Event Logging (Windows Installer)
Windows event logging provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. Prior to Windows Vista, you would use either Event Tracing for Windows (ETW) or Event Logging to log events. Windows Vista introduced a new eventing model that unifies ETW and the Windows Event Log API.
The installer also writes entries into the event log. These record events such as the following:
- Success or failure of the installation; removal or repair of a product.
- Errors that occur during product configuration.
- Detection of corrupted configuration data.
If a large amount of information is written, the Event Log file can become full and the installer displays the message "The Application log file is full."
The installer may write the following entries in the event log. All event log messages have a unique event ID. All general errors authored in the Error table that are returned for an installation are logged in the Application Event Log with a message ID equal to the Error table number + 10,000. For example, the Error table number for an installation that completed successfully is 1707, so a successful installation is logged in the Application Event Log with a message ID of 11707 (1707 + 10,000). Because the Application log mixes many sources, filter on the source (MsiInstaller) together with the ID, not on the ID alone.
For information about how to enable verbose logging on a user’s computer when troubleshooting deployment, see Windows Installer Best Practices.
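The following is an added example, not part of the Windows Installer documentation above. It applies the Error-table + 10,000 rule to query MsiInstaller entries from the Application log, filtering on source and ID together, and then checks the log's size and retention policy so that a full log does not silently drop installer events. Of the Error-table numbers used, 1707 is quoted in the text above; 1708 (installation failed) is an assumption, as is the message layout the regular expression expects.

```powershell
# Added example (not from the Windows Installer documentation).
# Event IDs: Error table number + 10000. 1707 comes from the text; 1708 is assumed here.

function ConvertTo-MsiEventId {
    # Windows Installer logs Error-table message N as Application event ID N + 10000
    param([Parameter(Mandatory)][int]$ErrorTableId)
    return $ErrorTableId + 10000
}

$InstallOk     = ConvertTo-MsiEventId -ErrorTableId 1707   # 11707, from the text
$InstallFailed = ConvertTo-MsiEventId -ErrorTableId 1708   # 11708, assumed

# Filter on source (provider) AND ID: other sources in the Application log reuse the same IDs
$MsiEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = $InstallOk, $InstallFailed
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $MsiEvents) {
    # Assumed message layout: "Product: <name> -- Installation completed successfully." (or "-- Installation failed.")
    $product = if ($e.Message -match 'Product:\s*(.+?)\s+--') { $Matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Outcome = if ($e.Id -eq $InstallOk) { 'success' } else { 'failed' }
        User    = $e.UserId      # SID of the account that ran the installer
        Product = $product
    }
}

# The text warns that the Application log can fill up: show its current size, limit and retention mode
$log = Get-WinEvent -ListLog Application
'{0}: {1:N0} of {2:N0} bytes used, mode={3}' -f $log.LogName, $log.FileSize, $log.MaximumSizeInBytes, $log.LogMode

# To raise the limit and keep the newest entries (needs administrative rights):
# Limit-EventLog -LogName Application -MaximumSize 256MB -OverflowAction OverwriteAsNeeded
```

Reading the Application log needs no special rights, but changing its limits does. If the log mode is Retain rather than Circular, the "log file is full" condition described above will stop new installer events from being written instead of overwriting old ones.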
Windows Event Logs — Event Log FAQ
What is Windows event log?
Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log. Users might find the details in event logs helpful when troubleshooting problems with Windows and other programs.
Unlike a UNIX syslog, a Microsoft Windows event log is not a text file and cannot be read with a plain text editor. It is a binary file made up of special records, the Windows events.
Microsoft Windows runs the Event Log Service to manage event logs, configure event publishing, and perform operations on the logs. The service exposes a dedicated API through which applications maintain and manage event logs.
Windows event logging was introduced with Windows NT 3.1 in 1993. That release came with three logs: the Application, System and Security event logs. Modern versions of Windows ship with well over a hundred event logs, and third-party applications can create their own event logs and integrate them into Windows logging.
How to view event logs?
You can view event logs using Event Viewer (which ships with Windows) or a third-party Windows event viewer. We recommend our Event Log Explorer software, which provides many advanced features for event log management.
What is Windows Event Log Service?
The Windows Event Log Service is a Windows service that manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata, and it can render events in both XML and plain text. The service is enabled and starts automatically by default. You should not stop or disable it: stopping the Windows Event Log service compromises the security and reliability of the system, because nothing is recorded while it is down.
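Because an attacker who wants to hide activity will go after exactly this service, a practitioner will want to verify its state and look for the events that record it being shut down or its Security log being cleared. The following is an added example, not part of the FAQ; it relies on two well-known Security-log events written by the Microsoft-Windows-Eventlog provider (1100, the event logging service has shut down; 1102, the audit log was cleared). The seven-day window is an arbitrary choice.

```powershell
# Added example (not from the FAQ): check the Event Log service and look for tamper signals.

# 1. The service should be running and set to start automatically
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
    Write-Warning ('EventLog service: state={0} startmode={1}' -f $svc.State, $svc.StartMode)
} else {
    'EventLog service is running (start mode: {0})' -f $svc.StartMode
}

# 2. Security-log events that record the service stopping (1100) or the log being cleared (1102).
#    Reading the Security log requires administrative rights or membership in Event Log Readers.
$tamper = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Eventlog'
    Id           = 1100, 1102
    StartTime    = (Get-Date).AddDays(-7)   # arbitrary look-back window
} -ErrorAction SilentlyContinue

if (-not $tamper) {
    'No 1100/1102 events in the last 7 days'
}
foreach ($e in $tamper) {
    $what = if ($e.Id -eq 1102) { 'Security log cleared' } else { 'event logging service shut down' }
    # First line of the rendered message is enough to see who did it (1102 names the account)
    '{0}  {1,-32} {2}' -f $e.TimeCreated, $what, ($e.Message -split "`r?`n")[0]
}
```

A 1100 event at every clean shutdown is normal; what matters is a 1100 with no matching system restart, or a 1102 outside a planned maintenance window. Both should be forwarded to a collector before they can be removed locally.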
What are Windows event log files?
The Windows Event Log Service lets users save (back up) event logs to files. Windows NT, 2000 and XP/2003 save event logs in EVT format; Windows Vista/2008 and later save them in EVTX format. Having backup event files is essential for incident investigation.
Windows event logs are files too, but on a running system they are held open by the Event Log Service, so they should be exported through the API (Event Viewer's Save All Events As, or wevtutil epl) rather than opened as plain files. If the computer is started from another disk, or the system drive from the analyzed machine is attached to another computer, the event logs can be read directly as files. The default location of event logs on Vista/2008 and later is "C:\Windows\System32\winevt\Logs\". Windows Event Viewer allows you to open an event file as follows:
Click Open Saved Log in Actions pane of Event Viewer.
Select your event log file and it will appear in Windows Event Viewer as a log.
Our Event Log Explorer software also works with event files and does it even better than Event Viewer, e.g. it lets you read even damaged event files.
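The export-then-open procedure above, as an added example in PowerShell that is not part of the FAQ. It exports the Security log through the Event Log API (so the live, service-held file is never opened directly), confirms the result carries the EVTX file signature, and then queries the saved copy the way Event Viewer's Open Saved Log does. The export path, the XPath filter (logon success/failure events 4624 and 4625) and the offline drive letter are assumptions.

```powershell
# Added example (not from the FAQ): export, verify and read an .evtx file.
# Exporting the Security log needs administrative rights.
$Export = Join-Path $env:TEMP 'Security-backup.evtx'   # assumed output path

# wevtutil epl = export log. The optional /q: XPath keeps only the events of interest.
wevtutil.exe epl Security $Export "/q:*[System[(EventID=4624 or EventID=4625)]]"

# Every EVTX file starts with the 8-byte signature "ElfFile\0"; legacy .evt files do not.
$fs = [System.IO.File]::OpenRead($Export)
try {
    $magic = New-Object byte[] 8
    [void]$fs.Read($magic, 0, 8)
} finally {
    $fs.Dispose()
}
if ([System.Text.Encoding]::ASCII.GetString($magic) -ne "ElfFile`0") {
    throw "$Export does not carry the EVTX file signature"
}

# Read the saved copy. For 4624/4625, Properties[5] is TargetUserName (the account logging on).
Get-WinEvent -Path $Export -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }

# The same -Path form works against a log file on an offline system drive mounted as E: (assumed letter):
# Get-WinEvent -Path 'E:\Windows\System32\winevt\Logs\Security.evtx' -FilterXPath '*[System[EventID=4625]]'
```

When the file comes from another machine, message rendering may be incomplete because the provider's message resources are not installed locally; the Properties array is still intact, which is why the example reads the account name from it rather than from the rendered message.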
What is Windows Application event log?
The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. Program developers decide which events are logged: Microsoft SQL Server, for instance, logs details about important events such as "out of memory" or "backup failure". One Application log commonly contains events from many different sources (applications), and different sources reuse the same event ID numbers, so it is incorrect to rely solely on the event ID when analyzing the Application log. Always use the event ID together with the event source. Some applications, such as Internet Explorer and PowerShell, create their own event log instead of using the Application log. Such logs look exactly like the standard Windows event logs, and Event Viewer (as well as Event Log Explorer) can read them. Application logs are commonly useful for application support teams.
What is Windows System event log?
The System log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by Windows. Similarly to Application log, System event log lists events from different sources (system components) so you should not rely only on event ID when analyzing System log, instead you should rely on event ID along with event source. System logs are essential for system administrators and technicians.
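The warning in the two sections above, that an event ID is only meaningful together with its source, can be checked directly. The following is an added example, not part of the FAQ: it groups the newest Application entries by ID and lists every ID that more than one source has used, then shows the unambiguous query form (source plus ID) against the System log, using event 7045 from Service Control Manager (a new service was installed), a well-known ID worth watching. The sample size of 5000 is arbitrary.

```powershell
# Added example (not from the FAQ): find event IDs shared by several sources, then query correctly.

$recent = Get-WinEvent -LogName Application -MaxEvents 5000 -ErrorAction SilentlyContinue

$shared = $recent |
    Group-Object -Property Id |
    ForEach-Object {
        # Distinct providers (sources) that used this ID within the sample
        $sources = @($_.Group.ProviderName | Sort-Object -Unique)
        if ($sources.Count -gt 1) {
            [pscustomobject]@{
                Id      = [int]$_.Name
                Sources = ($sources -join ', ')
                Count   = $_.Count
            }
        }
    }

'Event IDs used by more than one source in the last {0} Application entries:' -f $recent.Count
$shared | Sort-Object -Property Id | Format-Table -AutoSize

# The unambiguous form: source (provider) and ID together. 7045 from Service Control Manager
# records a newly installed service, one of the System-log events a defender should review.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'ServiceName'; e = { $_.Properties[0].Value } },
                                   @{ n = 'ImagePath';   e = { $_.Properties[1].Value } }
```

For 7045, Properties[0] is the service name and Properties[1] the image path, so the filter and the projection together answer "which services were installed, from which binaries" without any message-text parsing.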
EventLogEntryType Enum
Definition
Specifies the event type of an event log entry. The members, with their numeric values, are:
Error (1): An error event. This indicates a significant problem the user should know about; usually a loss of functionality or data.
FailureAudit (16): A failure audit event. This indicates a security event that occurs when an audited access attempt fails; for example, a failed attempt to open a file.
Information (4): An information event. This indicates a significant, successful operation.
SuccessAudit (8): A success audit event. This indicates a security event that occurs when an audited access attempt is successful; for example, logging on successfully.
Warning (2): A warning event. This indicates a problem that is not immediately significant, but that may signify conditions that could cause future problems.
Examples
The following code example demonstrates how to use the EventLogEntryType class to add information about triggered events to a log. In this example, a switch statement is used to determine the event type. Each case statement uses EventLogEntryType to specify the event type, gets the message and ID, and then writes the information to the log.
Remarks
The type of an event log entry provides additional information for the entry. Applications set the entry type when they write the entry to the event log.
Each event must be of a single type; the event types cannot be combined for an entry. Event Viewer uses this type to determine which icon to display in the list view of the log.
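The code listing the Examples section refers to is not on this page. What follows is an added reconstruction of the same switch-based pattern in PowerShell, using the same System.Diagnostics types through Write-EventLog; it is not the .NET documentation's own sample. The source name "DemoApp", the event IDs 1001 to 1005 and the sample messages are assumptions.

```powershell
# Added example (not the .NET documentation's sample): one EventLogEntryType per entry, chosen by a switch.
# "DemoApp" and the IDs 1001-1005 are made up for this example.
$Source = 'DemoApp'

# A source must be registered before it can write; this needs administrative rights and is done once.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Write-DemoEvent {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Error', 'Warning', 'Information', 'SuccessAudit', 'FailureAudit')]
        [string]$Kind,
        [Parameter(Mandatory)][string]$Message
    )
    # Each case picks exactly one EventLogEntryType (Error=1, Warning=2, Information=4,
    # SuccessAudit=8, FailureAudit=16) and the event ID that goes with it.
    switch ($Kind) {
        'Error'        { $Type = [System.Diagnostics.EventLogEntryType]::Error;        $Id = 1001 }
        'Warning'      { $Type = [System.Diagnostics.EventLogEntryType]::Warning;      $Id = 1002 }
        'Information'  { $Type = [System.Diagnostics.EventLogEntryType]::Information;  $Id = 1003 }
        'SuccessAudit' { $Type = [System.Diagnostics.EventLogEntryType]::SuccessAudit; $Id = 1004 }
        'FailureAudit' { $Type = [System.Diagnostics.EventLogEntryType]::FailureAudit; $Id = 1005 }
    }
    # Applications write audit-type entries to their own log or Application; only the LSA writes to Security.
    Write-EventLog -LogName Application -Source $Source -EntryType $Type -EventId $Id -Message $Message
}

# Constructed sample events
Write-DemoEvent -Kind FailureAudit -Message 'Sample: access to config.json denied for user alice'
Write-DemoEvent -Kind Information  -Message 'Sample: service started'

# Read them back: each entry carries a single EntryType, which Event Viewer maps to its icon
Get-EventLog -LogName Application -Source $Source -Newest 2 |
    Select-Object TimeGenerated, EntryType, EventID, Message
```

Write-EventLog cannot target the Security log, which is why the audit types are written to Application here; they still display with the audit icons, but they are not subject to the audit policy that governs the Security log.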
Get-EventLog
Gets the events in an event log, or a list of the event logs, on the local computer or remote computers.
Syntax
Description
The Get-EventLog cmdlet gets events and event logs from local and remote computers. By default, Get-EventLog gets logs from the local computer. To get logs from remote computers, use the ComputerName parameter.
You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values.
PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent.
Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. Use the Get-WinEvent cmdlet instead.
Examples
Example 1: Get event logs on the local computer
This example displays the list of event logs that are available on the local computer. The names in the Log column are used with the LogName parameter to specify which log is searched for events.
The Get-EventLog cmdlet uses the List parameter to display the available logs.
Example 2: Get recent entries from an event log on the local computer
This example gets recent entries from the System event log.
The Get-EventLog cmdlet uses the LogName parameter to specify the System event log. The Newest parameter returns the five most recent events.
Example 3: Find all sources for a specific number of entries in an event log
This example shows how to find all of the sources that are included in the 1000 most recent entries in the System event log.
The Get-EventLog cmdlet uses the LogName parameter to specify the System log. The Newest parameter selects the 1000 most recent events. The event objects are stored in the $Events variable. The $Events objects are sent down the pipeline to the Group-Object cmdlet. Group-Object uses the Property parameter to group the objects by source and counts the number of objects for each source. The NoElement parameter removes the group members from the output. The Sort-Object cmdlet uses the Property parameter to sort by the count of each source name. The Descending parameter sorts the list in order by count from highest to lowest.
Example 4: Get error events from a specific event log
This example gets error events from the System event log.
The Get-EventLog cmdlet uses the LogName parameter to specify the System log. The EntryType parameter filters the events to show only Error events.
Example 5: Get events from an event log with an InstanceId and Source value
This example gets events from the System log for a specific InstanceId and Source.
The Get-EventLog cmdlet uses the LogName parameter to specify the System log. The InstanceId parameter selects the events with the specified Instance ID. The Source parameter specifies the event source. Note that InstanceId is the full 32-bit message identifier, which for some sources includes severity bits and therefore differs from the EventID value shown in Event Viewer.
Example 6: Get events from multiple computers
This command gets the events from the System event log on three computers: Server01, Server02, and Server03.
The Get-EventLog cmdlet uses the LogName parameter to specify the System log. The ComputerName parameter uses a comma-separated string to list the computers from which you want to get the event logs.
Example 7: Get all events that include a specific word in the message
This command gets all the events in the System event log that contain a specific word in the event's message. The value you give the Message parameter may be present in the message content even though it isn't displayed on the PowerShell console.
The Get-EventLog cmdlet uses the LogName parameter to specify the System event log. The Message parameter specifies a word to search for in the message field of each event.
Example 8: Display the property values of an event
This example shows how to display all of an event’s properties and values.
The Get-EventLog cmdlet uses the LogName parameter to specify the System event log. The Newest parameter selects the most recent event object. The object is stored in the $A variable. The object in the $A variable is sent down the pipeline to the Select-Object cmdlet. Select-Object uses the Property parameter with an asterisk ( * ) to select all of the object’s properties.
Example 9: Get events from an event log using a source and event ID
This example gets events for a specified Source and Event ID.
The Get-EventLog cmdlet uses the LogName parameter to specify the Application event log. The Source parameter specifies the application name, Outlook. The objects are sent down the pipeline to the Where-Object cmdlet. For each object in the pipeline, Where-Object compares the EventID property ($_.EventID) to the specified value. The objects are sent down the pipeline to the Select-Object cmdlet. Select-Object uses the Property parameter to select the properties to display in the PowerShell console.
Example 10: Get events and group by a property
The Get-EventLog cmdlet uses the LogName parameter to specify the System log. The UserName parameter includes the asterisk ( * ) wildcard to specify a portion of the user name. The event objects are sent down the pipeline to the Group-Object cmdlet. Group-Object uses the Property parameter to specify that the UserName property is used to group the objects and count the number of objects for each user name. The NoElement parameter removes the group members from the output. The objects are sent down the pipeline to the Select-Object cmdlet. Select-Object uses the Property parameter to select the properties to display in the PowerShell console.
Example 11: Get events that occurred during a specific date and time range
This example gets Error events from the System event log for a specified date and time range. The Before and After parameters set the boundaries of the range; events stamped exactly at either boundary are excluded from the output.
The Get-Date cmdlet uses the Date parameter to specify a date and time. The DateTime objects are stored in the $Begin and $End variables. The Get-EventLog cmdlet uses the LogName parameter to specify the System log. The EntryType parameter specifies the Error event type. The date and time range is set by the After parameter and $Begin variable and the Before parameter and $End variable.
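The command listings for Examples 1 to 11 are not on this page. What follows is an added reconstruction from their descriptions, not the cmdlet reference's own listings, with the Get-WinEvent form recommended in the Description alongside where one exists. Server01 to Server03, Outlook, the message text and the user-name pattern are the placeholders the descriptions mention; the dates, the InstanceId/Source pair and the Outlook event ID are assumed sample values.

```powershell
# Added example: Examples 1-11 reconstructed from their descriptions, with Get-WinEvent equivalents.

# Example 1: available logs (classic API) and channels with at least one record (modern API)
Get-EventLog -List
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object RecordCount -gt 0

# Example 2: the five newest System entries
Get-EventLog -LogName System -Newest 5
Get-WinEvent -LogName System -MaxEvents 5

# Example 3: every source present in the 1000 newest System entries, busiest first
$Events = Get-EventLog -LogName System -Newest 1000
$Events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending

# Example 4: Error entries only (Level 2 is Error in the modern API)
Get-EventLog -LogName System -EntryType Error
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 20 -ErrorAction SilentlyContinue

# Example 5: a specific InstanceId from a specific source (sample values). InstanceId is the full
# 32-bit message ID, EventID only its low 16 bits, so for sources such as Service Control Manager
# they differ and filtering on -InstanceId with the EventID value returns nothing.
Get-EventLog -LogName System -InstanceId 10016 -Source DCOM -ErrorAction SilentlyContinue
Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 1 |
    ForEach-Object { 'InstanceId {0} -> EventID {1} (low 16 bits: {2})' -f $_.InstanceId, $_.EventID, ($_.InstanceId -band 0xFFFF) }

# Example 6: the same log from several computers (RPC to each remote Event Log service, not PowerShell remoting)
Get-EventLog -LogName System -ComputerName Server01, Server02, Server03

# Example 7: message text search; the wildcards are needed because the whole message is matched
Get-EventLog -LogName System -Message '*description of*'

# Example 8: every property of the newest entry
$A = Get-EventLog -LogName System -Newest 1
$A | Select-Object -Property *

# Example 9: source plus event ID. Where-Object on EventID avoids the InstanceId pitfall from Example 5.
Get-EventLog -LogName Application -Source Outlook |
    Where-Object { $_.EventID -eq 63 } |
    Select-Object -Property Source, EventID, InstanceId, Message

# Example 10: entries grouped by the user name that produced them
Get-EventLog -LogName System -UserName NT* |
    Group-Object -Property UserName -NoElement |
    Select-Object -Property Count, Name

# Example 11: Error entries in a window. -After/-Before are exclusive, so an entry stamped exactly
# on a boundary is not returned; re-run with the boundary nudged if that matters for a timeline.
$Begin = Get-Date -Date '2019-01-17 08:00:00'
$End   = Get-Date -Date '2019-01-17 17:00:00'
Get-EventLog -LogName System -EntryType Error -After $Begin -Before $End
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $Begin; EndTime = $End } -ErrorAction SilentlyContinue
```

Two practical differences drive the recommendation to prefer Get-WinEvent: its FilterHashtable is applied by the Event Log service before records are returned, whereas Get-EventLog retrieves entries and filters most parameters on the client, and only Get-WinEvent can read the non-classic channels (Microsoft-Windows-Sysmon/Operational, PowerShell/Operational and the like) that most security-relevant telemetry now lands in.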
Parameters
-After
Gets events that occurred after a specified date and time. The After parameter date and time are excluded from the output. Enter a DateTime object, such as the value returned by the Get-Date cmdlet.
Type: DateTime
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AsBaseObject
Indicates that this cmdlet returns a standard System.Diagnostics.EventLogEntry object for each event. Without this parameter, Get-EventLog returns an extended PSObject with additional EventLogName, Source, and InstanceId properties.
To see the effect of this parameter, pipe the events to the Get-Member cmdlet and examine the TypeName value in the result.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AsString
Indicates that this cmdlet returns the output as strings, instead of objects.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Before
Gets events that occurred before a specified date and time. The Before parameter date and time are excluded from the output. Enter a DateTime object, such as the value returned by the Get-Date cmdlet.
Type: DateTime
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ComputerName
This parameter specifies a remote computer's NetBIOS name, Internet Protocol (IP) address, or fully qualified domain name (FQDN).
If the ComputerName parameter isn't specified, Get-EventLog defaults to the local computer. The parameter also accepts a dot (.) to specify the local computer.
The ComputerName parameter doesn't rely on Windows PowerShell remoting; it reads the remote log over RPC. You can use Get-EventLog with the ComputerName parameter even if your computer is not configured to run remote commands.
Type: String[]
Aliases: Cn
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-EntryType
Specifies, as a string array, the entry type of the events that this cmdlet gets.
The acceptable values for this parameter are:
- Error
- Information
- FailureAudit
- SuccessAudit
- Warning
Type: String[]
Aliases: ET
Accepted values: Error, Information, FailureAudit, SuccessAudit, Warning
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Index
Specifies the index values to get from the event log. The parameter accepts a comma-separated string of values.
Type: Int32[]
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-InstanceId
Specifies the Instance IDs to get from the event log. The parameter accepts a comma-separated string of values.
Type: Int64[]
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-List
Displays the list of event logs on the computer.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-LogName
Specifies the name of one event log. To find the log names, use Get-EventLog -List. Wildcard characters are permitted. This parameter is required.
Type: String
Aliases: LN
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: True
-Message
Specifies a string in the event message. You can use this parameter to search for messages that contain certain words or phrases. Wildcards are permitted.
Type: String
Aliases: MSG
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: True
-Newest
Begins with the newest events and gets the specified number of events. The number of events is required, for example -Newest 100. It specifies the maximum number of events that are returned.
Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Source
Specifies, as a string array, the sources whose entries this cmdlet gets from the log. Wildcards are permitted.
Type: String[]
Aliases: ABO
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: True
-UserName
Specifies, as a string array, user names that are associated with events. Enter names or name patterns, such as User01, User*, or Domain01\User*. Wildcards are permitted.
Type: String[]
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: True
Inputs
None
You cannot pipe input to Get-EventLog.
Outputs
System.Diagnostics.EventLogEntry, System.Diagnostics.EventLog, System.String
If the LogName parameter is specified, the output is a collection of System.Diagnostics.EventLogEntry objects.
If only the List parameter is specified, the output is a collection of System.Diagnostics.EventLog objects.
If both the List and AsString parameters are specified, the output is a collection of System.String objects.
Notes
The cmdlets Get-EventLog and Get-WinEvent are not supported in the Windows Preinstallation Environment (Windows PE).