The Windows Event Viewer captures a lot of information about your system—so much so that it may sometimes be hard to find what you're looking for. That's why the ability to create custom views is so handy.
For example, let's say you want to create a custom view that shows you only the times when the computer has been shut down or restarted. Start by displaying the Event Viewer. (The easiest way to do this is to use the search capabilities of Windows to look for "Event Viewer", without the quote marks.) (See Figure 1.)
Figure 1. Event Viewer main screen.
Since we're interested in system starts and shutdowns, use the left pane of the screen to navigate to Application and Services Logs | Microsoft | Windows | Diagnostics-Performance | Operational. After drilling down that far, the Event Viewer screen should be quite different from the main one you previously saw. (See Figure 2.)
Figure 2. Navigating to the
In the right pane, near the top, click on Create Custom View. Windows displays the Create Custom View dialog box. The Filter tab should be displayed in the dialog box. (See Figure 3.)
Figure 3. Creating a Custom View.
The controls in the dialog box allow you to specify exactly what you want to see in the view. You can specify the time the event was logged, what event level you're interested in, what log and source are to be used, the Event IDs to include, the keywords will be used to filter the view, and the user and computers related to the view.
Since we are interested in startups and shutdowns at any time, for any event level, and since we've already navigated to the correct event log, we don't need to change anything here. Similarly, we don't care about the event sources or really anything else on the screen except for the Event IDs. As it turns out, a Windows startup is denoted by the Event ID of 100, and a Windows shutdown is denoted by the Event ID of 200. So, all we need to do is enter the two numbers, separated by a comma, into the textbox that currently says "<All Event IDs>.
We enter "100,200" (without the quotes) in the textbox and click OK. Windows displays the Save Filter to Custom View dialog box, which provides the opportunity to specify a name for the view we are creating. (See Figure 4.)
Figure 4. Saving the Custom View.
I'll name the custom view "Restarts" and provide a brief description about the view. Then I click OK to save the new custom view. The name of the view appears in the right pane of the Event Viewer and can easily be displayed by simple double-clicking on it. I now have just the information I want, without all the other events logged by Windows.
This tip (12819) applies to Windows 7, 8, and 10.
The Application event log holds messages generated by applications and services. This tip explains more about it.
Discover MoreYou don't need to worry about event logs filling up your disk, but you still may want to clean them out eventually. This ...
Discover MoreFiltering a log in the Event Viewer allows you quick access to those events you're interested in watching over time. This ...
Discover MoreThere are currently no comments for this tip. (Be the first to leave your comment—just use the simple form above!)
Copyright © 2024 Sharon Parq Associates, Inc.
Comments