The Event Viewer in Windows 7 and Windows 8.x allows you to save Filters by using the Create Custom View feature. Greg Shultz explains how.
As you may know, Window's Event Viewer contains operational, analytic/debugging, and application logs that contain information generated by program, security, and system events that occur on your computer. This means that just about everything that happens on your Windows system creates an entry in one of those logs. This also means that Event Viewer is a gold mine of information when it comes to a troubleshooting expedition. However, so much information is logged in Event Viewer that it can be an overwhelming task to go looking for the information that you need to investigate your problem.
Fortunately, the Event Viewer in Windows 7 and Windows 8.x comes with a Filters feature that will allow you to separate the wheat from the chaff, so to speak, when you are seeking information on a specific problem. Even better is that Event Viewer allows you to save Filters by using the Create Custom View feature. When you create and save a custom view, you'll save yourself time and effort on future troubleshooting expeditions, because once you create your custom view, you'll be able to use it again. In fact, you can think of a custom view as a saved search or Favorite.
In this article, I'll show you how to use the Create Custom View feature in Windows 7 and Windows 8.x.
There are several ways that you can launch Event Viewer. One of those ways is from the Control Panel. When you open the Control Panel, access the System and Security category, and select the Administrative Tools item. Then, double-click the Event Viewer icon. When Event Viewer launches, you'll see the Overview and Summary panel (Figure A), which displays a list of the most recent events collected from all the logs.
The Overview and Summary panel displays a list of the most recent events.
Creating a Custom View
Once you have Event Viewer up and running, you can create a custom view. To begin, pull down the Action menu and select the Create Custom View command. You can also select the Create Custom View command from the Actions pane that appears in the right side of Event Viewer. Either way, you'll see the Create Custom View dialog box (Figure B).
You'll configure your custom view using the settings on the Filter tab.
When the Create Custom View dialog box appears, you'll see that it has two tabs titled Filter and XML. You'll use the settings on the Filter tab to create your custom view. We'll look at the XML tab in a future article. Right now, let's take a closer look at the Filter tab.
The Logged drop down allows you to specify when the event that you are looking for occurred. By default, this is set to Any time, which means that the view will essentially show you every single occurrence of the event you are looking for. However, you can be much more specific. When you click the drop-down menu, you'll find several options for specifying the number of hours or days (Figure C). There's even a Custom Range setting that will allow you to pick the exact time period you want.
You can select one of the preset options or specify a custom range.
In the Event level section (Figure D), you'll choose the level of the event that you are seeking.
You can choose one or multiple Event levels.
These levels (Table A) are essentially a classification of the event's severity. You can narrow your search by specifying a single level or widen your search by selecting multiple levels.
Using the By log / Event logs drop-down menu allows you to select the individual logs that you want to search. When you access the Event logs drop-down, you'll see a tree view that allows you to select any one of the Windows Logs or the Application and Services Logs (Figure E). Just select any of the check boxes adjacent to the logs that you want to investigate.
You can search the standard Windows Logs or the Applications and Services Logs.
The Windows Logs (Table B) contain the three standard logs (Application, Security, and System) and two newcomers introduced with Windows 7: Setup and Forwarded Events. The Applications and Services Logs vary and will include separate logs from the programs that run on your computer, plus detailed logs that record events from specific Windows services.
Using the By source / Event sources drop-down menu (Figure F), you can narrow your search to specific event sources rather than searching entire logs. An event source is essentially the name of the software component that logs the event. It is often the name of the application or the name of a subcomponent if the application is large. When you make a selection from the By source / Event sources drop-down, Event Viewer automatically selects the appropriate item from the By log / Event logs drop-down.
An event source is essentially the name of the software component that logs the event.
Windows uses event IDs to define the uniquely identifiable events that a system can encounter. Be default, the custom view will display all event IDs. However, if you know the event ID that you want to search for, you can narrow your search by entering an event ID (Figure G). If you want to search for multiple event IDs, separate the IDs with commas. If you want to include a range of IDs, separate the first number from the last with a dash (-). If you want exclude certain event IDs, precede those event IDs with a minus sign.
By default, a custom view will search for all event IDs.
Task categories are defined by the event source — there are no default categories. So, the Task category drop-down will only be populated if the selected event source contains task categories.
For example, if you select Microsoft Windows Security Auditing from the By source / Event sources drop-down, the Task category will become available, and the drop-down menu will be populated with choices (Figure H).
Task categories are defined by the event source — there are no default categories.
If you want to further target your search, you can use keywords. However, contrary to common use of the term, you cannot enter in your own keywords. In this case, a keyword is a term that Microsoft uses to group or classify types of events, and there are a set number of available predetermined keywords.
When you access the Keywords drop-down (Figure I), you can select the check box adjacent to any of the available keywords you want to use.
Keywords are terms that Microsoft uses to classify types of events.
User / Computer(s)
Now, if you have multiple people using the same computer, you can narrow your search down to a specific user by entering the user name in the User text box. The Computer(s) text box is designed for use on a system acting as a server, such as sharing folders or printers on a network (Figure J). In most cases, you can leave these settings at the default values — Any Users and Any Computers.
In most cases you can leave the User and Computer(s) settings at the default values.
Save a Custom View
Once you have configured your Custom View and click OK, you'll see the Save Filter to Custom View dialog box (Figure K). At this point, simply enter a name and click OK.
When you click OK, you'll see the Save Filter to Custom View dialog box.
Now, to use your custom view, just select it from the Custom Views tree, and you'll see the data it found in the main panel (Figure L).
Once you save your Custom View, you can run it anytime by selecting it from the Custom View branch of the Event Viewer tree.
How do you know what to choose?
Now that you know how to create and use a custom view in Event Viewer, you're probably wondering how you know what to choose when creating your own. Well, the answer is that you have to spend some time investigating events.
As you may recall, at the beginning of the article, I told you that when Event Viewer launches, you'll see the Overview and Summary panel, which displays a list of the most recent events collected from all the logs. When you find an event in the Overview and Summary panel that appears to indicate a problem you've encountered, double-click on it, and then access the Event Properties dialog box (Figure M). When you do, you'll find all the information that you need to fill in the Create Custom View dialog box. You'll just need to supply the date and time.
Using the information in the Event Properties dialog box, you can fill in the Create Custom View dialog box.
What's your take?
Have you used Event Viewer as an aid while on a troubleshooting expedition? Have you used the Create Custom View feature? As always, if you have comments or information to share about this topic, please take a moment to let us know in the discussion thread below.