Event Representation for Event Consumers

Events in Windows Event Log contain information that identifies an interesting occurrence in the system. Windows Event Log uses XML as a means of representing this information. The event XML is used by event consumers, such as the Event Viewer (EventVwr.exe), to gather information about the event. You can view an event's XML in the Event Viewer to see how events are represented in XML.

Events in an event log are XML fragments that can be validated against the Event Schema. The XML fragment is divided into seven elements: <System>, <EventData>, <UserData>, <DebugData>, <BinaryEventData>, <ProcessingErrorData>, and <RenderingInfo>. All the elements are optional except for the <System> element. For more information, see EventType Complex Type.

The following five elements are mutually exclusive: an event can contain only one of them.

  • <EventData>

    Used as a generic event template when events do not have a custom template defined in an instrumentation manifest.

  • <UserData>

    Used when a custom event template is provided for the event by the event publisher's instrumentation manifest.

  • <DebugData>

    Used for software tracing events.

  • <BinaryEventData>

    Used for an event with binary data.

  • <ProcessingErrorData>

    Used for an instrumentation event that occurs when there is an error processing event data.

The following XML example shows how an event that contains a custom event template (the UserData element) is structured.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TaskScheduler" 
        Guid="{de7b24ea-73c8-4a09-985d-5bdadcfa9017}" />
    <EventID>310</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>310</Task>
    <Opcode>0</Opcode>
    <Keywords>8000000000000000</Keywords>
    <TimeCreated SystemTime="2006-02-28T21:51:44.754Z" />
    <EventRecordID>7664</EventRecordID>
    <Correlation />
    <Execution ProcessID="1068" ThreadID="1496" />
    <Channel>Microsoft-Windows-TaskScheduler</Channel>
    <Computer>MyComputerName</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <TaskEngineProcessStarted 
        xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" 
        xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <TaskEngineName>S-1-5-19:NT AUTHORITY\Local Service:Interactive:LUA</TaskEngineName>
      <Command>taskeng.exe</Command>
      <ProcessID>6120</ProcessID>
      <ThreadID>5920</ThreadID>
    </TaskEngineProcessStarted>
  </UserData>
</Event>

The event contains a <System> element and a <UserData> element. The <System> element defines information about the event, such as the event's level, the name of the event publisher that published the event, the time the event was published, the channel the event was published in, and the event identifier. The <UserData> element contains the reason the event was published. This information is defined through a custom event template (custom XML elements) defined by the event publisher. This particular event contains a <TaskEngineProcessStarted> element, which gives an event consumer information about the event. This event occurred because the Task Scheduler service raised an informational event when the taskeng.exe process was started. This is conveyed through the child elements of the <UserData> element.

For more information and descriptions for attributes and child elements in the <System> element, see SystemPropertiesType Complex Type.

The following XML example shows how an event that contains a generic event template is structured. This event contains a <System> element and an <EventData> element. The <EventData> element contains the event message and other data associated with the event.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider 
        Name="Service Control Manager" 
        Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" 
        EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>80000000000000</Keywords>
    <TimeCreated SystemTime="2006-02-28T20:18:14.000Z" />
    <EventRecordID>7671</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MyComputerName</Computer>
    <Security />
  </System>
  <EventData>
    <Data name="param1">WinHTTP Web Proxy Auto-Discovery Service</Data>
    <Data name="param2">running</Data>
  </EventData>
</Event>
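
The structure described above, seen from the consumer side, as an added example that is not part of the original page or Microsoft's code: it checks that <System> is present, enforces the one-payload rule, and flattens <EventData> or a <UserData> template into name/value pairs. The names parse_event and local are hypothetical, the sample event is constructed, and refusing a DOCTYPE and accepting both Name and name on <Data> are assumptions made here.

```python
import xml.etree.ElementTree as ET

# The five mutually exclusive payload elements listed on this page.
PAYLOADS = {"EventData", "UserData", "DebugData", "BinaryEventData", "ProcessingErrorData"}

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def parse_event(xml_text):
    """Return the <System> fields and the single payload of one event fragment."""
    if "<!DOCTYPE" in xml_text:  # defensive choice (assumption): refuse DTDs in untrusted input
        raise ValueError("DTD not allowed in event XML")
    root = ET.fromstring(xml_text)
    if local(root.tag) != "Event":
        raise ValueError("root element is not <Event>")
    # Matching on local names keeps the check independent of the namespace URI string.
    system = [c for c in root if local(c.tag) == "System"]
    payloads = [c for c in root if local(c.tag) in PAYLOADS]
    if len(system) != 1:
        raise ValueError("<System> is mandatory and must appear once")
    if len(payloads) > 1:
        raise ValueError("more than one payload element: " + ", ".join(local(p.tag) for p in payloads))
    fields = {}
    for el in system[0]:  # element text -> "EventID", attributes -> "Provider.Name"
        name = local(el.tag)
        if el.text and el.text.strip():
            fields[name] = el.text.strip()
        for attr, value in el.attrib.items():
            fields[f"{name}.{attr}"] = value
    result = {"system": fields, "payload": None, "template": None, "data": {}}
    if payloads:
        body = payloads[0]
        result["payload"] = local(body.tag)
        if result["payload"] == "UserData" and len(body):
            body = body[0]  # the publisher's custom template element
            result["template"] = local(body.tag)
        for i, el in enumerate(body, start=1):
            # <Data> is keyed by its name attribute (either casing); other elements by tag name.
            key = el.get("Name") or el.get("name") or (f"param{i}" if local(el.tag) == "Data" else local(el.tag))
            result["data"][key] = (el.text or "").strip()
    return result

# Constructed sample, shaped like the generic-template event on this page.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
  <Provider Name="Service Control Manager" /><EventID Qualifiers="16384">7036</EventID>
  <Channel>System</Channel></System>
  <EventData><Data name="param1">Example Service</Data><Data name="param2">running</Data></EventData>
</Event>"""

if __name__ == "__main__":
    print(parse_event(SAMPLE))
```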

See Also

Events in Windows Event Log

Event Selection

System Event Properties

SystemPropertiesType Complex Type

Build date: 5/7/2009