Authoring Event Rules in OpsMgr
Published Feb 14 2019 08:10 PM
First published on TECHNET on Feb 01, 2008

Anatomy of a Vista/Server 2008 event

There are three types of Vista/Server 2008 events, and they are written to various channels in the event log. Knowing which type an event is matters when authoring an OpsMgr rule, because it decides which provider, channel and event ID the rule must target.

1. The ‘pure’ Vista/Server 2008 event

These events are logged through the Windows Event Log infrastructure introduced with Vista/Server 2008 (manifest-based ETW providers), which means they were written specifically for this platform. As a result, most of these events are not backwards compatible with the events a similar application raises on downlevel platforms: the provider name, event ID and parameter layout generally differ, so a rule written against the downlevel event will not match the Vista/Server 2008 one. These events are mostly written to a channel under “Applications and Services Logs” in Event Viewer, though a few show up in the “Windows Logs”.

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>8007</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-21T19:42:41.009Z" />
    <EventRecordID>397142</EventRecordID>
    <Correlation ActivityID="{86F2A78B-6A45-4E77-A34C-2809C9AAC658}" />
    <Execution ProcessID="976" ThreadID="3516" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PolicyElaspedTimeInSeconds">5</Data>
    <Data Name="ErrorCode">0</Data>
    <Data Name="PrincipalSamName">WINGROUP\christow</Data>
    <Data Name="IsMachine">false</Data>
  </EventData>
</Event>

Note the pieces a rule keys on: the Provider Name and Guid, the Channel (here an “Applications and Services Logs” operational channel, not the Application log), the EventID, and the named <Data> parameters under <EventData>, which can be filtered individually instead of matching on rendered message text. The Security UserID S-1-5-18 is the LocalSystem account.
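As an added example (not code from the original post or from OpsMgr), the following Python parses an event of this type and pulls out exactly the fields an event rule for it would target: provider, channel, event ID and the named EventData parameters. The sample record is the Group Policy event 8007 above, with the closing </EventData> and </Event> tags supplied so it is well-formed; the function names parse_event and rule_matches are this example's own and are only a stand-in for the rule expression you would build in the OpsMgr authoring console.

```python
# Added example, not part of the original post or of OpsMgr.
# Parses a Vista/Server 2008 style event record (the XML view in Event Viewer)
# and extracts the fields a rule keys on: provider, channel, EventID and the
# named <Data> parameters. The sample below is the post's event 8007, closed
# with </EventData></Event> so it parses (constructed input).
import xml.etree.ElementTree as ET

# All Vista/Server 2008 event records live in this XML namespace; without it
# ElementTree's find() calls silently return None.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>8007</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-21T19:42:41.009Z" />
    <EventRecordID>397142</EventRecordID>
    <Correlation ActivityID="{86F2A78B-6A45-4E77-A34C-2809C9AAC658}" />
    <Execution ProcessID="976" ThreadID="3516" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PolicyElaspedTimeInSeconds">5</Data>
    <Data Name="ErrorCode">0</Data>
    <Data Name="PrincipalSamName">WINGROUP\\christow</Data>
    <Data Name="IsMachine">false</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return the <System> fields a rule matches on plus a 'Params' dict keyed by <Data Name=...>."""
    root = ET.fromstring(xml_text)
    ns = {"e": EVENT_NS}
    system = root.find("e:System", ns)
    if system is None:
        raise ValueError("not a Windows Event Log XML record (missing <System> in the event namespace)")

    def text(tag):
        el = system.find("e:" + tag, ns)
        return el.text.strip() if el is not None and el.text else ""

    provider = system.find("e:Provider", ns)
    security = system.find("e:Security", ns)
    event = {
        "Provider": provider.get("Name", "") if provider is not None else "",
        "ProviderGuid": provider.get("Guid", "") if provider is not None else "",
        "EventID": int(text("EventID")),
        "Level": int(text("Level")),
        "Keywords": int(text("Keywords"), 16),  # 64-bit flag mask, written as hex in the record
        "Channel": text("Channel"),
        "Computer": text("Computer"),
        "UserID": security.get("UserID", "") if security is not None else "",  # S-1-5-18 is LocalSystem
        "Params": {},
    }
    # Named parameters: the Name attribute is whatever the provider manifest
    # declares (spelling included), so filter on it verbatim. Providers that
    # omit Name get positional keys Param1, Param2, ... instead.
    data = root.find("e:EventData", ns)
    if data is not None:
        for i, d in enumerate(data.findall("e:Data", ns)):
            name = d.get("Name") or "Param%d" % (i + 1)
            event["Params"][name] = (d.text or "").strip()
    return event


def rule_matches(event, provider, channel, event_id, param_predicate=None):
    """Stand-in for an OpsMgr event rule: match provider, channel and EventID
    exactly, then optionally apply a predicate over the named parameters."""
    if event["Provider"] != provider or event["Channel"] != channel or event["EventID"] != event_id:
        return False
    return param_predicate is None or param_predicate(event["Params"])


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT_XML)
    print(ev["Provider"], ev["Channel"], ev["EventID"], ev["Params"])
    # A rule for "Group Policy processing failed" would also require ErrorCode != 0,
    # which this successful run does not satisfy.
    print(rule_matches(ev, "Microsoft-Windows-GroupPolicy",
                       "Microsoft-Windows-GroupPolicy/Operational", 8007,
                       lambda p: p.get("ErrorCode", "0") != "0"))
```

The point of the predicate argument is that for this event type the rule should filter on the named parameter (ErrorCode, PrincipalSamName, IsMachine) rather than on a substring of the rendered description, which is localized and can change between versions while the parameter names stay fixed in the manifest.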

Last update: Mar 11 2019 08:00 AM