Searching Event Viewer for a Specific Program Server 2016

Question

Hello,

I have a customer who is running Windows Server 2016 on their server. There's a program running on this server that, according to the manufacturer, is frequently closed by a specific user and needs to be manually restarted. Now, I would like to know when this program is being closed and by whom. How can I filter this information in the Event Viewer? Or should I seek assistance elsewhere?

Answer 1

Hello

You can use the Event Viewer in Windows Server 2016 to filter events related to a specific program. Here’s how you can do it:

Open Event Viewer: You can access it by entering ‘Event’ in Windows Start.

Access Log Filters: Right-click a group and choose the “Filter Current Log” option.

Filter by Event Levels and Keywords: When troubleshooting, you might be interested in Critical, Error, and Warning Event Levels. You can also filter by a time period to look at what other events are happening around that time.

Create a Custom View using XML Filtering: Starting in Windows Vista/2008, you have the ability to modify the XML query used to generate Custom Views. You can create a Custom View based on the username or the program name. Here is an example of an XML query that filters through warnings, errors, and criticals for a specific application:

<QueryList>

  <Query Id="0" Path="Application">

    <Select Path="Application">

      * [System [(Level=1 or Level=2 or Level=3)]] and * [EventData [Data and (Data='YourProgramName')]]

    </Select>

  </Query>

</QueryList>

Replace ‘YourProgramName’ with the name of your program.

Please note that this method requires some familiarity with XML and the structure of Windows event logs.

I hope this helps! Let me know if you have any other questions.