How to Jump to a Specific Event Log (Channel) Directly in Event Viewer

The event logging service in Windows records important software and hardware events from various sources and stores them in a collection named event log. There are various event log channels in addition to the well-known built-in channels like Application, System, Security, etc. The Event Viewer (eventvwr.msc or eventvwr.exe) enables you to view these logs.

Here is a sample list of the channels or logs seen in the Event Viewer window.

  • Microsoft-Windows-Store/Operational
  • Microsoft-Windows-GroupPolicy/Operational
  • Microsoft-Windows-StateRepository/Operational
  • Microsoft-Windows-AppXDeploymentServer/Operational
  • Microsoft-Windows-EapHost/Operational
  • Microsoft-Client-Licensing-Platform/Admin
  • Microsoft-Windows-TaskScheduler/Operational
  • Microsoft-Windows-FileHistory-Engine/File History backup log

For instance, to view Microsoft-Windows-FileHistory-Engine/File History backup log, usually, one would open the Event Viewer and then navigate to the following branch manually:

Applications and Service Logs → Microsoft → Windows → FileHistory-Engine → File History backup log

event viewer jump to a log directly

SIMILAR: Jump to a Registry Key (Stored in Clipboard) Directly Using RegJump

Jump Directly to a Specific Event Log in Event Viewer

If you’re going to check this File History event log channel many times in a day, then there is an easier option for you. Simply create a desktop shortcut with the following command-line.

The command-line would open the Event Viewer and jump to the mentioned log or channel directly.

mmc.exe eventvwr.msc /c:"Microsoft-Windows-FileHistory-Engine/BackupLog"

Event Viewer command-line parameters (full list)

eventvwr command-line parameters list

Eventvwr [<computer name>] [/v:<query or view file>] [/l:<log file>] [/c:<channel>] [/f:<filter>] [/?]

  • <computer name> — Specifies the computer name of the machine to view events for. If this is not given, local machine is assumed.
  • /v:<query or view file> — Specifies a query or a view file created by event viewer. Query file must contain a valid Crimson XML query, starts with <QueryList>; View file contains the XML query string along with other settings, but doesn’t contain events. This option is mutually exclusive with /c and /l.
  • /l:<log file> — Specifies the log file to be opened. This log file should be an exported evtx, evt or etl file. This option is mutually exclusive with /v and /c.
  • /c:<channel> — Specifies the name of the channel to be selected when the viewer starts. This option is mutually exclusive with /v and /l.
  • /f:<filter> — If used in conjunction with /c or /l, this specifies the filter to be applied to the channel or log, in the form of an XPath query; if not in conjunction with /c or /l, this must be a valid Event Log XML query that starts with <QueryList>. If the query contains a space, then the entire query must be enclosed in double quotes. If the query itself contains double quotes, then you must change the double quotes in the query to single quotes. For example, the XML query <QueryList><Query Id=”0” Path=”SystemA”><Select Path=”SystemB”>*[System[(Level=2)]]</Select></Query></QueryList> must be specified as /f:” <QueryList><Query Id=’0′ Path=’System’><Select Path=’System’>*[System[(Level=2)]]</Select></Query></QueryList>\”
  • /? — Shows this usage message.
RELATED: Wevtutil Error “The specified channel could not be found” when clearing an Event Log File

What about custom views?

If you’ve created custom views to view/filter specific events, they’re listed under the Custom Views section of the Event Viewer.

event viewer jump to a log directly

Each custom view is linked to an XML file located in one of the following folders:

%ProgramData%\Microsoft\Event Viewer\Views

%LocalAppData%\Microsoft\Event Viewer\Views

The file names are View_0.xml, View_1.xml, View_2.xml, and so forth. To know the corresponding XML file name of a custom view item, you may have to view each XML file in those folders manually.

event viewer jump to a log directly

To jump directly to a custom view, you need to use the eventvwr.msc command-line with the /v parameter. And, you need to mention the XML file name of that particular custom view item.

For instance, the “Errors during last 24 hrs” custom view is powered by the XML file named View_8.xml. So, I’d use this command-line to open Event Viewer directly to that custom view item.

mmc.exe eventvwr.msc /v:"C:\ProgramData\Microsoft\Event Viewer\Views\View_8.xml"

Though you’re able to jump to a specific channel or custom view directly using this method, you may not see improvement in the Event Viewer load time.

One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)
Tweet
Share
Share
0 Shares

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

...

Leave a Comment