Event Viewer is part of the Microsoft Management Console (MMC) and allows you to track the various events occurring on your PC in the form of logs. There are 3 parts to the event viewer:
These logs can be saved as a file for viewing in other programs or for creating charts. The format which the event viewer now uses is the .elf format, which applications other than the event viewer can also use. The older event viewer from XP used .evt files, which can still be read by the new event viewer as it is backwards compatible.
You can choose to filter the logs in many ways using filter properties or choose to view certain log information from all your applications that generate logs.
To get started with event viewer, you need to open up the start menu, right-click on Computer, then click Manage.
You will then be presented with the Management Console, which can perform many other tasks in addition to the event viewer. Other tasks include setting up and troubleshooting devices in the Device Manager as well as displaying information about shared directories and drives on the computer. The options are all displayed in a tree on the left of the window.
Double-click on the Event Viewer (the fourth option from the top) and you should see the Overview and Summary section of the event viewer as well as some updated actions under the Actions pane on the right:
You can see that under the summary of administrative events there are critical, error, warning, information and audit success logs. You can also see whether there have been any events in those categories in the last hour, the last 24 hours and more. If you would like more information on any particular type of log you can get it by double-clicking the event type. If you right-click on the event type you can also choose to view all instances of the event type. This can be a very long list for some event types; however, you can make use of filters and custom views for easier viewing of larger lists:
Once you click View All Instances of This Event, event viewer will show you a custom view of all of those events under a section called Custom Views. The Custom Views in the screenshot below contains two sub-categories containing events: one is named Administrative Events and the other is the Summary page events. The Summary page events contains the events for the critical event type that we chose to view all instances of. If we chose to view all instances of Audit Successes, for example, we would see a list of all audit successes under the Summary page events, and so on.
The Administrative Events view shows Critical, Error and Warning events from all administrative logs. It was not created manually but is present by default, so that the administrator has a cross view of all the logs featuring certain types of events. Event viewer also lets you build cross views of logs to your own specifications, making the task of locating certain events much easier.
If you would like more information about an event you can view it below the events list under the General or Details tab. You can also set up event triggers for particular tasks or types of tasks by right-clicking on the particular event and choosing Attach Task to This Event. This brings up the Create Basic Task Wizard:
The first option in the Create Basic Task Wizard is to choose a name for the task; we left the default name as it was sufficient. You can also enter a description, for example if you want to be reminded of certain information about the task. Then click Next:
The specifics of the event have been detailed here, press Next:
Above, you can see the actions that can be performed for the task. Start a program will start a program that you have chosen by browsing for one, and it will start when the particular event occurs. Send an e-mail will e-mail you to notify you about the event; this can be very useful for security events which you may need to be notified of immediately, or for a certain critical error or event. Display a message will display a warning-style message whenever the event occurs, and can be tailored to your own requirements. We have chosen to display a message in this example:
Now you can finish off the wizard by clicking Next and then Finish. You can check on the task at any time to verify that it is running, or modify its parameters, by going to the Task Scheduler. This can be found above the Event Viewer on the tree in the left pane. Double-click the Task Scheduler and under Event Viewer Tasks you should see the task with the status Ready:
There are many options that can still be changed even though you finished off the wizard before. These can be viewed underneath the event in the properties pane:
You can also right click on the particular event and choose properties to get the same settings options as seen on the bottom half of the screenshot above.
You can edit the event trigger by clicking Edit, but you can also perform additional tasks such as choosing another event to trigger the same response, so that a similar error event, for example, triggers that same task. To do this click the New... button. There is also the option to delete triggers that are no longer needed.
There are similar options for the Actions tab, in that you can have more than one action. You can have more than one message displayed, each with its own properties, as well as e-mails being sent in addition to, or instead of, the message. The option to run a program can also be set up through the Actions tab.
There are many options for Conditions also. You can change the settings for when the computer has been idle for a certain amount of time, or for when the computer is not idle. You can also choose settings to do with the computer's power, such as whether the computer is running on battery. There is an option for network settings, which is useful if the task is to e-mail someone: you would then only run that task if you had network connectivity, for example.
For the Settings tab, you have various settings for ensuring that the task does in fact run even if some kind of error stops it. You can choose to have the task retry many times and select the interval between retries. You can also limit the amount of time for which the task will attempt to retry. You can also ensure that the task will end itself. Other options include deleting the task if it has been inactive for a certain time, so it will not take up any more space on the machine or in the task list. You can also choose options for when the task is already running, such as not starting a new instance.
The last tab is the History tab, which shows you information about the task such as when you created it and when it was started, in addition to other information such as when the various actions were performed. An example of the message box that would be displayed when the task was run and the action was performed can be seen below. You can choose any text for the title bar as well as the message text during the Create Basic Task Wizard, or afterwards by editing the properties for the task as detailed in the above screenshots.
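The same event-triggered task can be created from PowerShell instead of the wizard. This is an added example, not from the original article; the task name, the log, provider and event ID it watches, and the log file it writes are all assumed values, and the Conditions and Settings tab options described above are set through New-ScheduledTaskSettingsSet:

```powershell
# Added example (not from the original article): PowerShell equivalent of
# right-clicking an event and choosing "Attach Task to This Event".
# Every value below is an assumption; change it to the event you care about.
$logName  = 'System'
$provider = 'Microsoft-Windows-Kernel-Power'   # assumed provider (unexpected shutdown)
$eventId  = 41                                 # assumed event ID
$taskName = 'EventViewerDemoAlert'             # assumed task name
$logFile  = 'C:\EventAlerts\alert.log'         # assumed path; create the folder first

# Task Scheduler stores an event trigger as the same QueryList XML that
# Event Viewer filters use; the XPath inside <Select> picks the event.
$subscription = @"
<QueryList>
  <Query Id="0" Path="$logName">
    <Select Path="$logName">*[System[Provider[@Name='$provider'] and EventID=$eventId]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no "on an event" option, so build the trigger
# from the MSFT_TaskEventTrigger CIM class that Task Scheduler exposes.
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler `
                             -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# Actions tab: "Display a message" is deprecated on current Windows, so this
# action appends a timestamped line to a log file instead.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -WindowStyle Hidden -Command `"Add-Content -Path '$logFile' " +
    "-Value ((Get-Date -Format o) + ' $provider event $eventId fired')`"")

# Conditions tab (network, battery) and Settings tab (retries, time limit,
# instance policy) as described above.
$settings = New-ScheduledTaskSettingsSet `
    -RunOnlyIfNetworkAvailable `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

# Register under the same "Event Viewer Tasks" folder the wizard uses.
Register-ScheduledTask -TaskName $taskName -TaskPath '\Event Viewer Tasks\' `
    -Trigger $trigger -Action $action -Settings $settings `
    -Description 'Constructed example: log an alert when the event fires'

# Verify, as in the Task Scheduler pane: the state should be Ready.
Get-ScheduledTask -TaskPath '\Event Viewer Tasks\' -TaskName $taskName |
    Select-Object TaskName, State
```

Run it from an elevated prompt; the task then appears under Event Viewer Tasks with the trigger, action, conditions and settings shown on the tabs discussed above.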
Create a Custom View
To create a custom view, you can do so in at least 2 ways. The first is to click on the Custom Views folder on the left pane and then click Create Custom View... on the actions pane (the pane on the right). The other way is to right click on the Custom Views folder on the left pane and choose Create Custom View. Once you have opened the custom view editor you are presented with many options to view the exact information that you require. The Create Custom View window looks like this:
From the above window you have the choice of the time range you wish to see data from in the Logged section. You can choose the type of event you wish to look for in Event Level. You can choose whether to view by log or by source, where many options are available to choose from such as Windows Logs and Applications and Services Logs. Once you have chosen the type of log, you can then choose particular event IDs or just view all event IDs. You can also choose specific or listed task categories and keywords, as well as choose which users to view information about and, on a network, which computer or computers to view information about. Once you have finished selecting options you can click OK.
As you can see there are many options, you can tick next to Windows logs to select all the items underneath (Application, Security, Setup, System, Forwarded Events) or you can choose the specific items.
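The Create Custom View dialog is a front end for an XML query, and the same query can be run from PowerShell with Get-WinEvent. This is an added example, not from the original article; the log list, time window, levels and event IDs are assumed values chosen to match the dialog options described above:

```powershell
# Added example (not from the original article): the query behind a custom
# view, run with Get-WinEvent. All values below are assumptions to adjust.
$logs   = @('Application', 'Security', 'Setup', 'System')  # the Windows Logs folder
$hours  = 24                      # "Logged: Last 24 hours"
$levels = @(1, 2, 3)              # Critical=1, Error=2, Warning=3 (Information=4, Verbose=5)
$ids    = @()                     # empty = "All Event IDs"; e.g. @(1000, 1001)

# Event Viewer stores a custom view as QueryList XML; the XPath inside each
# <Select> is what the Event Level, Logged and Event ID boxes generate.
# timediff() compares against the event's SystemTime in milliseconds.
$conds = @("($(($levels | ForEach-Object { "Level=$_" }) -join ' or '))",
           "TimeCreated[timediff(@SystemTime) <= $($hours * 3600000)]")
if ($ids.Count -gt 0) {
    $conds += "($(($ids | ForEach-Object { "EventID=$_" }) -join ' or '))"
}
$xpath    = "*[System[$($conds -join ' and ')]]"
$selects  = $logs | ForEach-Object { "    <Select Path=`"$_`">$xpath</Select>" }
$queryXml = "<QueryList>`n  <Query Id=`"0`">`n$($selects -join "`n")`n  </Query>`n</QueryList>"

# The same XML can be pasted into the XML tab of the Create Custom View window.
# Reading Security needs an elevated prompt; -ErrorAction hides "no events found".
$events = Get-WinEvent -FilterXml $queryXml -MaxEvents 50 -ErrorAction SilentlyContinue

# Hashtable form: the same log / level / time / ID filters without hand-written XPath.
$filter = @{ LogName = $logs; Level = $levels; StartTime = (Get-Date).AddHours(-$hours) }
if ($ids.Count -gt 0) { $filter.Id = $ids }
$sameEvents = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName |
    Format-Table -AutoSize
```

With $levels set to 1, 2 and 3 and all four Windows logs selected, $queryXml is the same query the built-in Administrative Events view runs, restricted here to the last 24 hours.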