
Working with Filtering and Custom Views in the Vista Event Viewer

The Event Viewer is an application that enables you to browse and manage event logs. Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. In Windows Vista and Windows Server 2008, Event Viewer has been totally redesigned and now offers much wider administrative capabilities. Read more about the new Vista Event Viewer in my “Working with Vista’s new Event Viewer” and “Assigning Custom Tasks to Events in Vista” articles.

One of the features of the new Event Viewer is the ability to create custom filters and to save them into custom views for later viewing. When viewing an event log, you can filter the events being displayed. As in previous Windows versions, event filtering is temporary by design: you apply a filter, and when you close Event Viewer the filter is no longer applied. You can also remove an applied filter. However, unlike previous OSs, if you create a useful filter that you want to reuse, you can save it as a custom view.

Filter displayed events

To filter displayed events:

  1. Open Computer Management by right-clicking the Computer icon on the Start menu (or on the Desktop if you have it enabled) and selecting Manage. Navigate to the Event Viewer. Note: If you did not disable UAC (read my “Disable User Account Control in Windows Vista” article), you will be prompted to consent to the action you’re about to perform. Click Continue. Note: You can also open the Event Viewer by typing Event Viewer in the Search box and pressing Enter, or by typing eventvwr.msc in the Run command.
  2. In the console tree, select the event log you want to filter.
  3. On the Action menu, click Filter Current Log, or right-click the log and select Filter Current Log.  
  4. To filter events based on the date when they occurred, select the time period from the Logged drop-down list. Note: You can also choose Custom range and specify the earliest date and time from which you want events and the latest date and time from which you want events. Click OK.  
  5. Select the check boxes next to the event levels that you want the filter to display.  
  6. In the Event source drop-down list, select the check boxes next to the event sources that you want your filter to display.  
  7. In Event IDs, type the event IDs that you want your filter to display, for example, type 6005. Note: If you want to filter based on separate multiple event IDs, you can enter them separated by commas. If you want to include a range of IDs, for example 10000 through 10010, you can type 10000-10010. If you want the filter to display events with all IDs except certain ones, type the IDs of those exceptions, preceded by a minus sign. For instance, to include all Event IDs between 4624 and 4634 except for 4630, type 4624-4634,-4630.
  8. In Task Category, select the check boxes next to the task categories in the drop-down list that you want your filter to display.
  9. In the Keywords drop-down list, select the check boxes next to the keywords that you want your filter to display.  
  10. In User, enter the names of the user accounts you want your filter to display. To enter multiple user accounts, separate them with a comma (,).
  11. In Computer(s), enter the names of the computers that you want the filter to display. This field refers to the source computer of the event. Enter multiple computers by separating them with a comma (,).
  12. Click OK to apply the filter.  
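
The same filter can be reproduced from a PowerShell prompt, which is useful when the query has to be repeated on several machines or kept with incident notes. The following is an added example, not part of the original article: the function name `ConvertTo-EventIdXPath` is hypothetical, and the script assumes an elevated session (needed to read the Security log) and a 24-hour time window. It translates the Event IDs syntax from step 7 into an XPath test and passes it to `Get-WinEvent`.

```powershell
# Added example: turn the dialog's "Event IDs" syntax (single IDs, ranges,
# and "-ID" exclusions) into an XPath test over the System/EventID element.
function ConvertTo-EventIdXPath {
    param([Parameter(Mandatory = $true)][string]$IdSpec)

    $include = @()
    $exclude = @()
    foreach ($term in ($IdSpec -split ',')) {
        $t = $term.Trim()
        if ($t -match '^(\d+)-(\d+)$') {
            # Range, e.g. 4624-4634
            $include += "(EventID >= $($Matches[1]) and EventID <= $($Matches[2]))"
        } elseif ($t -match '^-(\d+)$') {
            # Exclusion, e.g. -4630
            $exclude += "EventID != $($Matches[1])"
        } elseif ($t -match '^\d+$') {
            # Single ID, e.g. 6005
            $include += "EventID = $t"
        } else {
            throw "Unrecognised Event ID term: '$t'"
        }
    }

    # Included IDs are OR-ed together; every exclusion is AND-ed on top.
    $parts = @()
    if ($include) { $parts += '(' + ($include -join ' or ') + ')' }
    $parts += $exclude
    $parts -join ' and '
}

# The example from step 7: all IDs from 4624 through 4634 except 4630.
$idTest = ConvertTo-EventIdXPath '4624-4634,-4630'

# Equivalent of "Logged: Last 24 hours" (timediff is measured in milliseconds).
$xpath = "*[System[($idTest) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

# Get-WinEvent raises an error when nothing matches, so suppress that case.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message
```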

Save filter as a custom view

After working hard to set your filter right, in Vista you can now save it as a Custom View so that you can use it again without having to recreate it.


To save a filter to reuse later:

  1. Start Event Viewer.
  2. Follow the steps in Filter Displayed Events.
  3. On the Action menu, click Save Filter As Custom View.  
  4. In the Name box type the name that you want to use to access the custom view in the future. You can also type a description of the custom view in Description. In the console tree, select the location where you want the saved filter to be stored. To allow all users of the computer to access the view, ensure that the All Users check box is selected. To only allow the currently logged on user to access the view, ensure that the All Users check box is not selected. Click OK.  
  5. Next, look at the Custom Views list and note that your saved filter appears in that list.

Summary

Vista’s new Event Viewer comes as a big improvement over previous versions. One of the main advantages of the new Event Viewer is the ability to create custom filters and to save them for later use, which makes using Event Viewer much easier for busy administrators.
