Display windows event log

System Requirements

FullEventLogView vs MyEventViewer

Versions History

  • Version 1.61:
    • Fixed some high DPI mode issues.
  • Version 1.60:
    • Added ‘Tray Balloon On New Event’ option. This feature is active only when both ‘Put Icon On Tray’ and ‘Auto Refresh’ options are turned on. When it’s active, FullEventLogView displays every new event in a tray balloon.
    • Added ‘Start As Hidden’ option. When this option and ‘Put Icon On Tray’ option are turned on, the main window of FullEventLogView will be invisible on start.
  • Version 1.58:
    • Added ‘New FullEventLogView Instance’ under the File menu, for opening a new window of FullEventLogView.
  • Version 1.57:
    • Added ‘Log File’ column, which displays the log filename if the event was loaded directly from .evtx or .etl file.
  • Version 1.56:
    • In the channel and provider fields of the ‘Advanced Options’ window, you can now choose the desired channel/provider from a combo-box.
  • Version 1.55:
    • When reading .etl files that store the event data inside the EventPayload element of the XML, FullEventLogView now automatically converts the EventPayload from a hexadecimal string to readable text and displays it as the description of the event.
      For example, you can use this feature to view the Windows Update logs from C:\windows\logs\WindowsUpdate on Windows 10.
    • Added ‘Copy Clicked Cell’ option to the right-click context menu, which copies to the clipboard the text of the cell that you right-clicked with the mouse.
  • Version 1.53:
    • Fixed bug: Wildcards didn’t work when using the ‘Search in full description string’ option.
    • Fixed to save the ‘Case Sensitive’ option of the Quick Filter in the .cfg file.
  • Version 1.52:
    • Added ‘Select All’ and ‘Deselect All’ to the ‘Column Settings’ window.
  • Version 1.51:
    • Added the ‘Clear All Events Of Selected Channel’ option to the context menu.
    • Increased the maximum size of the description filter string.
  • Version 1.50:
    • Fixed bug: FullEventLogView remained in memory if you closed the main window during events scanning.
    • Added ‘Clear All Events Of Selected Channel’ option (under the File menu). For example: if you select an event whose channel is ‘System’, using this option will delete all System events.
    • Added /ClearChannelEvents command-line option, which clears all events of the specified channel, for example:
      FullEventLogView.exe /RunAsAdmin /ClearChannelEvents "Microsoft-Windows-Bits-Client/Operational"
    • Added 2 modes to the description filter: ‘Search in description parameters’ and ‘Search in full description string’. In previous versions, the search was made inside the description parameters, but some users reported this as a bug. The search is now made by default inside the full description string, but this search mode is slower because it requires loading the metadata and formatting the description string before the filtering process.
  • Version 1.38:
    • Fixed bug: When trying to export events of remote computer from command-line, FullEventLogView loaded the events from local computer.
  • Version 1.37:
    • Added ‘Case Sensitive’ option to the Quick Filter window.
  • Version 1.36:
    • Added /RunAsAdmin command-line option for running FullEventLogView as administrator.
  • Version 1.35:
    • Added new options to the ‘Quick Filter’ feature, including the option to filter the list by Event ID.
  • Version 1.32:
    • When choosing to load only specific event IDs (From ‘Advanced Options’ window), the loading process is much faster.
  • Version 1.31:
    • Fixed bug: When connecting to a remote computer, the following error was displayed: Error 50: The request is not supported.
  • Version 1.30:
    • Fixed bug: FullEventLogView failed to display the event strings in the lower pane (‘Show Event Data + Description’ mode) and in the columns (‘Show Event Strings In Columns’ option).
    • You can now resize the properties window, and the last size/position of this window is saved in the .cfg file.
    • You can now send the data to stdout by specifying empty string as filename, for example:
      FullEventLogView.exe /scomma "" | more
  • Version 1.28:
    • Fixed the lower pane to use the right font size in high DPI mode.
    • Added option to choose another font (name and size) to display in the main window.
  • Version 1.27:
    • When exporting items with a multiline description to a tab-delimited file (including the ‘Copy Selected Items’ option), FullEventLogView now puts the description in quotes to ensure the exported data will be displayed properly in Excel and other programs.
  • Version 1.26:
    • Added support for saving as JSON file.
  • Version 1.25:
    • Added ‘Show Event Strings In Columns’ option (under the Options menu). When it’s turned on, 10 new event string columns are added to the main table (‘String 1’, ‘String 2’, ‘String 3’, and so on). These columns display the strings from the event description, and you can click the column header in order to sort the events according to the event strings.
  • Version 1.22:
    • Fixed bug: On some systems, FullEventLogView missed some of the events when using a time filter.
  • Version 1.21:
    • Added /cfg command-line option, which instructs FullEventLogView to use a config file in another location instead of the default config file, for example:
      FullEventLogView.exe /cfg "%AppData%\FullEventLogView.cfg"
  • Version 1.20:
    • Added option to filter according to strings of the event description (In ‘Advanced Options’ window).
    • Added ‘Quick Filter’ feature (View -> Use Quick Filter or Ctrl+Q). When it’s turned on, you can type a string in the text-box added under the toolbar and FullEventLogView will instantly filter the events table, showing only lines that contain the string you typed.
    • Fixed the lower pane to switch focus when pressing tab key.
  • Version 1.12:
    • Added option to specify time range in GMT (‘Advanced Options’ window).
    • Fixed bug: When using the /SaveDirect command-line option, the file was always saved according to the default encoding, instead of using the encoding selected in Options -> Save File Encoding.
  • Version 1.11:
    • Fixed bug: the process of exporting a large number of event log items from the command line was very slow, even when using /SaveDirect.
  • Version 1.10:
    • Added option to automatically read archive log files (In ‘Choose Data Source’ window). This option works only when you run FullEventLogView as administrator.
  • Version 1.06:
    • Fixed FullEventLogView to display event description properly when reading .evtx files from shadow copy (e.g: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\winevt\Logs )
    • Fixed bug: FullEventLogView displayed error message when trying to read .etl files.
  • Version 1.05:
    • FullEventLogView now displays an error message if it fails to load events from external evtx file or from remote computer.
    • Added ‘Choose Data Source’ icon to the toolbar.
  • Version 1.00 — First release.

Start Using FullEventLogView

If you want to load the events from a remote computer on your network or from event log files (.evtx), you should use the ‘Choose Data Source’ window (F7).

Lower Pane Display Mode

Refresh (F5) And Smooth Refresh (F8)

Auto Refresh Mode

Run As Administrator

Command-Line Options

/ChannelFilter [1 - 3]
/EventIDFilter [1 - 3]
/ProviderFilter [1 - 3]
/ChannelFilterStr [Filter String]
/EventIDFilterStr [Filter String]
/ProviderFilterStr [Filter String]
...
You can use any variable inside the .cfg file in order to set the configuration from the command line. Here are some examples:

In order to show only events with Event ID 8000 and 8001:
FullEventLogView.exe /EventIDFilter 2 /EventIDFilterStr "8000,8001"

In order to show only events from the Microsoft-Windows-Dhcp-Client/Admin channel:
FullEventLogView.exe /ChannelFilter 2 /ChannelFilterStr "Microsoft-Windows-Dhcp-Client/Admin"

In order to read events from .evtx files stored in c:\temp\logs:
FullEventLogView.exe /DataSource 3 /LogFolder "c:\temp\logs" /LogFolderWildcard "*"

In order to read events from a remote computer:
FullEventLogView.exe /DataSource 2 /ComputerName "192.168.0.70"

In order to export events from a remote computer into a .csv file:
FullEventLogView.exe /scomma "c:\temp\remote_events.csv" /DataSource 2 /ComputerName "192.168.0.50"
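The command lines above are the building blocks of a headless collection job. The following Python script is an added example (not code from FullEventLogView or NirSoft): it assembles the export command line from the options shown on this page, refuses the /sort + /SaveDirect combination the page says is unsupported, and summarizes the resulting CSV by Event ID and Channel. The executable path is a placeholder, the CSV column names ("Event ID", "Channel") are assumed from the columns the page mentions, and the sample CSV is constructed.

```python
import csv
import io
import subprocess
from collections import Counter

# Added example, not part of FullEventLogView or its documentation.
FELV_EXE = r"C:\Tools\FullEventLogView.exe"  # placeholder path (assumption)


def build_export_args(channel, out_csv, computer=None, event_ids=None,
                      save_direct=True, sort_by=None):
    """Assemble the FullEventLogView command line for a CSV export.

    /ChannelFilter 2 + /ChannelFilterStr and /EventIDFilter 2 + /EventIDFilterStr
    mirror the page's own examples; /DataSource 2 + /ComputerName selects a
    remote computer. The page states that sorting is not supported in
    SaveDirect mode, so that combination is rejected rather than silently ignored.
    """
    if save_direct and sort_by:
        raise ValueError("/sort is not supported together with /SaveDirect")
    args = [FELV_EXE, "/scomma", out_csv]
    if computer:
        args += ["/DataSource", "2", "/ComputerName", computer]
    args += ["/ChannelFilter", "2", "/ChannelFilterStr", channel]
    if event_ids:
        args += ["/EventIDFilter", "2", "/EventIDFilterStr",
                 ",".join(str(i) for i in event_ids)]
    if save_direct:
        args.append("/SaveDirect")
    for column in sort_by or []:
        args += ["/sort", column]
    return args


def export_events(channel, **kwargs):
    """Run the export with an empty filename so the CSV goes to stdout
    (page, version 1.30) and return the CSV text."""
    args = build_export_args(channel, "", **kwargs)
    result = subprocess.run(args, capture_output=True, text=True, check=True)
    return result.stdout


def summarize_csv(text):
    """Count exported rows per Event ID and per Channel.

    The csv module keeps a quoted description that spans several lines
    as a single field, so multiline descriptions do not break the row count.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    return {
        "rows": len(rows),
        "by_event_id": Counter(r["Event ID"] for r in rows),
        "by_channel": Counter(r["Channel"] for r in rows),
    }


# Constructed sample of an export; the second row carries a multiline description.
SAMPLE_CSV = """Event Time,Record ID,Event ID,Level,Channel,Provider,Description
2024-05-01 10:00:01,1001,8000,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,Microsoft-Windows-WLAN-AutoConfig,"constructed description line 1
constructed description line 2"
2024-05-01 10:00:02,1002,8001,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,Microsoft-Windows-WLAN-AutoConfig,"constructed description"
2024-05-01 10:02:11,1003,8000,Information,Microsoft-Windows-WLAN-AutoConfig/Operational,Microsoft-Windows-WLAN-AutoConfig,"constructed description"
"""

if __name__ == "__main__":
    print(" ".join(build_export_args("Microsoft-Windows-Dhcp-Client/Admin",
                                     r"c:\temp\remote_events.csv",
                                     computer="192.168.0.50", event_ids=[8000, 8001])))
    print(summarize_csv(SAMPLE_CSV))
```

Because the executable writes the CSV in the encoding chosen under Options -> Save File Encoding, a job that writes to a file rather than stdout should open the file with that same encoding before handing it to summarize_csv.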

You can find more command-line examples in the following Web pages:
How to export Windows events of remote computer to csv file from command line
How to export Windows events stored in .evtx file to csv file from command line

/ClearChannelEvents  Clear all events of the specified channel, for example:
  FullEventLogView.exe /RunAsAdmin /ClearChannelEvents "Microsoft-Windows-WLAN-AutoConfig/Operational"
/cfg  Start FullEventLogView with the specified configuration file. For example:
  FullEventLogView.exe /cfg "c:\config\felv.cfg"
  FullEventLogView.exe /cfg "%AppData%\FullEventLogView.cfg"
/RunAsAdmin  Run FullEventLogView as administrator.
/stext  Save the event log items into a simple text file.
/stab  Save the event log items into a tab-delimited text file.
/scomma  Save the event log items into a comma-delimited text file (csv).
/stabular  Save the event log items into a tabular text file.
/shtml  Save the event log items into an HTML file (Horizontal).
/sverhtml  Save the event log items into an HTML file (Vertical).
/sxml  Save the event log items into an XML file.
/sjson  Save the event log items into a JSON file.
/SaveDirect  Save the event log items in SaveDirect mode, for use with the other save command-line options (/scomma, /stab, /sxml, and so on). In SaveDirect mode the event log items are saved directly to the disk, without loading them into memory first. Be aware that the sorting feature is not supported in SaveDirect mode.
/sort  This command-line option can be used with the other save options for sorting by the desired column. The parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Record ID" and "Event ID". You can specify the ‘ ’ prefix character (e.g: " Channel") if you want to sort in descending order. You can put multiple /sort options in the command line if you want to sort by multiple columns.

Eventlog Key

The event log contains the following standard logs as well as custom logs:

Log Description
Application Contains events logged by applications. For example, a database application might record a file error. The application developer decides which events to record.
Security Contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. An administrator can start auditing to record events in the security log.
System Contains events logged by system components, such as the failure of a driver or other system component to load during startup.
CustomLog Contains events logged by applications that create a custom log. Using a custom log enables an application to control the size of the log or attach ACLs for security purposes without affecting other applications.

The event logging service uses the information stored in the Eventlog registry key. The Eventlog key contains several subkeys, called logs. Each log contains information that the event logging service uses to locate resources when an application writes to and reads from the event log.

The structure of the Eventlog key is as follows:

Note that domain controllers record events in the Directory Service and File Replication Service logs, and DNS servers record events in the DNS Server log.

Each log can contain the following registry values.

Registry value Description
CustomSD Restricts access to the event log. This value is of type REG_SZ. The format used is Security Descriptor Definition Language (SDDL). Construct an ACL that grants one or more of the following rights:
  • Clear (0x0004)
  • Read (0x0001)
  • Write (0x0002)
To be syntactically valid SDDL, the CustomSD value must specify an owner and a group owner (for example, O:BAG:SY), but the owner and group owner are not used. If CustomSD is set to a wrong value, an event is fired in the System event log when the event log service starts, and the event log gets a default security descriptor which is identical to the original CustomSD value for the Application log. SACLs are not supported.
For more information, see Event Logging Security.
Windows Server 2003: SACLs are supported.
Windows XP/2000: This value is not supported.
DisplayNameFile This value is not used. Windows Server 2003 and Windows XP/2000: Name of the file that stores the localized name of the event log. The name stored in this file appears as the log name in Event Viewer. If this entry does not appear in the registry for an event log, Event Viewer displays the name of the registry subkey as the log name. This value is of type REG_EXPAND_SZ. The default value is %SystemRoot%\system32\els.dll.
DisplayNameID This value is not used. Windows Server 2003 and Windows XP/2000: Message identification number of the log name string. This number indicates the message in which the localized display name appears. The message is stored in the file specified by the DisplayNameFile value. This value is of type REG_DWORD.
File Fully qualified path to the file where each event log is stored. This enables Event Viewer and other applications to find the log files. This value is of type REG_SZ or REG_EXPAND_SZ. This value is optional. If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs\ followed by a file name that is based on the event log registry key name. The specific event log file path should be set using the command line utility wevtutil.exe or by using the EvtSetChannelConfigProperty function with EvtChannelLoggingConfigLogFilePath passed into the PropertyId parameter.
If a specific file is set, make sure that the event log service has full permissions on the file.
This value needs to be a valid file name for a file that is located on a local directory (not a remote computer, not a DOS device, not a floppy, and not a pipe). If the file setting is wrong, an event is fired in the System event log when the event log service starts.
Do not use environment variables, in the path to the file, that cannot be expanded in the context of the event log service.
Windows Server 2003 and Windows XP/2000: This value defaults to %SystemRoot%\system32\config\ followed by a file name that is based on the event log registry key name. If the File setting is set to an invalid value, the log will either not be initialized properly, or all requests will silently go to the default log (Application).
MaxSize Maximum size, in bytes, of the log file. This value is of type REG_DWORD. The value must be set to a multiple of 64K for a System, Application, or Security log. The default value is 1MB. Windows Server 2003 and Windows XP/2000: The value is limited to 0xFFFFFFFF, and the default value is 512K.
PrimaryModule This value is not used. Windows Server 2003 and Windows XP/2000: This value is the name of the subkey that contains the default values for the entries in the subkey for the event source. This value is of type REG_SZ.
Retention This value is of type REG_DWORD. The default value is 0. If this value is 0, the records of events are always overwritten. If this value is 0xFFFFFFFF or any nonzero value, records are never overwritten. When the log file reaches its maximum size, you must clear the log manually; otherwise, new events are discarded. You must also clear the log before you can change its size. Windows Server 2003 and Windows XP/2000: This value is the time interval, in seconds, that records of events are protected from being overwritten. When the age of an event reaches or exceeds this value, it can be overwritten.
Sources This value is not used. Windows Server 2003 and Windows XP/2000: Names of the applications, services, or groups of applications that write events to this log. This value should only be read and not altered. The event log service maintains the list based on each program listed in a subkey under the log. This value is of type REG_MULTI_SZ.
AutoBackupLogFiles This value is of type REG_DWORD, and is used by the event log service to determine whether an event log should be automatically saved. The default value is 0, which disables auto-backup. The service will back up the log file only if the retention value is -1 (0xFFFFFFFF). Other values will be ignored. Windows Server 2003: Retention can be set to -1 (0xFFFFFFFF) or 1 (0x00000001) for AutoBackupLogFiles to work. Other values will be ignored.
RestrictGuestAccess This value is not used. Windows XP/2000: This value is of type REG_DWORD, and the default value is 1. When the value is set to 1, it restricts the Guest and Anonymous account access to the event log, and when this value is 0, it allows Guest account access to the event log.
Isolation Defines the default access permissions for the log. This value is of type REG_SZ. You can specify one of the following values:
  • Application
  • System
  • Custom

The default isolation is Application. The default permissions for Application are (shown using SDDL):
The default permissions for System are (shown using SDDL):
The default permissions for Custom isolation are the same as for Application.
Windows Server 2003 and Windows XP/2000: This value is not available.
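The CustomSD, MaxSize, Retention and AutoBackupLogFiles rules above are exactly what a configuration audit should check, because a principal with the Clear right can erase the log and a wrong Retention value silently disables auto-backup. The following Python script is an added example (not code from the Eventlog documentation): it splits a CustomSD string into its O:/G:/D:/S: sections, maps each access-allowed ACE's mask onto the Read/Write/Clear bits the page lists, flags SACLs and Clear grants to principals other than LocalSystem (SY) and Builtin Administrators (BA), and applies the MaxSize/Retention/AutoBackupLogFiles rules. Symbolic rights strings (GA, GR, ...) are not translated, and the sample values are constructed.

```python
import re

# Added example, not part of the Eventlog documentation.
LOG_RIGHTS = {0x0001: "Read", 0x0002: "Write", 0x0004: "Clear"}  # access bits listed on the page
NEVER_OVERWRITE = 0xFFFFFFFF
ADMIN_PRINCIPALS = {"SY", "BA"}  # SDDL abbreviations: LocalSystem, Builtin Administrators
# type;flags;rights;object_guid;inherit_object_guid;sid
ACE_RE = re.compile(r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<mask>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)")


def split_sections(sddl):
    """Split an SDDL string into its O:, G:, D: and S: sections.

    Colons appear in SDDL only as section markers (ACEs and SIDs contain none),
    so each marker starts a section that runs to the next marker.
    """
    markers = list(re.finditer(r"([OGDS]):", sddl))
    sections = {}
    for i, mk in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        sections[mk.group(1)] = sddl[mk.end():end]
    return sections


def parse_mask(text):
    """Numeric access mask of an ACE, or None for symbolic rights (GA, GR, ...)."""
    t = text.strip()
    if t.lower().startswith("0x"):
        return int(t, 16)
    return int(t) if t.isdigit() else None


def audit_customsd(sddl):
    """Report who may Read/Write/Clear the log and values the page says are invalid."""
    sections = split_sections(sddl)
    findings = []
    if "O" not in sections or "G" not in sections:
        findings.append("CustomSD must specify an owner (O:) and group owner (G:) to be valid SDDL")
    if "S" in sections:
        findings.append("SACL present: SACLs are not supported in CustomSD (except on Windows Server 2003)")
    grants = {}
    for ace in ACE_RE.finditer(sections.get("D", "")):
        if ace["type"] != "A":  # only access-allowed ACEs grant rights
            continue
        mask = parse_mask(ace["mask"])
        if mask is None:
            findings.append(f"symbolic rights {ace['mask']!r} for {ace['sid']} not evaluated")
            continue
        grants[ace["sid"]] = [name for bit, name in LOG_RIGHTS.items() if mask & bit]
    for sid, rights in grants.items():
        if "Clear" in rights and sid not in ADMIN_PRINCIPALS:
            findings.append(f"{sid} is granted Clear (0x0004) on the log")
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "grants": grants, "findings": findings}


def audit_retention(max_size, retention, auto_backup):
    """Apply the page's MaxSize, Retention and AutoBackupLogFiles rules."""
    findings = []
    if max_size % 0x10000:
        findings.append("MaxSize must be a multiple of 64K for System, Application and Security logs")
    if retention == 0:
        findings.append("Retention 0: oldest records are overwritten when the log is full")
    else:
        findings.append("Retention nonzero: records are never overwritten; new events are discarded once the log is full")
    if auto_backup and retention != NEVER_OVERWRITE:
        findings.append("AutoBackupLogFiles is ignored unless Retention is 0xFFFFFFFF")
    return findings


if __name__ == "__main__":
    # Constructed sample: Authenticated Users (AU) granted Clear, plus a SACL.
    sample = "O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x7;;;AU)S:(AU;SA;0x7;;;WD)"
    print(audit_customsd(sample))
    print(audit_retention(max_size=20 * 1024 * 1024, retention=0, auto_backup=1))
```

The script only evaluates strings; on a live system the values would be read from the log's registry subkey, and the CustomSD owner/group are parsed but, as the page notes, not used by the service.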

Each log also contains event sources. For more information, see Event Sources.
