Where does Event viewer store its Custom view definitions

I cannot find where Event viewer saves its Custom view definitions so I cannot include them in my routine backups.
- I have looked for files with the name of some of my Custom views but have not found anything.
- I have looked the Registry for the name of some of my Custom views but have not found anything.
- I have searched the Registry for Event viewer settings but they contain nothing that seems to a Custom view definition.
- I have also searched TenForums for relevant info but have found nothing.

My backups depend on my remembering to export Custom view definitions manually when I create or alter a Custom view.
- This situation is not exactly the end of the world but I have made mistakes.

Denis

That's great. Thanks very much.

Denis

I've written a backup procedure that backs up each of the Custom view definition files [the C:\ProgramData\Microsoft\Event Viewer\Views xml files] then renames each one using its Custom view's name.

For example, my WU - System log incl Apps custom view definition file
C:\ProgramData\Microsoft\Event Viewer\Views\View_3.xml
becomes
F:\BackupStuff\EventViewer\Backup & repository\WU - System log incl Apps.xml
- I think this naming scheme makes it possible to understand what is what.
- I will also use my backups to import into Event viewer on my other computers and, thereafter, to make sure all can benefit from any new Custom view set up on one of them.

The backup procedure is a tandem pair, a batch file and a vbs file. BackupCustomViews.zip
- The batch file manages the backup overall. The vbs file extracts the Custom view name for the batch file to use.
- They need to be in the same folder.
- As you'll see, I have left in so many explanatory remarks that there are more of them than there are active lines of code.
- My attitude to where you can stick your scripts is explained in the annex to Make Task scheduler run a batch file minimised and with a specific icon - TenForums
- The only customisation changes required are to the two entries in the batch file's Parameters to set up section. You'll need to check your two chosen folder paths yourself because I did not include any path validation in the scripts.

The batch file is
BackupCustomViews.bat

Code:

:: This RoboCopies EventViewer, Custom views to back them up then renames the files to match their Custom view names
:: - previous backups are first moved into a common archive so that deleted views are not kept within the main backup but can be referred to in the future
:: - using RoboCopy preserves the Custom view's Creation date-time but that is not useful because it does not change if a Custom view definition is altered
:: - Modified dates-times are not of any use because Event viewer changes them to the date-time it was last closed
:: This code might seem to be inefficient but globally archiving then replacing the previous backups is necessary because there is no parameter that marks out a definitions file as having been changed since its previous backup

:: Inter-computer use
:: - I can manually compare backup filenames to spot new ones and deleted ones
:: - dates-times will always suffer from a lag between making a view on one computer and importing it into another so the comparison cannot be automated
:: Method of using Custom views
:: - If I change a Custom view definition, I must always change its name so it is listed as a separate item in my backup
:: - Name changes, even if a definiiton is not altered, will be listed as a separate item in my backup

:: When read by a script, the .xml definition file is a very, very long text string without any line structure
:: - This text string is not suited to batch file processing so I called a vbs script to extract  the ViewName
:: - The portion of interest is often <Name>TestView1</Name>
:: - but can also be in the form <Name LanguageNeutralValue="TestView1X">TestView1</Name>
::   [I think the strange form is caused by having renamed a Custom view]
:: The ingenious method of passing a variable back from the vbs to this batch file was posted by Tom Lavedas in 2008 
:: - this is the earliest statement of this method that I've been able to find so I think Tom invented it

prompt $g
Title Backup Event viewer, Custom views

:::::::::: Parameters to set up ::::::::::
:: BackupFolder, ArchiveFolder are decided by the user
:: Check that the chosen folder paths exist and that they can be written to so that I can avoid having to validate them in this batch file
:: - The code can cope with paths containing spaces
:: - The quotation marks enclosing both the variables name and its value are needed in case the paths contain ampersands.  They can be left in place in all cases
Set "BackupFolder=F:\BackupStuff\EventViewer\Backup & repository"
Set "ArchiveFolder=%BackupFolder%\Archive"

:::::::::: Archiving ::::::::::
:: Move previous backups to the Archive folder, overwriting any filenames that match
Move /Y "%BackupFolder%\*.xml" "%ArchiveFolder%"

:::::::::: Backup ::::::::::
:: RoboCopy all Custom view definitions to the chosen Backup folder
Set SourceFolder=C:\ProgramData\Microsoft\Event Viewer\Views
RoboCopy "%SourceFolder%" "%BackupFolder%" *.xml  /MT:32

:::::::::: Renaming ::::::::::
:: Rename each xml file after the name of the Custom view it defines
:: Call a vbs script to extract the ViewName then rename each xml file
FOR /F "tokens=*" %%X IN (' Dir "%BackupFolder%\*.xml" /b ') Do call :ReNaming "%%X"
GoTo EndEVCVBackup

:ReNaming
for /f "delims=" %%a in ('cscript //nologo ExtractViewName.vbs "%BackupFolder%\%~1" ') do (set ViewName=%%a)
Ren "%BackupFolder%\%~1" "%ViewName%.xml"
GoTo :EOF

:EndEVCVBackup
::Pause at EndEVCVBackup during testing

The VBS file is
ExtractViewName.vbs

Code:

' The batch file passes the Target file path-filename for this script to use

Set fso = CreateObject("Scripting.FileSystemObject")
XMLContents = fso.OpenTextFile(wsh.arguments(0)).ReadAll

'' XMLContents is a very, very long string without any line structure
'' - The portion of interest is often <Name>TestView1X</Name>
'' - but can also be in the form <Name LanguageNeutralValue="TestView1X">TestView1X</Name>

''''' Find </Name> and extract everything to its left
FindEndingPos = InStr(1,XMLContents,"</Name>",1)
Truncated1 = left(XMLContents,FindEndingPos-1)

'''''Find <Name and extract everything to its right
FindNamePos = InStr(1,Truncated1,"<Name",1)
LenPortionReq = len(Truncated1) - FindNamePos
Truncated2 = right(Truncated1,LenPortionReq)

''''' Find > and extract everything to its right - the View name will be all that remains
FindArrowPos = InStr(1,Truncated2,">",1)
LenPortionReq = Len(Truncated2) - FindArrowPos
ViewName = right(Truncated2,LenPortionReq)

''''' Echoing the variable allows the batch file to pick it up
wscript.echo ViewName

Denis

If you are interested in the Tom Lavedas method of returning a string variable back from a vbs script to the batch file that called it then you could run this demonstrator.
- Tom Lavedas method.zip
- Put both scripts in the same folder and run the batch file.

Controller.bat

Code:

prompt $g
for /f "delims=" %%a in ('cscript //nologo Worker.vbs') do (set ScriptOut=%%a)
echo Script result is %ScriptOut%
Pause to check the ScriptOut result

Worker.vbs

Code:

Result = "Blah Blah Blah"
wscript.echo Result

I first found this suggested in a 2008 post by Tom Lavedas in the thread
Return value from VBScript to cmd file - Vistax64

Denis

Anad,


My xml files contain the Description.

Here's a sample

Code:

xml version="1.0"?>
-<ViewerConfig>

-<QueryConfig>

-<QueryParams>

-<Simple>
<Channel>Application</Channel>
<RelativeTimeInfo>0</RelativeTimeInfo>
<Source>Outlook</Source>
<BySource>False</BySource>
</Simple>
</QueryParams>

-<QueryNode>
<Name LanguageNeutralValue="Outlook events">Office - Outlook events</Name>
<Description>now filtered to list Outlook events only</Description>

-<QueryList>

-<Query Path="Application" Id="0">
<Select Path="Application">*[System[Provider[@Name='Outlook']]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>

-<ResultsConfig>

-<Columns>
<Column Path="Event/System/Level" Visible="" Type="System.String" Name="Level">271</Column>
<Column Path="Event/System/Keywords" Type="System.String" Name="Keywords">70</Column>
<Column Path="Event/System/TimeCreated/@SystemTime" Visible="" Type="System.DateTime" Name="Date and Time">321</Column>
<Column Path="Event/System/Provider/@Name" Visible="" Type="System.String" Name="Source">231</Column>
<Column Path="Event/System/EventID" Visible="" Type="System.UInt32" Name="Event ID">231</Column>
<Column Path="Event/System/Task" Visible="" Type="System.String" Name="Task Category">231</Column>
<Column Path="Event/System/Security/@UserID" Type="System.String" Name="User">50</Column>
<Column Path="Event/System/Opcode" Type="System.String" Name="Operational Code">110</Column>
<Column Path="Event/System/Channel" Type="System.String" Name="Log">80</Column>
<Column Path="Event/System/Computer" Type="System.String" Name="Computer">170</Column>
<Column Path="Event/System/Execution/@ProcessID" Type="System.UInt32" Name="Process ID">70</Column>
<Column Path="Event/System/Execution/@ThreadID" Type="System.UInt32" Name="Thread ID">70</Column>
<Column Path="Event/System/Execution/@ProcessorID" Type="System.UInt32" Name="Processor ID">90</Column>
<Column Path="Event/System/Execution/@SessionID" Type="System.UInt32" Name="Session ID">70</Column>
<Column Path="Event/System/Execution/@KernelTime" Type="System.UInt32" Name="Kernel Time">80</Column>
<Column Path="Event/System/Execution/@UserTime" Type="System.UInt32" Name="User Time">70</Column>
<Column Path="Event/System/Execution/@ProcessorTime" Type="System.UInt32" Name="Processor Time">100</Column>
<Column Path="Event/System/Correlation/@ActivityID" Type="System.Guid" Name="Correlation Id">85</Column>
<Column Path="Event/System/Correlation/@RelatedActivityID" Type="System.Guid" Name="Relative Correlation Id">140</Column>
<Column Path="Event/System/Provider/@EventSourceName" Type="System.String" Name="Event Source Name">140</Column>
</Columns>
</ResultsConfig>
</ViewerConfig>

I copied my xml files to my other computers and imported them. The sample is taken from one of those others.
- I have not entered the Description manually, it was in the xml.
- The sample is also shown in Event viewer itself the normal manner on that other computer [in the Custom view's Properties].



I do not know why you have a different experience.

Welcome to TenForums,
Denis

There is a delayed save-to-disk when you update a view. Is is persisted when you exit the Event Viewer, not when you update it. This is only true for updates, not when you create from start. I think this delayed save-to-disk is the problem.

I was watching updates made by another person on the same server and the data was on his screen but I couldn't see it, since he hadn't exit the Event Viewer.

Anders

This post appears to be an illogical response because Anad responded to my

Try3 said:

You are closing Event viewer before reading the xmls?
- That's when it seems to update them

(below) by completely rewriting his previous post from scratch with entirely different content & with an entirely different meaning.

---

Anders,

I do not know why our experiences are different.

Original


Description added in EventVwr


Description changed in EventVwr


You are closing Event viewer before reading the xmls?
- That's when it seems to update them

This is the Custom view definition used in the above examples. I have checked that the Description field is there and that it works properly on my computer.
ChkDsk - Manual and bootup scans.zip

Denis