Events in Windows Event Log

An event in Windows Event Log is an entity that describes some interesting occurrence in a computer system. Events contain a numeric identification code, a set of attributes, and optional user-supplied data. Events are defined in an instrumentation manifest by an event publisher (using the EventManifest Schema). At runtime, an event publisher raises an occurrence of the event and uses an event identifier. The Windows Event Log service then represents the occurrence of the event as XML so that the event data can easily be consumed or read.

The XML representation of event data that is presented to event consumers is structured according to the Event Schema. The elements in the schema contain pieces of event information that can be displayed to identify the event, find the cause of the event, and get the event message. For more information, see Event Representation for Event Consumers. For more information about how event consumers select events from a specific event log, see Event Selection.

Events are defined and created for event publishers in an event manifest (an XML document) by using the EventManifest Schema elements. For more information, see Instrumentation Manifests for Event Providers.

By default, events use the fully qualified domain name (FQDN) of a computer to specify the computer on which the event was published. To change this behavior to use the NetBIOS name rather than the FQDN (which is called setting the compatibility mode for the Event Log service), you must create a DWORD registry value named CompatFlags under the following registry key, and set the value of CompatFlags to 0x2.

  
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT

Event Ordering

Event publishers publish events in a specific channel. Events associated with the same channel are ordered based on the order in which the eventing system processed the events. This ordering may, in some exceptional cases, be different from the order in which the events are raised to an event channel. The system preserves the order of the events that are raised by the same thread to the same channel.

The order is not guaranteed to be preserved for events that are published from different threads. However, as long as the threads are executed by the same processor, the probability of the events being out of order is quite low. The probability that the events are out of order increases when the events are published by threads that are executed by different processors on a multiprocessor system.
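
A consumer that builds a timeline from event XML can check for this ordering caveat directly. The following Python sketch is an added example, not part of the original topic: it flags adjacent records in a channel whose timestamps run backwards and reports whether both came from the same thread. It assumes EventRecordID reflects the order in which the log recorded the events and TimeCreated reflects when each was raised; the provider, channel, host name and all event data are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _sample(record_id, time, thread_id):
    """Build one constructed event (sample data, not real log output)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        '<Provider Name="Example-Provider"/><EventID>1000</EventID>'
        f'<TimeCreated SystemTime="{time}"/><EventRecordID>{record_id}</EventRecordID>'
        f'<Execution ProcessID="4242" ThreadID="{thread_id}"/>'
        '<Channel>Example/Operational</Channel><Computer>host01.example.test</Computer>'
        '</System></Event>')

# Constructed case: thread 200 raised record 503 before thread 100 raised
# record 502, but the log recorded 503 afterwards.
SAMPLE_EVENTS = [
    _sample(501, "2009-05-07T10:00:00.1000000Z", 100),
    _sample(502, "2009-05-07T10:00:00.3000000Z", 100),
    _sample(503, "2009-05-07T10:00:00.2000000Z", 200),
    _sample(504, "2009-05-07T10:00:00.4000000Z", 200),
]

def parse_time(stamp):
    # SystemTime can carry more than 6 fractional digits; %f accepts at most 6.
    whole, _, frac = stamp.rstrip("Z").partition(".")
    return datetime.strptime(f"{whole}.{(frac or '0')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")

def parse_event(xml_text):
    system = ET.fromstring(xml_text).find("e:System", NS)
    return {
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "thread": int(system.find("e:Execution", NS).get("ThreadID")),
        "channel": system.findtext("e:Channel", namespaces=NS),
    }

def find_inversions(xml_events):
    """Return (earlier_record, later_record, same_thread) for adjacent records
    in a channel whose timestamps run backwards relative to record order."""
    by_channel = {}
    for ev in map(parse_event, xml_events):
        by_channel.setdefault(ev["channel"], []).append(ev)
    inversions = []
    for events in by_channel.values():
        events.sort(key=lambda ev: ev["record_id"])
        for prev, cur in zip(events, events[1:]):
            if cur["time"] < prev["time"]:
                inversions.append((prev["record_id"], cur["record_id"],
                                   prev["thread"] == cur["thread"]))
    return inversions
```

An inversion whose same_thread flag is False matches the cross-thread case described above; one flagged True would contradict the same-thread guarantee and is worth examining for clock changes or altered records.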

See Also

Event Representation for Event Consumers

Instrumentation Manifests for Event Providers

Event Selection


Build date: 5/7/2009