Windows 7 / Getting Started

Understanding Views

When Event Viewer is opened, the Overview And Summary screen is displayed, which summarizes all events across all Windows Logs. The total number of events for each type that have occurred are displayed, with additional columns that display the number of events of each type that have occurred over the last seven days, the last 24 hours, or the last hour. Clicking on the + (plus) sign allows you to browse to each event type and display the Event ID, Source, and Log in which the event occurred. Double-clicking a specific event summary takes you directly to that event in the log and automatically creates a filtered view showing all individual events with that event source and event ID, which can be accessed from the left pane.

You can configure persistent event filters by using the Custom Views node in Event Viewer. You can create views automatically by double-clicking events in the summary view, or you can create views manually. A built-in custom view named Administrative Events shows all events on the system that may require administrative action by filtering errors and warnings across all admin logs on the system.

To create a view (filter) manually, follow these steps:

  1. Right-click Custom Views and then select Create Custom View.
  2. In the Create Custom View dialog box, shown here, enter the criteria for which you want events displayed.
    Create Custom View

    You can also click the XML tab and enter the XML filter directly. This may be useful if you are creating an advanced query for which the graphical user interface (GUI) options in the Filter tab are insufficient. Note that when you have edited a filter in the XML tab, you cannot return to the Filter tab for that filter.
  3. Select the fields used to filter events using the following criteria:
    • By Log If you are filtering by log, first select the logs you are interested in. The Event Logs drop-down list adjusts to the list of logs relevant for those sources.
    • By Source If you are filtering by source, pick the sources of interest first. The Sources drop-down list adjusts to just the sources available in those logs.
    • Logged Last Hour, Last 12 Hours, Last 24 Hours, Last 7 Days, or Last 30 Days. Selecting Custom Range brings up the Custom Range dialog box, allowing you to select a much more specific date range, including when events start and when they stop.
    • Event Level Select Critical, Warning, Verbose, Error, or Information.
    • Event Logs Click the drop-down arrow to open the Event Log Selection window. Select the event log or event logs that you want to include in the view.
    • Event Sources Click the drop-down arrow to display a list of available sources for the selected log so that you can specify which event source(s) to include in the view. In some cases, certain sources may not be listed (usually this can happen for event sources from older versions of Windows), in which case you can type in the source name manually.
    • Include/Exclude Event IDs Enter Event ID numbers or ranges to be included or excluded, separated by commas. To exclude a number, include a minus sign in front of it. For example, typing 1,3,5-99,-76 will include event IDs 1, 3, 5 through 99 and exclude 76.
    • Task Category Select a task category to filter for events that specify that task category.
    • Keywords Enter keywords to be included in the filter.
    • User Enter the user name by which to filter the events.
    • Computer Enter the computer name by which to filter events. This will likely be used when filtering saved logs from other computers or when filtering events forwarded from several computers on to a centralized log.
  4. Click OK, name the view, and then select where the view will be saved. Create a new folder, if needed, to better categorize custom views you create for various purposes. By default, custom views defined on a computer will be available to all users on that computer. To define a custom view private to the current user, clear the All Users check box before saving the view. Custom views are saved and you may reuse them any time you run Event Viewer in the future. Furthermore, you can also export custom views into an XML file at a specified location or imported from an XML file. This allows administrators to share interesting event views by exporting them to a shared location and importing into various Event Viewer consoles as needed.
[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 7 Desktop Maintenance
  2. Performance Monitoring
  3. Improvements to Performance Monitoring in Windows 7
  4. Using Performance Monitor
  5. Real-Time Performance Monitoring
  6. Performance Monitor Logging
  7. Creating a Data Collector Set
  8. Configuring a Data Collector Set
  9. Using Data Manager to View Performance Data
  10. Starting and Stopping Data Logging
  11. Viewing Performance Data
  12. Comparing Performance Monitor Logs
  13. Performance Monitor User Rights
  14. Remote Data Collection
  15. Using Windows PowerShell for Performance Monitoring
  16. Resource Monitor
  17. Overview Tab
  18. CPU Tab
  19. Memory Tab
  20. Disk Tab
  21. Network Tab
  22. Reliability Monitor
  23. How Reliability Monitor Works
  24. Windows Performance Tools Kit
  25. Event Monitoring
  26. Understanding the Windows Event Architecture
  27. Channels
  28. Improvements to Event Monitoring in Windows 7
  29. Using Event Viewer
  30. Understanding Views
  31. Viewing Event Logs
  32. Saving Event Logs
  33. Configuring Event Subscriptions
  34. Considerations for Workgroup Environments
  35. Creating a New Subscription
  36. Using the Windows Events Command-Line Utility for Event Monitoring
  37. Using Windows PowerShell for Event Monitoring
  38. Using Task Scheduler
  39. Improvements to Task Scheduler in Windows 7
  40. Understanding Tasks
  41. Understanding the Task Scheduler Architecture
  42. Understanding Task Scheduler Security
  43. Credentials Management
  44. Securing Running Tasks
  45. Understanding AT and Task Scheduler v1.0 Compatibility Modes
  46. Understanding the Task Scheduler Snap-in
  47. Understanding Default Tasks
  48. Creating Tasks
  49. Defining Triggers
  50. At Startup Trigger
  51. On Connection To AND Disconnect From User Session Triggers
  52. On Workstation Lock AND Unlock Triggers
  53. Defining Actions
  54. Defining Conditions
  55. Defining Settings
  56. Managing Tasks
  57. Viewing History
  58. Using SchTasks.exe for Creating and Managing Tasks
  59. Task Scheduler Events
  60. Troubleshooting Task Scheduler
  61. Tasks Won't Run If the Service Is Not Started
  62. The Task Will Run Only When a Certain User Is Logged On
  63. The Task Action Failed to Execute
  64. Interpreting Result and Return Codes
  65. Understanding the Windows System Assessment Tool
  66. Understanding WinSAT Assessment Tests
  67. Examining the WinSAT Features Assessment
  68. Running WinSAT from the Command Line
  69. Understanding WinSAT Command Exit Values
  70. Running WinSAT Using Performance Information and Tools
  71. System Capabilities Section
  72. OEM Upsell And Help Section
  73. Understanding Windows Error Reporting
  74. Overview of Windows Error Reporting
  75. How WER Works
  76. Store Management System
  77. ReportArchive Folder
  78. WER Service
  79. Understanding the Error Reporting Cycle
  80. Understanding WER Data
  81. Configuring WER Using Group Policy
  82. Configuring WER Using the Action Center