!evlog

The !evlog extension displays, changes, or backs up the event log.

!evlog addsource [-d] [-s Source] [-t Type] [-f MsgFile]
!evlog backup [-d] [-l EventLog] [-f BackupFile]
!evlog clear [-!] [-d] [-l EventLog] [-f BackupFile]
!evlog info
!evlog option [-d] [-!] [-n Count] [ -l EventLog [ -+ | -r RecordBound ]] [-o Order] [-w Width]
!evlog read [-d] [-l EventLog] [-s Source] [-e ID] [-c Category] [-t Type] [-n Count] [-r Record]
!evlog report [-s Source] [-e ID] [-c Category] [-t Type] Message
!evlog [Option] -?

Parameters

addsource

Adds an event source to the registry. By default, this only adds events from the DebuggerExtensions source (to support !evlog report).

backup

Makes a backup of the specified event log and writes it to a file.

clear

Erases the specified event log, and optionally creates a file recording its old contents.

info

Displays summary information about the event log.

option

Sets the default search options. These options will be used in future !evlog read commands.

read

Displays a list of events logged to the specified event log. Details of this display -- such as the number of records displayed and the chronological order of the display -- can be controlled by the !evlog read parameters or by a previous use of !evlog option.

report

Writes an event record to the application event log.

-d

Specifies that all default values should be used. The -d option is only required if you are omitting all other parameters. However, with the !evlog option command this option displays the existing default settings.

-!

With !evlog option, this resets all defaults. With !evlog clear, this prevents a backup file from being written.

Source

Specifies the event source. The default value is DebuggerExtensions.

Type

Specifies the success type. Possible Type values are 1 (Error), 2 (Warning), 4 (Information), 8 (Audit_Success), or 16 (Audit_Failure). A value of 0 represents Success. For !evlog read and !evlog report, the default is Success (0). For !evlog addsource, these bits can be combined, and the default is all bits (31).

MsgFile

Specifies the path and file name of the message file. If the path is omitted, the directory of the current Uext.dll is used.

EventLog

For !evlog read, !evlog backup, and !evlog clear, EventLog specifies the event log to read, back up, or clear. The possible values are Application, System, and Security. The default is Application.

For !evlog option, EventLog specifies the event log whose maximum count is to be set. The possible values are All, Application, System, and Security. The default is All.

BackupFile

Specifies the path and file name of the backup file. The default location is the current directory. The default file name is EventLog_backup.evt, where EventLog is the event log used in this command. If this file already exists, the command will be terminated.

Count

Specifies the maximum number of records to retrieve. The default is 20.

-+

Specifies that the current maximum record number should be the highest record number retrieved in future !evlog read commands. (In other words, no records will be shown as long as the search is performed forward.)

RecordBound

Specifies the highest record number to retrieve in future !evlog read commands. If zero is specified, no bound is set -- this is the default.

Record

If -n Count is not included, -r Record specifies the record number to retrieve. If -n Count is included, Record specifies the record number at which the display should begin.

Order

Specifies the search order, either Forwards or Backwards. The default is Forwards. A backward search order causes searches to start from the most recent record logged to the event log, and continue in reverse-chronological order as matching records are found.

Width

Specifies the data display width, in characters. This is the width displayed in the Data section. The default is 8 characters.

ID

Specifies the prefix to display before the event. Possible values are 0 (no prefix), 1000 (Information), 2000 (Success), 3000 (Warning), and 4000 (Error).

The default is 0.

Category

Specifies the event category.

Possible values are 0 (no category), 1 (Devices), 2 (Disk), 3 (Printers), 4 (Services), 5 (Shell), 6 (System_Event), and 7 (Network). The default is 0.

Message

Specifies a text message to add to the event description.

Option

Specifies the !evlog option whose help text is to be displayed.

-?

Displays some brief Help text for this extension or one of its options in the Debugger Command window.

DLL

Windows 2000          Uext.dll
Windows XP and later  Uext.dll

The !evlog extension can only be used during live debugging.

Remarks

After you have added an event source to the registry with !evlog addsource, you can view the values with !dreg. For example:

0:000> !dreg hklm\system\currentcontrolset\services\eventlog\Application\<source>!* 

The !evlog option command is used to set new defaults for the !evlog read command. This lets you avoid retyping all the parameters every time you use !evlog read. Setting a maximum record bound with the -+ parameter or the -r RecordBound parameter allows you to terminate all searches after a known record number is encountered. This can be useful if you are only interested in records logged after a certain event.

Before using !evlog report, you should use !evlog addsource to configure an event source in the registry. After this has been configured, the event viewer will recognize the various event IDs.

Here is an example session showing !evlog info, !evlog option, and !evlog read:

0:000> !evlog info -?
--------------------------------
Application Event Log:
  # Records       : 4362
  Oldest Record # : 1
  Newest Record # : 4362
  Event Log Full  : false
--------------------------------
System Event Log:
  # Records       : 2296
  Oldest Record # : 1
  Newest Record # : 2296
  Event Log Full  : false
--------------------------------
Security Event Log:
  # Records       : 54544
  Oldest Record # : 1
  Newest Record # : 54544
  Event Log Full  : false
--------------------------------

0:000> !evlog option -n 4
Default EvLog Option Settings:
--------------------------------
Max Records Returned: 4
Search Order:         Backwards
Data Display Width:   8
--------------------------------
Bounding Record Numbers:
  Application Event Log: 0
  System Event Log:      0
  Security Event Log:    0
--------------------------------

0:000> !evlog read -l application
-------------- 01 --------------
Record #: 4364

Event Type:      Error (1)
Event Source:    Userenv
Event Category:  None (0)
Event ID:        1000 (0xC00003E8)
Date:            06/06/2002
Time:            18:03:17
Description:     (1 strings)
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (87).

-------------- 02 --------------
Record #: 4363

Event Type:      Warning (2)
Event Source:    SceCli
Event Category:  None (0)
Event ID:        1202 (0x800004B2)
Date:            06/06/2002
Time:            18:03:17
Description:     (1 strings)
0x57 : The parameter is incorrect.
Please look for more details in TroubleShooting section in Security Help.

-------------- 03 --------------
Record #: 4362

Event Type:      Error (1)
Event Source:    Userenv
Event Category:  None (0)
Event ID:        1000 (0xC00003E8)
Date:            06/06/2002
Time:            16:04:08
Description:     (1 strings)
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (87).

-------------- 04 --------------
Record #: 4361

Event Type:      Warning (2)
Event Source:    SceCli
Event Category:  None (0)
Event ID:        1202 (0x800004B2)
Date:            06/06/2002
Time:            16:04:08
Description:     (1 strings)
0x57 : The parameter is incorrect.
Please look for more details in TroubleShooting section in Security Help.
WARNING: Max record count (4) exceeded, increase record count to view more
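As an added example (not part of the original page), here is a Python parser for the !evlog read record layout shown in the transcript above; it uses the same Type bit values documented for -t so that, for instance, only Error and Audit_Failure records are kept from a saved transcript. SAMPLE, TYPE_BITS, parse_evlog_read and select are names assumed here, and SAMPLE is a constructed excerpt in the page's format rather than live debugger output.

```python
import re
# Constructed sample in the record layout !evlog read prints (see the transcript
# above); not captured from a live session.
SAMPLE = """\
-------------- 01 --------------
Record #: 4364

Event Type:      Error (1)
Event Source:    Userenv
Event Category:  None (0)
Event ID:        1000 (0xC00003E8)
Date:            06/06/2002
Time:            18:03:17
Description:     (1 strings)
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (87).

-------------- 02 --------------
Record #: 4363

Event Type:      Warning (2)
Event Source:    SceCli
Event Category:  None (0)
Event ID:        1202 (0x800004B2)
Date:            06/06/2002
Time:            18:03:17
Description:     (1 strings)
0x57 : The parameter is incorrect.
Please look for more details in TroubleShooting section in Security Help.
WARNING: Max record count (4) exceeded, increase record count to view more
"""

# Type bits as documented for the -t Type parameter; addsource ORs them together.
TYPE_BITS = {"Error": 1, "Warning": 2, "Information": 4,
             "Audit_Success": 8, "Audit_Failure": 16}
SEP = re.compile(r"^-+ \d+ -+$", re.M)  # matches "-------------- 01 --------------"

def parse_evlog_read(text):
    """Split !evlog read output into one dict per record."""
    text = text.split("WARNING: Max record count")[0]  # drop the truncation notice
    records = []
    for block in SEP.split(text)[1:]:  # [0] is whatever precedes the first record
        head, _, desc = block.partition("Description:")
        rec = dict(re.findall(r"^([A-Za-z #]+):\s*(.*)$", head, re.M))
        rec["description"] = " ".join(l.strip() for l in desc.splitlines()[1:] if l.strip())
        rec["type_bit"] = int(re.search(r"\((\d+)\)", rec["Event Type"]).group(1))
        rec["event_id"] = int(rec["Event ID"].split()[0])
        records.append(rec)
    return records

def select(records, type_mask=TYPE_BITS["Error"] | TYPE_BITS["Audit_Failure"]):
    return [r for r in records if r["type_bit"] & type_mask]  # same bits as -t
```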

© 2014 Microsoft