Windows 10: Event Viewer: Filter Administrative Events?

The Administrative Events window quickly fills up with DistributedCOM warnings and errors. I tried to fix this, but in the end, couldn't get past the final step:

Fixing DistributedCOM error 10016

Failing that (any other ideas folks on how to fix rather than hide the errors??), I would at least like to filter out all event IDs 10010 and 10016: there are so many after a few weeks that it's hard to navigate through the mass of them to find other information. I should be able to go to Administrative Events and in Actions choose 'Filter Current Custom View'. But everything is greyed out (nothing at all is clickable) in the 'Filter Current Custom View' window, even though I log into Event Viewer as Administrator.

How do I proceed in order to filter those events from Administrative Events?

(Creating a new custom filter is not what I want to do BTW, and in any case (having tried it), setting -10010,-10016 as the filter removes a whole lot of other events present in Administrative Events, for some reason).

Thank you.

Windows 10 Pro 18363.1379

:)

 

Win 10 Event Viewer -- cannot save filter in Custom Views

I try to keep up a custom view for the Event Viewer. Since Win 10 was upgraded I can add exclusions such as ...-1234,-567,-89... but these are not saved upon exit from Event Viewer. Many repeated events are reported and most are not important.

Nor can I find where the filter data is stored: registry, sys32, etc.

Steps: Launch Event Viewer -- find one or more events in the custom view log -- launch Filter Current Custom View -- Add the events to be filtered out (including a (-)minus sign and comma separation. (note that in the current session, the events are
removed as is expected) -- close the Filter Current Custom View (note that there is no Apply button) -- close and restart Event Viewer.

Results: added event filter numbers are removed from the filter list -- any filter brought over from Win 8 upgrade still remain.

Fixing this would be great. Knowing where the data is stored would also be fine.

 

Export All Administrative Events to Excel

To analyze events, from the Windows Event Viewer, there is a simple way to export all Administrative Events to Excel, with PowerShell.

Exporting all Administrative Events to Excel is a simple two Step process, as described here:

Step 1 - Create the Administrative Events View .xml file

1. Open Eventviewer (%windir%\system32\eventvwr.msc)
2. Navigate to: Event Viewer (Local) > Custom Views > Administrative Events
3. In the “Actions” pane select “Filter Current Custom View”.
4. Select the the XML tab.
5. Press Ctrl+A to select all the XML code of the Custom View.
6. Open a notepad, paste the selected code and save the file to your Desktop as AdmEvtView.xml

Step 2 - Create the csv file with the events

1. Download the ExportEvtCSV.zip file, which contains the script ExportEvtCSV.ps1 and unzip it, on your Desktop.
   It's not a fancy script, just basic PowerShell commands to create a csv file on the Desktop.
2. In Windows Search, type “ISE” (without the quotes) to open “Windows PowerShell ISE” and Run as administrator
   
3. To allow running the script, change the ExecutionPolicy, for this session. To do that, in the Console pane type:
   Code:
4. In the Windows PowerShell ISE, open and run the script: ExportEvtCSV.ps1
   The script will create a csv file with a name YYYYMMDD.HHMM.csv on the Desktop
5. When done, open the newly created .csv file, format the columns as needed and optionally save it as .xlsx, if you wish.

That’s it! You now have all the Administrative Events in Excel for filtering and further analysis.

Now to the more technical hard stuff... *Confused

There is a reason for running the script from within PowerShell ISE!

It would be great if everything was also working perfectly, when running the script from an elevated PowerShell too.

We can run it from an elevated PowerShell, which means that you just follow the Step 1, as above but for the Step 2 instead of the ISE you run the script from an elevated PowerShell.

The problem is that it will work only for anybody who has en-US format for the dates. Everyone else, who has another format (i.e. en-GB, fr-FR, el-GR etc.), the dates are not translated properly by Excel (although the script uses the –UseCulture switch) and remain as text in the en-US format.

I'm not sure if this a bug of the "export-csv" cmdlet, but although it runs the way it supposed to from within the ISE, from PowerShell there is a problem with the dates format.
As I haven’t found a way to overcome this obstacle, any suggestion from the PowerShell gurus of the forum (like my good friend Shawn @Brink, for instance), is welcome.

 

Filter in the event viewer.

Hi,
is it possible to create a filter by manually editing the XML query in the event viewer and have the entered query remain stored in the log even if I close the event viewer?
Thanks