Windows 7 event codes. What needs to be configured? What is the described application?

Sometimes something happens that requires us to answer the question "Who did it?". Such incidents are rare but serious, so you should prepare in advance to be able to answer that question.

Almost everywhere, there are design departments, accounting departments, developers and other categories of employees working together on groups of documents stored in a publicly accessible (Shared) folder on a file server or on one of the workstations. It may happen that someone deletes an important document or directory from this folder, as a result of which the work of an entire team may be lost. In this case, the system administrator faces several questions:

    When and what time did the problem occur?

    What is the closest backup to this time to restore the data from?

    Maybe there was a system failure that could happen again?

Windows has an auditing system that lets you track and log when, by whom and with which program documents were deleted. Auditing is not enabled by default: tracking itself consumes a share of system resources, and if everything were recorded the load would become too high. Moreover, not every user action is of interest to us, so audit policies let us enable tracking only of the events that really matter.

The auditing system is built into all operating systems of the Microsoft Windows NT family: Windows XP/Vista/7, Windows Server 2000/2003/2008. Unfortunately, in the Windows Home editions auditing is buried deep and is too awkward to configure.

What needs to be configured?

To enable auditing, log in with administrator rights to the computer that provides access to the shared documents and run Start → Run → gpedit.msc. In the Computer Configuration section, expand the folder Windows Settings → Security Settings → Local Policies → Audit Policy:

Double-click the Audit object access policy and select the Success checkbox. This setting enables monitoring of successful access to files and the registry, and we are only interested in successful attempts to delete files or folders. Enable auditing only on the computers where the monitored objects are actually stored.

Simply enabling the Audit policy is not enough; we must also specify which folders we want to monitor. Typically, such objects are folders of common (shared) documents and folders with production programs or databases (accounting, warehouse, etc.) - that is, resources with which several people work.

It is impossible to guess in advance who exactly will delete a file, so auditing is specified for Everyone: successful attempts by any user to delete monitored objects will be logged. Open the properties of the folder in question (if there are several such folders, each of them in turn) and on Security → Advanced → Auditing add an audit entry for the principal Everyone covering its successful Delete and Delete Subfolders and Files access attempts:


Quite a lot of events can be logged, so you should also adjust the size of the Security log in which they will be recorded. To do this, run Start → Run → eventvwr.msc. In the window that appears, open the properties of the Security log and specify the following parameters:

    Maximum Log Size = 65536 KB (for workstations) or 262144 KB (for servers)

    Overwrite events as needed.

The figures given are not definitive; they are chosen empirically for each specific case.
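The three configuration steps just described (audit policy, folder SACL, Security log size), automated as an added PowerShell example for Windows Vista/7/2008; this is not code from the article. The share path D:\Shared\Documents is an assumption, and the log size defaults to the article's server figure.

```powershell
# Added example (not from the original article): automates the audit policy,
# the folder SACL and the Security log size described in the text.
# Run from an elevated PowerShell prompt on the machine that stores the share.
# $SharePath and the size values are assumptions taken from the article's figures.

function Enable-DeleteAuditing {
    param(
        [Parameter(Mandatory = $true)][string] $SharePath,
        [int] $MaxLogSizeKB = 262144   # article's server figure; 65536 for workstations
    )

    # 1. Local audit policy: "Audit object access" -> Success only.
    #    auditpol is the command-line equivalent of the gpedit.msc setting.
    & auditpol.exe /set /category:"Object Access" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

    # 2. SACL on the shared folder: audit successful Delete and
    #    "Delete subfolders and files" by Everyone, inherited by all children.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    $acl = Get-Acl -Path $SharePath -Audit      # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $SharePath -AclObject $acl

    # 3. Security log size and "overwrite events as needed" (/rt:false = no retention).
    $bytes = $MaxLogSizeKB * 1024
    & wevtutil.exe sl Security /ms:$bytes /rt:false
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

    # Return the resulting audit entries so the caller can verify what was set.
    (Get-Acl -Path $SharePath -Audit).Audit |
        Where-Object { $_.IdentityReference -eq 'Everyone' } |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

Enable-DeleteAuditing -SharePath 'D:\Shared\Documents'
```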

So, who deleted the documents (Windows 2003/XP)?

Click Start → Run → eventvwr.msc and open the Security log. Select View → Filter and filter by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 560;


Browse the list of filtered events, paying attention to the following fields within each entry:

  • ObjectName. The name of the folder or file you are looking for;
  • ImageFileName. The name of the program that deleted the file;
  • Accesses. The set of rights requested.

A program can request several types of access from the system at once, for example Delete + Synchronize or Delete + READ_CONTROL. The right that matters to us is Delete.


So, who deleted the documents (Windows 2008/Vista)?

Click Start → Run → eventvwr.msc and open the Security log. The log may be full of events unrelated to the problem, so right-click the Security log, select View → Filter and filter by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 4663;

Do not rush to interpret every deletion as malicious. Deletion is often part of normal program operation: for example, when executing the Save command, Microsoft Office programs first create a new temporary file, save the document into it, and then delete the previous version of the file. Likewise, many database applications create a temporary lock file (.lck) when launched and delete it when the program exits.
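The 4663 filter above turned into a query, as an added PowerShell example (not from the article): it keeps only events whose access mask includes Delete and separates the .lck and Office temporary-file deletions the paragraph describes as normal. The share path, the 24-hour window and the benign-file patterns are assumptions.

```powershell
# Added example (not from the original article): finds who deleted what in the
# Security log on Windows Vista/7/2008 using the Event ID 4663 filter above.
# Requires an elevated prompt (reading the Security log needs administrator rights).

$DELETE            = 0x10000   # DELETE access right in the 4663 AccessMask
$FILE_DELETE_CHILD = 0x40      # "Delete subfolders and files"

# Patterns that, as the article notes, are usually normal program behaviour:
# database lock files and Office temporary files. Assumed list; adjust as needed.
$BenignPatterns = @('\.lck$', '\\~\$[^\\]+$', '\.tmp$')

function Get-DeletionEvents {
    param(
        [datetime] $Since = (Get-Date).AddDays(-1),
        [string]   $PathFilter = '*',          # e.g. 'D:\Shared\*' to narrow to one share
        [switch]   $IncludeBenign
    )

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4663 is easiest to read from its XML: each <Data Name="..."> element
        # (SubjectUserName, ObjectName, ProcessName, AccessMask, ...) becomes a key of $d.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.InnerText }

        $mask = [Convert]::ToInt32($d['AccessMask'], 16)      # AccessMask is hex text, e.g. 0x10000
        if (($mask -band ($DELETE -bor $FILE_DELETE_CHILD)) -eq 0) { return }   # not a delete
        if ($d['ObjectName'] -notlike $PathFilter) { return }

        $benign = $false
        foreach ($p in $BenignPatterns) { if ($d['ObjectName'] -match $p) { $benign = $true } }
        if ($benign -and -not $IncludeBenign) { return }

        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            Access  = ('0x{0:X}' -f $mask)
            Benign  = $benign
        }
    }
}

# Who deleted anything under the share in the last 24 hours, oldest first:
Get-DeletionEvents -PathFilter 'D:\Shared\*' |
    Sort-Object Time |
    Format-Table Time, User, Object, Process, Access -AutoSize

# A burst of many deletions by one user (the pattern the article describes)
# stands out when the same events are grouped by account:
Get-DeletionEvents -PathFilter 'D:\Shared\*' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name
```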

I have had to deal with malicious user actions in practice. For example, a disgruntled employee of a certain company, on leaving his job, decided to destroy all the results of his work by deleting the files and folders he had been involved with. Events of this kind are clearly visible: they generate tens or hundreds of entries per second in the Security log. Of course, restoring the documents from Shadow Copies or from the daily automatic backup is not difficult, but in addition I could answer the questions "Who did this?" and "When did this happen?"

In the Windows family of operating systems, all major events that occur in the system are recorded in a log: errors, warnings and various notifications. Based on these records, an experienced user can correct the system's operation and eliminate errors. Let's learn how to open the event log in Windows 7.

The event log is stored in a system tool called "Event Viewer". Let's see how you can get there using different methods.

Method 1: "Control Panel"

One of the most common ways to launch the tool described in this article, although far from the easiest or most convenient, is through the "Control Panel".


Method 2: Run Tool

It is much easier to launch the tool in question using the "Run" dialog.


The main disadvantage of this fast and convenient method is that you have to remember the command that opens the window.

Method 3: Start Menu Search Box

A very similar way of launching the tool is through the search box of the "Start" menu.


Method 4: "Command Line"

Launching the tool from the "Command Line" is rather inconvenient, but the method exists and is therefore also worth mentioning. First we need to open the "Command Line" window.


Method 5: Directly start the eventvwr.exe file

You can also use the "exotic" option of starting the file directly from "Explorer". This method can be useful in practice, for example if the failures are so extensive that the other ways of launching the tool are simply unavailable. This happens extremely rarely, but it is quite possible.

First of all, you need to go to the location of the eventvwr.exe file. It is located in the system directory at this path:

C:\Windows\System32


Method 6: Entering the file path in the address bar

Using "Explorer" we can launch the window we are interested in faster. In this case you don't even have to look for eventvwr.exe in the "System32" directory: just enter the path to this file in the "Explorer" address bar.


Method 7: Create a shortcut

If you don't want to remember commands, consider navigating through "Control Panel" sections too inconvenient, and at the same time use the log often, you can create a shortcut on the "Desktop" or in another place convenient for you. After that, launching "Event Viewer" will be as simple as possible and you won't need to remember anything.


Problems opening the log

Sometimes problems arise when opening the log by the methods described above. Most often this is because the service responsible for this tool is disabled: when you try to run "Event Viewer", a message appears that the Event Log service is unavailable. Then you need to enable it.

  1. First of all, you need to open "Service Manager". This can be done from the "Control Panel" section called "Administrative Tools"; how to get there was described in detail in Method 1. Once in this section, find the "Services" item and click it.

    You can also get to "Service Manager" using the "Run" tool. Open it by pressing Win+R and enter the following in the input field:

    Click "OK".

  2. Whether you went through "Control Panel" or entered the command in the "Run" field, "Service Manager" opens. Find the "Windows Event Log" entry in the list. To make the search easier, you can sort the list alphabetically by clicking the "Name" column header. Once you find the row, look at the value in the "Status" column: if the service is running, it says "Started"; if it is empty, the service is stopped. Also look at the "Startup type" column: normally it says "Automatic". If it says "Disabled", the service is not started when the system boots.
  3. To fix this, open the service properties by double-clicking its name with the left mouse button.
  4. The properties window opens. Click the "Startup type" field.
  5. Select "Automatic" from the drop-down list.
  6. Click "Apply" and then "OK".
  7. Back in "Service Manager", select "Windows Event Log" and click "Start" in the left pane.
  8. The service starts. The "Status" column now shows "Started" and the "Startup type" column shows "Automatic". The log can now be opened in any of the ways described above.

There are quite a few ways to open the event log in Windows 7. The most convenient and popular are going through the "Control Panel", using the "Run" tool, or using the "Start" menu search box. For quick access you can create a shortcut on the "Desktop". Sometimes the "Event Viewer" window fails to start; then you need to check whether the corresponding service is enabled.

As you know, most "normal" applications record their events in the Windows Application event log. This is an excellent place for centralized storage and viewing of application events. However, when we need to log events from a specific application there, the sheer number and verbosity of events can make working with the standard Application log very inconvenient. In that case it is convenient to create a separate event log for the application and configure its own parameters (log size, filters, and so on), while the standard Application log is used as usual without being cluttered with unnecessary information. Windows operating systems have a feature that allows you to create your own event log.

First, let's create a new log. This is done through the registry. Launch the registry editor (regedit) and go to the key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog

Right click on the Eventlog node and create a new key (New > Key)

The key name will also be the name of the new log. By default, the new log (.evt file) is created here:

C:\WINDOWS\System32\Config\New Key #1.evt

You can rename it by changing the corresponding string value in the registry.

Next, you need to add event sources for the new log. Create a new Multi-String value named "Sources" and list in it the names of all applications that will use this log, each application on its own line.

Next, you need to transfer your application associations from the standard Application log to your new log. Expand the “Application” branch located at:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application

and copy all the subkeys that relate to the applications you are interested in into the registry key of the new log:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\CustomLog

Because the registry editor has no copy/paste for keys, they can be re-created manually (if there are few of them), or transferred by exporting and importing registry branches with manual editing of the .reg file. After the transfer, make sure you delete your applications' keys from the Application branch, otherwise Windows will not know that events should be written to the new log. If you are using a new event source for the log, you will also need to create a DWORD value named CustomSource with a value of 1:

In my example, I created my own .NET 2.0 application and want it to write events to the log we created. To do this, I create a new string value, EventMessageFile, and set it to the path of the .NET 2.0 event message library:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll

Then restart Windows; after the system boots you will see the new event log in Event Viewer. If for some reason your application does not write events to the new log, you can test it manually by opening a command prompt and changing to the directory:

CD C:\WINDOWS\system32

Then type:

Eventcreate /l CustomLog /t Information /so Application1 /id 1 /d "Test message"

If you did everything correctly, a message should appear confirming that the event was successfully recorded in the log; otherwise you will get an error message with the reason.

A small update to the article based on letters from readers:

The above instructions for creating your own log are aimed at Microsoft's server operating systems. A more general method that should work on most Windows versions is the following (the registry paths and values differ):

Create a new key in the registry (the name of the key is the name of the log being created) at the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\NewEventLog

and create the following values in it:

  • “AutoBackupLogFiles” – DWORD, whether to create log backups (0 – do not create);
  • “MaxSize” – DWORD, maximum log size in bytes; the value must be a multiple of 64 KB;
  • “Retention” – DWORD, how long records are kept when the log overflows;
  • “File” – REG_EXPAND_SZ, the path to the log file on disk, for example %SystemRoot%\System32\config\NewEventLog.evt;
  • “Sources” – REG_MULTI_SZ, the list of event sources whose events should go into this log, one source per line.
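The registry method above, automated as an added PowerShell example for Windows 7 (this is not code from the article): it writes the listed values, adds a message-file subkey per source as the EventMessageFile step describes, and checks the result the same way the eventcreate command does. The log name, source name and sizes are assumptions, and the File value uses Windows 7's .evtx location rather than the .evt path given for older systems.

```powershell
# Added example (not from the original article): creates a custom event log by
# writing the registry values listed above, then verifies it after a reboot.
# Run elevated. Log/source names and sizes are assumptions.

function New-CustomEventLog {
    param(
        [Parameter(Mandatory = $true)][string]   $LogName,
        [Parameter(Mandatory = $true)][string[]] $Sources,
        [int] $MaxSizeKB = 1024,     # must be a multiple of 64 KB
        [string] $MessageFile = '%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll'
    )
    if ($MaxSizeKB % 64 -ne 0) { throw "MaxSizeKB must be a multiple of 64" }

    $logKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
    if (Test-Path $logKey) { throw "Log '$LogName' already exists" }

    New-Item -Path $logKey -Force | Out-Null
    New-ItemProperty -Path $logKey -Name AutoBackupLogFiles -PropertyType DWord -Value 0 | Out-Null
    New-ItemProperty -Path $logKey -Name MaxSize   -PropertyType DWord -Value ($MaxSizeKB * 1024) | Out-Null
    New-ItemProperty -Path $logKey -Name Retention -PropertyType DWord -Value 0 | Out-Null   # 0 = overwrite as needed
    # Windows 7 keeps logs as .evtx under winevt\Logs (assumed location for this version).
    New-ItemProperty -Path $logKey -Name File -PropertyType ExpandString `
        -Value "%SystemRoot%\System32\winevt\Logs\$LogName.evtx" | Out-Null
    New-ItemProperty -Path $logKey -Name Sources -PropertyType MultiString -Value $Sources | Out-Null

    # One subkey per source pointing at a message file, so Event Viewer can render
    # the text instead of reporting that the event description was not found.
    foreach ($src in $Sources) {
        $srcKey = Join-Path $logKey $src
        New-Item -Path $srcKey -Force | Out-Null
        New-ItemProperty -Path $srcKey -Name EventMessageFile -PropertyType ExpandString -Value $MessageFile | Out-Null
        New-ItemProperty -Path $srcKey -Name TypesSupported   -PropertyType DWord -Value 7 | Out-Null  # Error|Warning|Information
    }
    Get-ItemProperty -Path $logKey     # show the values that were written
}

# Run after the reboot the article calls for: writes a test event (the equivalent
# of the eventcreate command above) and reads it back from the new log.
function Test-CustomEventLog {
    param([string] $LogName, [string] $Source)
    Write-EventLog -LogName $LogName -Source $Source -EventId 1 -EntryType Information -Message 'Test message'
    Get-EventLog -LogName $LogName -Newest 1 | Select-Object TimeGenerated, Source, EventID, Message
}

New-CustomEventLog -LogName 'CustomLog' -Sources 'Application1'
# ... reboot, then:
# Test-CustomEventLog -LogName 'CustomLog' -Source 'Application1'
```

On Windows 7 the built-in New-EventLog cmdlet creates an equivalent set of registry keys in one step; the function here follows the article's manual layout so each value can be checked in regedit.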

Windows 7 has a function for tracking important events that occur in the operation of the system and its programs. In Microsoft's terminology, an "event" is any incident in the system that is recorded in a special log and reported to users or administrators: a utility that will not run, an application crash, or a device that was not installed correctly. All such incidents are recorded and saved by the Windows 7 event log. It presents them in chronological order, helps control the system, supports the security of the operating system, and assists in correcting errors and diagnosing the system as a whole.

You should periodically review this log for new information and configure the system to save important data.

Windows 7 programs

Event Viewer is the main Microsoft utility designed for monitoring and viewing the event log. It is an essential tool for monitoring system performance and eliminating errors. The Windows service that manages the recording of incidents is called Event Log; once started, it collects and logs all important data in its archive. The Windows 7 Event Log allows you to do the following:

Viewing data recorded in the archive;

Using various event filters and saving them for further use in system settings;

Creating and managing subscriptions for specific incidents;

Assigning specific actions to be performed when certain events occur.

How to open Windows 7 event log?

The program responsible for recording incidents is launched as follows:

1. Open the menu by pressing the "Start" button in the lower left corner of the screen, then open the "Control Panel". In the list of items, select "Administrative Tools" and in this submenu click "Event Viewer".

2. There is another way to view the Windows 7 event log. Go to the Start menu, type mmc in the search box and run it. The MMC console opens; select the menu item for adding and removing snap-ins, and add "Event Viewer" to the console.

What is the application described?

Windows 7 and Vista have two types of event logs: the Windows system logs and the application and service logs. The first records system-wide incidents related to the operation of various applications, startup and security. The second records the events of individual applications and services. To manage all this data, Event Viewer presents a tree divided into the following items:

Application – events associated with a specific program are stored here. For example, mail clients store here the history of sending messages, various mailbox events, and so on.

The “Security” item stores all data related to logging in and out of the system, using administrative capabilities and accessing resources.

Setup – this log records events that occur during the installation and configuration of the system and its applications.

System - records all operating system events, such as failures when launching service applications or when installing and updating device drivers, various messages regarding the operation of the entire system.

Forwarded events – if this item is configured, then it stores information that comes from other servers.

Other sub-items of the main menu

Also in the "Administrative Tools" menu, where the Windows 7 event log is located, there are the following additional items:

Internet Explorer – events that occur during the operation and configuration of the browser of the same name are recorded here.

Windows PowerShell – incidents related to the use of PowerShell are recorded in this folder.

Hardware Events – if this item is configured, the data generated by devices is logged here.

The entire event-recording structure of Windows 7, like that of Vista, is based on XML. But to use the event log in Windows 7 you don't need to know this format: Event Viewer does everything itself, presenting a convenient table and menus.

Incident characteristics

A user who wants to know how to view the Windows 7 event log must also understand the characteristics of the data being viewed. Each incident described in "Event Viewer" has a number of properties, which we consider below:

Source – the program that recorded the event in the log. The names of the applications or drivers involved in a particular incident are recorded here.

Event ID – a number that identifies the type of incident. Together with the event source name, it is used by technical support to correct errors and resolve software failures.

Level – the degree of importance of the event. The system event log has six levels of incidents:

1. Information.

2. Warning.

3. Error.

4. Critical.

5. Audit Success.

6. Audit Failure.

User – the account on whose behalf the incident occurred. This can be the name of a service as well as a real user.

Date and time – records the timing of the occurrence of the event.

There are many other events that occur while the operating system is running. All incidents are displayed in the “Event Viewer” with a description of all related information data.

How to work with the event log?

A very important point in protecting the system from crashes and freezes is to periodically review the “Application” log, which records information about incidents, recent actions with a particular program, and also provides a selection of available operations.

By going to the Windows 7 event log, in the “Application” submenu you can see a list of all programs that caused various negative events in the system, the time and date of their occurrence, the source, and the degree of problem.

Having learned how to open and use the Windows 7 event log, you should next learn how to use Task Scheduler together with it. Right-click any event and, in the menu that opens, select the item for attaching a task to the event. The next time such an event occurs, the operating system will automatically launch the configured task to handle and correct the error.

An error in the log is not a reason to panic

If, while looking at the Windows 7 system event log, you see system errors or warnings appearing periodically, then you should not worry or panic about this. Even with a perfectly functioning computer, various errors and failures may be recorded, most of which do not pose a serious threat to the performance of the PC.

The application we are describing was created to make it easier for the system administrator to control computers and troubleshoot emerging problems.

Conclusion

Based on all of the above, it becomes clear that the event log is a way that allows programs and the system to record and save all events on the computer in one place. This log stores all operational errors, messages and warnings from system applications.

Where is the event log in Windows 7, how to open it, how to use it, how to correct errors that appear - we learned all this from this article. But many will ask: “Why do we need this, we are not system administrators, not programmers, but ordinary users who don’t seem to need this knowledge?” But this approach is wrong. After all, when a person gets sick with something, before going to the doctor, he tries to cure himself in one way or another. And many often succeed. Likewise, a computer, which is a digital organism, can “get sick”, and this article shows one of the ways to diagnose the cause of such a “disease”; based on the results of such an “examination”, you can make the right decision on methods of subsequent “treatment”.

So information about the method of viewing events will be useful not only to the system specialist, but also to the ordinary user.