Question
Monday, July 11, 2016 9:15 AM | 1 vote
Hello team,
I would like to know what I can find in the files placed in C:\Windows\System32\winevt\Logs .
The list is below.
I know that :
Application.evtx contains application events.
System.evtx contains system events.
/../ But what about:
- Microsoft-Windows-Dhcp-Client%4Admin.evtx ?? Or any other from the list?
Is there any knowledgebase?
I am interested in the Windows 7, 8, 8.1 and 10 (the most) versions.
Directory of C:\Windows\System32\winevt\Logs
19.05.2016 12:52 <DIR> .
19.05.2016 12:52 <DIR> ..
07.07.2016 13:57 1 048 576 AirSpaceChannel.etl
07.07.2016 11:09 13 701 120 Application.evtx
19.05.2016 12:26 4 096 DebugChannel.etl
11.04.2016 16:19 69 632 HardwareEvents.evtx
11.04.2016 16:19 69 632 Internet Explorer.evtx
07.07.2016 11:39 69 632 isaAgentLog.evtx
11.04.2016 16:19 69 632 Key Management Service.evtx
07.07.2016 19:52 1 052 672 Microsoft-Client-Licensing-Platform%4Admin.evtx
07.07.2016 11:07 4 096 Microsoft-RMS-MSIPC%4Debug.etl
07.07.2016 11:09 1 052 672 Microsoft-Windows-AAD%4Operational.evtx
12.04.2016 10:06 69 632 Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
17.05.2016 11:57 69 632 Microsoft-Windows-AllJoyn%4Operational.evtx
17.05.2016 11:57 69 632 Microsoft-Windows-AppHost%4Admin.evtx
/.../
07.07.2016 11:09 9 506 816 Security.evtx
26.06.2016 11:18 69 632 Setup.evtx
17.05.2016 11:57 69 632 SMSApi.evtx
10.07.2016 23:56 6 361 088 System.evtx
04.07.2016 12:12 2 166 784 Windows PowerShell.evtx
291 File(s) 162 209 792 bytes
2 Dir(s) 213 417 062 400 bytes free
All replies (7)
Thursday, July 14, 2016 7:11 AM ✅Answered
Hi,
Windows Logs
The Windows Logs category includes the logs that were available on previous versions of Windows: the Application, Security, and System logs. It also includes two new logs: the Setup log and the ForwardedEvents log. Windows logs are intended to store events from legacy applications and events that apply to the entire system.
Application log
The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. Program developers decide which events to log.
Security log
The Security log contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. Administrators can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
Setup log
The Setup log contains events related to application setup.
System log
The System log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by Windows.
ForwardedEvents log
The ForwardedEvents log is used to store events collected from remote computers. To collect events from remote computers, you must create an event subscription. To learn about event subscriptions, see Event Subscriptions.
Applications and Services Logs
Applications and Services logs are a new category of event logs. These logs store events from a single application or component rather than events that might have system wide impact.
These logs are named by the Windows components or services (services.msc) that write them.
These logs in Event Viewer correspond to the .evtx files under the system folder you mentioned.
Please mark the reply as an answer if you find it is helpful.
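The answer above says each Event Viewer channel corresponds to an .evtx file under the system folder, and the original poster asks where the meaning of each file is defined. The following PowerShell script is an added example, not code from the thread or from Microsoft: it maps file names to channel names (the "%4" in a file name is the URL-escaped "/" of the channel name, so Microsoft-Windows-Dhcp-Client%4Admin.evtx is the channel Microsoft-Windows-Dhcp-Client/Admin), inventories the registered channels and their writing providers with Get-WinEvent -ListLog, and reads the event ID descriptions straight from the provider manifest via the System.Diagnostics.Eventing.Reader.ProviderMetadata class, which is the closest thing to a per-log knowledge base the OS ships. The last function pulls the kinds of events the poster listed (logon/session changes, network connect/disconnect, device arrival, driver errors) from the channels that carry them. The function names are mine; the event IDs are well-known ones, but the Kernel-PnP IDs in particular should be confirmed against the provider manifest on your build before you depend on them, and reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the original thread). Maps .evtx files under
# C:\Windows\System32\winevt\Logs to Event Viewer channels, lists the providers
# that write to each channel, pulls event ID descriptions from the provider
# manifests registered on the machine, and queries a few channels for the
# activity the poster asked about. Run elevated to read the Security log.

# The file name encodes the channel name: "%4" is the URL-escaped "/" and the
# ".evtx" extension is dropped.
function ConvertTo-ChannelName {
    param([Parameter(Mandatory)][string]$FileName)
    [IO.Path]::GetFileNameWithoutExtension($FileName) -replace '%4', '/'
}

# Inventory every registered channel: its backing file, record count (a fresh
# 64 KiB file with no events reports RecordCount 0) and the providers writing to it.
function Get-ChannelInventory {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Select-Object LogName, LogFilePath, RecordCount, IsEnabled,
            @{ n = 'Providers'; e = { $_.ProviderNames -join ', ' } }
}

# Every ETW provider registers its event IDs and message templates in a
# manifest; ProviderMetadata exposes them, including the channel each ID targets.
function Get-ProviderEventDefinitions {
    param([Parameter(Mandatory)][string]$ProviderName)
    $meta = New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata $ProviderName
    foreach ($ev in $meta.Events) {
        [pscustomobject]@{
            Provider    = $ProviderName
            Id          = $ev.Id
            Channel     = if ($ev.LogLink) { $ev.LogLink.LogName } else { '' }
            Level       = if ($ev.Level)   { $ev.Level.DisplayName } else { '' }
            Description = ($ev.Description -replace '\s+', ' ').Trim()
        }
    }
}

# Collects the event kinds the poster listed from the channels that carry them.
# Event IDs are well-known values (assumption: confirm the Kernel-PnP IDs with
# Get-ProviderEventDefinitions on your build before relying on them).
function Get-EndpointActivity {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $queries = @(
        # Logon/logoff, user-initiated logoff, session reconnect/disconnect
        # (fast user switching, RDP), workstation lock/unlock
        @{ LogName = 'Security'; Id = 4624, 4634, 4647, 4778, 4779, 4800, 4801; StartTime = $Since }
        # Network profile connected / disconnected (wired and wireless)
        @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000, 10001; StartTime = $Since }
        # Plug and Play device configured / started (USB storage shows up here)
        @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400, 410; StartTime = $Since }
        # Driver, disk and hardware errors land in System: Critical, Error, Warning
        @{ LogName = 'System'; Level = 1, 2, 3; StartTime = $Since }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, ProviderName, Id, Message
    }
}

# Usage: resolve the file the poster asked about, see who writes to that
# channel, dump the IDs that provider can emit there, then collect activity.
$channel = ConvertTo-ChannelName 'Microsoft-Windows-Dhcp-Client%4Admin.evtx'
Get-ChannelInventory | Where-Object LogName -eq $channel | Format-List
Get-ProviderEventDefinitions -ProviderName 'Microsoft-Windows-Dhcp-Client' |
    Where-Object Channel -eq $channel | Format-Table Id, Level, Description -Wrap
Get-EndpointActivity -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Get-WinEvent -Path also opens an .evtx file copied off another machine, so the same queries work on collected logs; only the provider manifest lookup needs the provider to be registered on the machine running the script, so run Get-ProviderEventDefinitions on a box with the same Windows version as the source.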
Monday, July 11, 2016 9:25 AM | 1 vote
The title pretty much tells you what the log is for. In DHCP-client administration it lists the requests, and services relating to DHCP on particular interfaces. Logs that are ~68K are empty.
Can you be more specific?
Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)
Monday, July 11, 2016 9:58 AM | 1 vote
I would like to programmatically collect important information from event logs for my customer.
I need to choose which events (and from where) I should read.
For example, I would like to read:
LAN connect/disconnect information
Drivers / Devices / HDD / CPU / RAM errors
User login/switching sessions
Events of connection/disconnection of external devices (e.g. storage)
If I knew the full description of each evtx file I could offer him a richer set of information.
Best regards,
PP
Monday, July 11, 2016 10:21 AM
You can use filter & sort to find the information you want. You might want to take a look at event viewer explorer.
Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)
Monday, July 11, 2016 10:35 AM | 1 vote
Yeah, but I need to know which event log should be filtered/sorted to get a result from this functionality. :)
E.g., in the Application.evtx log I will NOT FIND wireless connection/disconnection reported states.
I have to know which file has the specified description (it is key), then I can do searching / sorting / filtering... whatever...
Monday, July 11, 2016 11:18 AM | 2 votes
You are going to have to figure this out on your own. I honestly have no idea EXACTLY what you are trying to do.
Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)
Monday, July 11, 2016 12:14 PM | 1 vote
My question is very simple - where can I find definitions of the meaning of each evtx file?
I thought that Microsoft has placed that info (wherever) in techwiki.