Working with Vista's new Event Viewer
The Event Viewer is an application that enables you to browse and manage event logs. Event logs are special files that record significant events on your computer, such as a user logging on or a program encountering an error. Whenever one of these events occurs, the system records it in an event log that you can read with Event Viewer. Event Viewer is an indispensable tool for monitoring the health of systems and troubleshooting issues when they arise, and it holds the audit trail that any security investigation of a machine starts from.
Event Viewer has been around since the days of Windows NT but changed little until Windows Vista (and Windows Server 2008) arrived. In Windows Vista, Event Viewer enables an administrator to perform the following tasks:
- View events from multiple event logs – Unlike previous versions of Windows, Vista's Event Viewer lets you filter for specific events across multiple logs, which makes it easier to investigate a problem whose trail is spread over several logs. To specify a filter that spans multiple logs, create a custom view.
- Save useful event filters as custom views that can be reused – Filtering narrows the search to just the events you are interested in. In previous operating systems, once you closed Event Viewer the filter was gone, because there was no way to save filter settings. In Vista you can create custom views: once you have filtered and sorted your way down to the events you want to analyze, you save the filter and reuse it later. You can even export a view and use it on other computers or share it with other people.
- Schedule a task to run in response to an event – Event Viewer is integrated with Task Scheduler, so you can attach a task to an event and automate the response to it.
- Create and manage event subscriptions – You can collect events from remote computers and store them locally (in the Forwarded Events log) by creating event subscriptions.
Note: Windows Event Viewer is a Microsoft Management Console (MMC) snap-in that can easily be added to a custom MMC console. You can also open it directly by typing eventvwr.msc in the Run dialog.
Note: Along with the new Event Viewer, Vista also introduced the Reliability Monitor, part of the Performance console found in Computer Management or available as a stand-alone snap-in. It charts a stability rating for the system over time and lets administrators quickly see what caused a drop in stability. Read more about it in my “Using the Reliability Monitor in Windows Vista” article.
Along with the redesigned interface, the infrastructure underlying event logging was rewritten in Windows Vista. Every event now conforms to an XML schema, and you can see the XML for any event on the XML View of the event's Details tab. That XML is also what filters, custom views and event-triggered tasks are evaluated against.
As in previous Windows versions, Event Viewer tracks information in several different logs. But unlike pre-Vista operating systems, Vista's Event Viewer is more flexible in the log types and in the way it displays them. The Windows Logs node includes:
- Application events – Events logged by applications, classified by severity as Critical, Error, Warning, Information or Verbose (Critical and Verbose are new in Vista). An error is a significant problem, such as loss of data. A warning is an event that is not necessarily significant but might indicate a future problem. An information event describes the successful operation of a program, driver, or service.
- Security events – These events are audits and are recorded as Audit Success or Audit Failure depending on the outcome, for example whether a user's attempt to log on to Windows succeeded. What gets audited is governed by the audit policy; an action that is not audited leaves no event here.
- Setup events – Events related to Windows setup and servicing. Computers configured as domain controllers show additional logs here.
- System events – Events logged by Windows and Windows system services, classified as error, warning, or information.
- Forwarded events – Events forwarded to this log by other computers through event subscriptions.
- Applications and Services Logs – A new category of event logs. They include separate logs for the programs that run on your computer, as well as more detailed logs that pertain to specific Windows components and services.
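To make the audit classification and the XML representation above concrete, here is an added example (mine, not the article's) that reads the newest Security audit events and decodes their XML with Get-WinEvent. It assumes PowerShell 2.0 is installed (it shipped after Vista itself) and an elevated prompt, since by default only administrators, SYSTEM and members of the Event Log Readers group can read the Security log. The function name and output layout are my own choices.

```powershell
# Added example (not from the original article): read an event's XML
# representation with Get-WinEvent (PowerShell 2.0 / .NET 3.5), which
# fronts the same XML event infrastructure Vista's Event Viewer uses.
# Run from an elevated prompt: the Security log is not readable otherwise.

# Audit events carry their success/failure status in the Keywords field,
# not in the Level field. These are the documented standard keyword flags.
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

function Get-EventSummary {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)

    # ToXml() returns the event in the Vista event schema
    # (namespace http://schemas.microsoft.com/win/2004/08/events/event):
    # <Event><System>...</System><EventData><Data Name="...">...</Data></EventData></Event>
    [xml]$xml = $Event.ToXml()
    $sys = $xml.Event.System

    # EventID is a plain element for new-style events but carries a Qualifiers
    # attribute for classic ones, in which case PowerShell hands back an element
    $id = if ($sys.EventID -is [System.Xml.XmlElement]) { $sys.EventID.'#text' } else { $sys.EventID }

    # Named EventData fields (SubjectUserName, LogonType, ...) become Name=Value pairs
    $data = @{}
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d -is [System.Xml.XmlElement]) {
            $name = $d.GetAttribute('Name')
            if ($name) { $data[$name] = $d.'#text' }
        }
    }

    # Decode the audit outcome from the keyword bits
    $outcome = 'n/a'
    if (($Event.Keywords -band $auditSuccess) -eq $auditSuccess) { $outcome = 'Audit Success' }
    elseif (($Event.Keywords -band $auditFailure) -eq $auditFailure) { $outcome = 'Audit Failure' }

    New-Object PSObject -Property @{
        Log      = $sys.Channel
        Provider = $sys.Provider.Name
        EventId  = [int]$id
        Level    = $Event.LevelDisplayName
        Outcome  = $outcome
        Time     = $sys.TimeCreated.SystemTime
        Fields   = $data
    }
}

# The ten most recent Security audits, summarized, then the raw XML of the newest one
$events = Get-WinEvent -LogName Security -MaxEvents 10 -ErrorAction Stop
$events | ForEach-Object { Get-EventSummary $_ } |
    Format-Table Time, EventId, Outcome, Provider -AutoSize

$events[0].ToXml()
```

The point worth remembering from the output: the Level of a Security event is always Information, so a logon failure is recognized by its Audit Failure keyword (and its event ID), never by severity. Whatever you read here is also exactly what a custom view's XPath filter is matched against.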
Running Event Viewer
Note: You must be logged on as an administrator to use Event Viewer’s full capabilities.
To run Event Viewer:
- Open Computer Management by right-clicking Computer on the Start menu (or on the Desktop, if you have the icon enabled) and selecting Manage, then navigate to Event Viewer. Note: If you have not disabled UAC (read my “Disable User Account Control in Windows Vista” article), you will be prompted to consent to the action; click Continue. Note: You can also open Event Viewer by typing Event Viewer in the Search box and pressing Enter, or by typing eventvwr.msc in the Run dialog.
- Expand the folders and nodes in the left pane and look around. The Vista Event Viewer is a complete redesign and has much more to offer than the pre-Vista versions.
- Click on Event Viewer (Local) in the left navigation pane.
- Note that the Overview and Summary page shows, at a glance, the number of critical events, errors, warnings, and audit successes and failures for the past hour, 24 hours and 7 days; each row expands to the individual event IDs and sources behind the count.
Filter displayed events
When viewing an event log, you can filter the events being displayed. As in previous Windows versions, filtering is temporary by design: you filter for something, and when you close Event Viewer the filter is no longer applied. You can also remove an applied filter at any time. Unlike previous OSs, however, if you create a useful filter that you want to reuse, you can save it as a custom view.
You can read more about Filtering and Custom Views in my upcoming “Working with Filtering and Custom Views in the Vista Event Viewer” article.
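A custom view is, underneath, an XML QueryList of XPath expressions over the event XML. The following added example (mine, not the article's) builds the same multi-log filter described in the task list at the top of the page, Critical and Error events from both the System and Application logs in the last 24 hours, and runs it outside the GUI. It assumes PowerShell 2.0 for Get-WinEvent; wevtutil.exe, mentioned at the end, ships with Vista itself. The file name is illustrative.

```powershell
# Added example (not from the original article): the XML query behind a
# custom view. Event Viewer's Create Custom View dialog exposes this same
# QueryList on its XML tab, so a query written here can be pasted there
# and saved, and a saved view's XML can be run here unchanged.

# One query, two logs: Critical (Level 1) and Error (Level 2) events from
# System and Application in the last 24 hours. timediff(@SystemTime) is the
# Windows Event Log XPath extension Event Viewer itself emits for
# "Logged: Last 24 hours"; the argument is in milliseconds.
$customView = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

function Invoke-CustomView {
    param([string]$QueryXml)
    # -FilterXml takes exactly the QueryList format. Get-WinEvent reports
    # "no events match" as an error, so SilentlyContinue turns that into an
    # empty result instead of a red message.
    @(Get-WinEvent -FilterXml $QueryXml -ErrorAction SilentlyContinue)
}

# Persist the view so it can be reused or shared. The same file is valid
# input for the built-in command-line reader: wevtutil qe <file> /sq:true
$viewPath = Join-Path $env:USERPROFILE 'errors-last-24h.xml'   # illustrative path
Set-Content -Path $viewPath -Value $customView -Encoding ASCII

$results = Invoke-CustomView $customView

# Mirror the Overview page: counts per log and per level for this window
$results | Group-Object LogName, LevelDisplayName |
    Select-Object Name, Count | Format-Table -AutoSize

# The events themselves, newest first as Get-WinEvent returns them
$results | Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName -First 20 |
    Format-Table -AutoSize
```

Two things a practitioner should know about this format: a `<Suppress Path="...">` element with its own XPath can sit next to a `<Select>` to cut a noisy event ID out of a view, and because the XPath is matched against each event's XML, you can filter on named EventData fields (for example `*[EventData[Data[@Name='LogonType']='10']]`) and not only on the System header.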
Change what event properties are displayed, and their order
With the new Vista Event Viewer, you can customize how events are displayed by configuring the order in which properties appear in the details pane.
To change the order of event properties:
- In the console tree, navigate to and select an event log, custom view, or saved log.
- On the View menu, click Add/Remove Columns.
- In the Add/Remove Columns dialog box, select the event properties you want to show from the Available columns list box and click Add.
- You can hide properties by selecting the event properties you want to hide from the Displayed columns list box, and clicking Remove.
- You can change the order of the displayed event properties by clicking the event property you want to reorder and then using the Move Up and Move Down buttons to position it. Click OK when done.
Group events by a given event property
You can view all events that share the same value for a given event property, for example all events from the same source or all Warning-level events. Sorting by a property gets you part of the way, but the resulting runs can be large and hard to navigate. Grouping solves that: when you group events, a descriptive heading appears in the list above each group. All members of all groups are visible by default, but you can collapse and expand each group by double-clicking its heading.
To group events according to a given property:
- In the console tree, navigate to and select an event log, custom view, or saved log.
- In the header in the event list, right-click the column header that represents the property you want to group by and click Group events by this column.
Run a Task in response to a given event
Another of Vista's Event Viewer improvements is the ability to configure a task to run when a specific event is logged.
You can read more about assigning tasks to events in my “Assigning Custom Tasks to Events in Vista” article.
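The trigger Event Viewer creates when you attach a task to an event is the same pair a custom view uses, a channel plus an XPath query. This added example (mine, not the article's) registers such a task from the command line with the schtasks.exe that ships with Vista, reacting to a failed logon audit. Run it elevated. The task name, the log file path and the action are illustrative.

```powershell
# Added example (not from the original article): an event-triggered task
# created with schtasks.exe. Event Viewer's "Attach Task To This Event"
# wizard fills in the same channel and query for you. Run elevated.

$taskName = 'Alert-FailedLogon'   # illustrative
$channel  = 'Security'
# 4625 = "An account failed to log on". It is only written when logon
# failure auditing is enabled; check with: auditpol /get /category:Logon/Logoff
$query    = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"

# Illustrative action: append a timestamped line to a file. In practice point
# this at a script that collects the event's data, and keep that script in a
# directory only administrators can write to, because it will run as SYSTEM.
$action   = 'cmd.exe /c echo %DATE% %TIME% failed logon >> C:\ProgramData\failed-logons.log'

# /SC ONEVENT with /EC (channel) and /MO (XPath) is the event trigger.
# /RU SYSTEM is needed because only SYSTEM, administrators and members of
# the Event Log Readers group can read the Security channel.
schtasks.exe /Create /F /TN $taskName /SC ONEVENT /EC $channel /MO $query /TR $action /RU SYSTEM

# Inspect the registered task; the trigger is listed as the event query
schtasks.exe /Query /TN $taskName /V /FO LIST

# Remove it when you are done testing
# schtasks.exe /Delete /TN $taskName /F
```

With this basic trigger the event's fields are not passed to the action on its command line; a script that needs the user name or source address from the 4625 event has to read it from the log itself, for instance with a Get-WinEvent or wevtutil query like the ones above. Also keep the trigger specific: a query matching a high-volume event will launch the task for every occurrence.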
Vista’s new Event Viewer is a big improvement over previous versions. The various ways in which you can display, work with and place conditions on events are a real benefit for administrators, and although the new interface is quite different from what we were used to in pre-Vista OSs, getting used to it is easy.
Related articles:
- Generate a System Health Report
- Can I quickly view other computer’s Event Logs?
- Assigning Custom Tasks to Events in Vista
- Working with Filtering and Custom Views in the Vista Event Viewer