData section is "JUser" or "JDoe".
4. Select all events in the Security event log where any Data node of the EventData section is "JUser" and the Event ID is "4471".
5. A real-world example for a package called Goldmine which has two @Name attributes.
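The filters described above, written out as an added example (not from the original page): each one is expressed as the QueryList XML that the ''XML'' tab of ''Filter Current Log...'' accepts, and the same XML is handed to Get-WinEvent -FilterXml so a query can be tested from PowerShell before it goes into a custom view. The account names and the event ID come from the list above; the two field names in the last query (SubjectUserName, LogonType) stand in for the Goldmine fields, which the page does not give, and are constructed for illustration.

```powershell
# Added example: Windows Event Log XPath filters as QueryList XML.
# Reading the Security log requires an administrative prompt.

$user = 'JUser'

# The XPath mirrors the event XML: <Event><System>..</System><EventData><Data Name=".."/>..
$filters = [ordered]@{
    # 1. A specific named field: Data[@Name='TargetUserName'] must equal JUser.
    'TargetUserName is JUser'   = "*[EventData[Data[@Name='TargetUserName']='$user']]"
    # 2. Any Data node equals JUser (no Name constraint, so it matches any field).
    'Any Data is JUser'         = "*[EventData[Data='$user']]"
    # 3. Any Data node equals JUser or JDoe.
    'Any Data is JUser or JDoe' = "*[EventData[Data='$user' or Data='JDoe']]"
    # 4. Combine a System-section test (EventID) with an EventData test.
    'JUser and EventID 4471'    = "*[System[EventID=4471]] and *[EventData[Data='$user']]"
    # 5. Two named fields in one predicate (constructed field names, not from the page).
    'Two named fields'          = "*[EventData[Data[@Name='SubjectUserName']='$user' and Data[@Name='LogonType']='10']]"
}

foreach ($entry in $filters.GetEnumerator()) {
    # This is the exact text to paste into the XML tab of Filter Current Log.
    $queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$($entry.Value)</Select>
  </Query>
</QueryList>
"@
    Write-Host "== $($entry.Key) =="
    Write-Host $queryXml

    # Run the identical query from the shell. No match produces a non-terminating
    # "No events were found" error, which is suppressed here.
    Get-WinEvent -FilterXml $queryXml -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'TargetUserName'; e = {
                ([xml]$_.ToXml()).Event.EventData.Data |
                    Where-Object Name -eq 'TargetUserName' |
                    Select-Object -ExpandProperty '#text' } } |
        Format-Table -AutoSize
}
```

Filter 1 is the one to prefer when the field is known: an unqualified Data='JUser' (filters 2 to 4) also matches the value in any other field, such as a caller's SubjectUserName, so it returns more than "events about JUser". The Windows dialect is a subset of XPath 1.0 with a few extensions; for example, adding `and *[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]` restricts any of these to the last 24 hours.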