How to Work with Custom Views in the Event Viewer

In our first tutorial about the Event Viewer I skipped over several items, promising to come back to them later. Now, let’s explore some of those items, to see what the Event Viewer can do for you, besides letting you look at what’s going on. There is definitely more here than meets the eye. In this tutorial we’ll explore how to create and save custom views, so you can keep an eye on any kind of logged information you are interested in.

Let’s get started: How to Access the Custom Views

Start the Event Viewer by typing event viewer into the Start Menu search box or on the Start screen (if you are using Windows 8). As before, it may take a moment to appear, as all the logs are being initialized. You can see that the first menu item in the left pane is Custom Views. Click on that, and you’ll see that Windows 7 has already provided one custom view: Administrative Events. Click on that.

Since Administrative Events was created to show you all the Critical, Error, and Warning events from all the Windows logs, you’ll immediately see a huge list of events with ominous tags. Here, I have used the minimized view so you can see what the whole screen will look like.

Keep in mind that if your computer did not crash and your software did not fail to work properly, these ominous messages don’t mean there’s anything really ominous going on. They’re just for your information, and in most cases Windows has already dealt with the problem before you even saw the messages.

How to Create a Custom View in Event Viewer

What, exactly, is a Custom View, and why would it be worth creating one of your own? Remember the screenshot from the previous tutorial where I showed all the warnings about my DVD-ROM drive? It took quite a while for me to scroll through the log and find them. What if I could create a Custom View that would display only the warnings in the Security log? Let’s try that.

Click on Create Custom View in the right pane. The Create Custom View window will pop up. You want to keep the default Filter tab selected (the XML tab is beyond the scope of this tutorial).

Keep the time frame Any Time selected, and select Warning from the check boxes below. Then drop down the Event Logs list and choose Security.

Since you want to look for information about the optical drive, choose By Source, select both cdrom and CDROM, and click OK.

The next box will ask you to give your new filter a name. Type Drive Warnings, add a description if you like (it’s optional) and click OK. Note that the default is to have your custom views available to all users of your computer. If there are other people who use your computer and you don’t want them to have access to this filter, un-check the All Users box in the lower right corner.

After you’ve clicked OK, your new custom filter will appear in the left pane. Click on it, and see your selected items appear in the center pane.

NOTE: You can also see just selected events by using the Filter Current Log command. Select the log you want to view, and click the Action menu. If you then click Filter Current Log, you’ll get exactly the same box that popped up under Create Custom View.

How to Save Logs in Event Viewer

Let’s say you wanted to keep track of certain events. One reason you might wish to do this is to check to see if some of your hardware is generating a lot of errors, which might mean it will soon need to be replaced. Since my DVD-ROM drive seems to generate a fair number of errors, let’s use that as an example to set up a log to be saved.

Click on the Drive Warnings custom view, and then click on Refresh in the right pane to make sure you’ve got the latest information. Right-click on Drive Warnings, and from the menu (or from the right pane, which is a duplicate of the right-click menu) choose "Save All Events in Custom View As". The box that pops up will allow you to choose an appropriate file name and a location where you want this log to be saved. As with the "Save Selected Event" command (covered in the previous tutorial), your event will be saved with the ".evtx" suffix, and double-clicking on it will open up Event Viewer.

However, even though you have saved this log, nothing will appear in the Saved Logs menu in the left pane till you specifically put it there. In the right pane, click Open Saved Log. This will take you to the Documents library, by default. If your saved log isn’t there, navigate to the folder where you stored it, locate the ".evtx" file, and double click it or choose Open. You’ll get a box asking you where you want to display the saved log, with Saved Logs as the default (you can change this to another Event Viewer folder if you wish). If you don’t want others looking at this data, un-check All Users in the lower right corner. Then click OK. Your newly saved log will immediately appear under Saved Logs in the left pane.

There is one other choice for saved logs, XML format. Click on the Action menu, and choose Export Custom View. Once again you’ll be shown your Documents library folder, and the file type XML will be selected. Supply a name (and another save location if you wish) and your XML format file will be created.

To see it, use Windows Explorer to open your Documents folder, or wherever you saved the file. Double clicking on the XML file will open the file in Internet Explorer and you’ll be able to see the XML code, but not the actual data in the log.
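
The exported XML file holds the filter that defines the custom view rather than the events themselves, which is why no log data shows up when you open it. As an added example (not part of the original tutorial), the PowerShell script below reads that filter back out of the exported file and runs it with Get-WinEvent; the file name Drive Warnings.xml in the Documents folder is an assumption, so adjust it to match what you saved.

```powershell
# Added example. The file name is an assumption: use the name and folder
# you chose when you exported the custom view.
$docs     = [Environment]::GetFolderPath('MyDocuments')
$viewFile = Join-Path $docs 'Drive Warnings.xml'

# Load the exported view definition as XML.
[xml]$view = Get-Content -LiteralPath $viewFile

# The filter is stored in a <QueryList> element. local-name() is used so
# the lookup works whether or not the file declares an XML namespace.
$queryList = $view.SelectSingleNode("//*[local-name()='QueryList']")
if (-not $queryList) {
    throw "No <QueryList> element found in $viewFile"
}

# Get-WinEvent -FilterXml expects a document whose root is <QueryList>.
[xml]$filter = $queryList.OuterXml

try {
    # Reading the Security log requires an elevated PowerShell session.
    $events = @(Get-WinEvent -FilterXml $filter -ErrorAction Stop)
}
catch {
    # Get-WinEvent raises an error when nothing matches the filter or
    # when access is denied; report it and continue with an empty set.
    Write-Warning "Get-WinEvent returned nothing: $($_.Exception.Message)"
    $events = @()
}

# Summarise by source and event ID to see which warnings repeat most.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

Because the script takes the log name, level and source from the exported file, it returns the same events the custom view shows in Event Viewer.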

And there’s more

The other choices in Event Viewer, like attaching tasks to a log and customizing how Windows handles certain kinds of errors, are not for the everyday user. These are designed for very advanced users or IT professionals and are best left alone by the rest of us. However, if you’d like to read an excellent, detailed explanation of the other commands in the Event Viewer, I highly recommend the book Windows 7 Inside Out, Deluxe Edition, which we reviewed on our website. Even with the book’s instructions in hand, though, you need to be absolutely sure you know what you’re doing before you begin.

A good tool regardless of your skill level

Windows makes so many things so easy that we never need to think about what’s going on in the background. Taking a look at the logs with the Event Viewer can give you an idea of all the housekeeping that you never see, and help you appreciate just how well Windows works. It’s well worth taking a look at what you can do, even if you don’t do anything more than look. Do you think the Event Viewer could be a useful tool for you? Please leave a comment and share your opinions.