Saving an Event viewer view to XML using Powershell ?

Similar Messages

• How can I capture delete user event in Active Directory 2008 using Powershell command

  Hi,
  In my Active Directory every user have own home drive in the file server. When I delete user I also need to delete folder from the server. 
  My target is make the process automated, so that when I delete user account form AD, the folder associate with user also delete.
  Can I write any power shell script to grep the delete event  and remove folder from file server.
  Thanks
  Tamim Khan

  You can setup event viewer to provide alerts (email alerts) for event id 630.
  Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
  Follow the wizard.
  ** Event ID Sample **
  Event ID: 630
  Type: Success Audit
  Description: User Account Deleted:
  Target Account Name: %1 Target Domain: %2
  Target Account ID: %3 Caller User Name: %4
  Caller Domain: %5 Caller Logon ID: %6
  Privileges: %7
  - Chris Ream -
  **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

• Event Handler Between Reboot states using Powershell

  Hi,
  I need some help writing an event handler for a powershell script that would meet the following requirement:
  1.  Continue Upon a restart
  2.  Continue Upon a sleep state
  3.  Continue Upon a hibernation state.

  One way that I can see that would meed all three of your requirements is to use a permanent WMI Consumer to watch the event log for each of these type of events and then perform an action.
  http://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/
  It would be best to make a filter for each type of event rather than throwing all into one filter. Depending on your OS, the event IDs may be different, but it is nothing that a quick query via a search engine could find for you.
  Boe Prox
  Blog |
  Twitter
  PoshWSUS |
  PoshPAIG | PoshChat |
  PoshEventUI
  PowerShell Deep Dives Book

• User locks with out any log in event viewer

  Hi,
  In our active directory environment, Domain user gets locked out with out any event saved in event viewer as i am not able to see why these users gets locked.
  Any help?

  Hi,
  Additionally information for you:
  Tracing Account Lockout Source
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/50512220-aeb2-4eb2-b467-2b9ad9a5b2db/tracing-account-lockout-source
  Regards.
  Vivian Wang

• Custom alarm and event view

  Hello
  I tried to create custom alarm&event view. I used "read alarm.vi" and "format alarm data.vi" to fill multicolumn listbox where i changed columns names.  Why alarms disapear when they are not active anymore? How can i change that? I would like to have all alarms in table, new and old ones. How can I change colors when alarm is active, inactive or ack?
  thanks

  Hi
  I did it, but... There is always but. I've changed columns names, switch position of 1st and 2nd, and 3rd and 4th column, and alarms in different state have different color. But its not working properly. Few seconds table is changed and few seconds in not. Maybe my PC is too slow, or is it something else. Please look at picture in attachment. Is there easier way to do it?
  Thanks
  Attachments:
  alarmi.JPG ‏113 KB

• Get the web part properties of documeny lib view web part using power shell

  Hi,
  Am looking to get the propeties of a list view web part - a document library's  list view web  part- using PowerShell
  Manually I am able to do the same: the steps followed by me is given below:
  1) I went to the
  http://srvr1:123/sites/enggtest/mydoclib1/forms/allitems.aspx
  2) Edit the page
  3) Edit the  mydoclib1 view web part
  4) go to the peroperties
  5) Check the Server Render checkbox
  is there   anyway i can do this using power shell.

  The code below assumes that the webpart is at index 0:
  $SiteUrl = "http://aissp2013/sites/TestSite/"
  $pageURL = "http://aissp2013/sites/TestSite/Lists/MyList/AllItems.aspx"
  $web = Get-SPWeb $SiteUrl
  $wpm = $web.GetLimitedWebPartManager($pageURL, [System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared)
  $wp = $wpm.WebParts[0]
  $wp.ServerRender = $true
  $wpm.SaveChanges($wp)
  Blog | SharePoint Learnings CodePlex Tools |
  Export Version History To Excel |
  Autocomplete Lookup Field

• I can no longer use all of the "Computer Management" tools against a remote computer. "Local Users and Groups", "Event Viewer", "Performance Logs and Alerts" and "Device Manager"

  Hello All,
  I can no longer use all of the "Computer Management" tools against a remote
  computer. "Local Users and Groups", "Event Viewer", "Performance Logs and
  Alerts" and "Device Manager"
  kindly see the below snapshot for assistance
  REGARDS DANISH DANIE

  This link may help....
  http://windowsxp.mvps.org/admintools.htm
  Freeman

• Illustrator crashes randomly. Event Viewer says Save4web.aip module is to blame

  Hello -
  My Illustrator is crashing randomly while im working on it. Anywhere from importing a picture to saving to just opening the program.
  I checked the event viewer and noticed that in all instances the Save4Web.aip module is what's crashing.
  Can someone please help? I tried contacted a support rep but apparently there is no phone support :\
  Below is the Event:
  Log Name:      Application
  Source: Application Error
  Date: 2/26/2015 1:18:46 PM
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User: N/A
  Computer: Graphics3333.RayNeon.lan
  Description:
  Faulting application name: Illustrator.exe, version: 18.1.1.446, time stamp: 0x547efe06
  Faulting module name: Save4Web.aip_unloaded, version: 0.0.0.0, time stamp: 0x547f0f40
  Exception code: 0xc0000005
  Fault offset: 0x000000006871ddf0
  Faulting process id: 0x1714
  Faulting application start time: 0x01d051ef7b1ce35a
  Faulting application path: C:\Program Files\Adobe\Adobe Illustrator CC 2014\Support Files\Contents\Windows\Illustrator.exe
  Faulting module path: Save4Web.aip
  Report Id: e6bd99fa-bde3-11e4-9203-f0795965ef04
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
  <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-26T18:18:46.000000000Z" />
  <EventRecordID>5806</EventRecordID>
  <Channel>Application</Channel>
  <Computer>Graphics3333.RayNeon.lan</Computer>
      <Security />
    </System>
    <EventData>
      <Data>Illustrator.exe</Data>
      <Data>18.1.1.446</Data>
      <Data>547efe06</Data>
  <Data>Save4Web.aip_unloaded</Data>
      <Data>0.0.0.0</Data>
      <Data>547f0f40</Data>
      <Data>c0000005</Data>
      <Data>000000006871ddf0</Data>
      <Data>1714</Data>
      <Data>01d051ef7b1ce35a</Data>
      <Data>C:\Program Files\Adobe\Adobe Illustrator CC 2014\Support Files\Contents\Windows\Illustrator.exe</Data>
      <Data>Save4Web.aip</Data>
  <Data>e6bd99fa-bde3-11e4-9203-f0795965ef04</Data>
    </EventData>
  </Event>

  samk,
  You could try to reinstall using the full three step way:
  Uninstall (ticking the box to delete the preferences), run the Cleaner Tool, and reinstall.
  http://www.adobe.com/support/contact/cscleanertool.html

• Multiple Event Viewer Error Ids, Corrupt Catalogs, System not working right. Please help.

   Since I could not find a list of the Event Ids that was accurate at all or not too general as to be useless and Microsoft won't let us know how to fix these ourselves without having a programming degree, I am begging for help from anyone who can help
  me get my computer working right again. I have some important things to get done which I can't do without my computer working. I have tried to get what I could get but I am blocked from many files which makes it difficult to get info. Please help. I appreciate
  any help I can get. Thank you,
  WhiteFox42
  I am not sure which one is more important.
  Event id 20
  Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems
  (KB2468871).
  Event id 11
  Possible Memory Leak.  Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 476) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)].  [allocate(all_nodes)] parameters are always
  reallocated; if the original pointer contained the address of valid memory, that memory will be leaked.  The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20).  User Action: Contact your application
  vendor for an updated version of the application.
  Event id 455
  taskhost (1348) WebCacheLocal: Error -1811 (0xfffff8ed) occurred while opening logfile R:\User\App Data\Roaming\Microsoft\Templates\Local\Microsoft\Windows\WebCache\V01.log.
  Event Xml:
  Event id 505
  wuaueng.dll (1012) SUS20ClientDataStore: An attempt to open the compressed file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed because it could not be converted to a normal file.  The open file operation
  will fail with error -4005 (0xfffff05b).  To prevent this error in the future you can manually decompress the file and change the compression state of the containing folder to uncompressed.  Writing to this file when it is compressed is not supported.
  Event id 513
  Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object
  Event id 1000
  Faulting application name: IEXPLORE.EXE, version: 11.0.9600.16428, time stamp: 0x525b664c
  Faulting module name: IEFRAME.dll, version: 11.0.9600.16476, time stamp: 0x52944cf2
  Exception code: 0xc0000005
  Fault offset: 0x00025f1d
  Faulting process id: 0x1854
  Faulting application start time: 0x01cf0735f0e5f0c7
  Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Faulting module path: C:\Windows\system32\IEFRAME.dll
  Report Id: e3dc1e9a-733f-11e3-b920-00215a2af202
  Event id 1000
  Faulting application name: msiexec.exe, version: 5.0.7601.17514, time stamp: 0x4ce79d93
  Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeb033f
  Exception code: 0xc0000005
  Fault offset: 0x00000000000035e1
  Faulting process id: 0x1030
  Faulting application start time: 0x01cf01b77867a358
  Faulting application path: C:\Windows\system32\msiexec.exe
  Faulting module path: C:\Windows\system32\msvcrt.dll
  Report Id: f7253b17-6daa-11e3-b944-00215a2af202
  Event id 1002
  Computer:      w7mar-64  "I don't know why it has computer as this when it should not be."
  Description:
  The IP address lease 192.168.200.195 for the Network Card with network address 0x08002742F261 has been denied by the DHCP server 192.168.200.1 (The DHCP Server sent a DHCPNACK message).
  Event id 1008
  The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.
  Event id 1008
  Computer:      w7mar-64
  Description:
  An errorUser:          LOCAL SERVICE
   occurred in initializing the interface. The error code is: 0x2.
  Event id 1014
  User:          NETWORK SERVICE
  Computer:    
  Description:
  Name resolution for the name wpad.westell.com timed out after none of the configured DNS servers responded.
  Event id 1015
  User:          N/A
  Computer:      w7mar-64
  Description:
  Event ID 1013 for the Windows Search Service has been suppressed 7 time(s) since 12:04:10 PM. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time.  See Event ID 1013 for further details
  on this event.
  Event id 1015
  Failed to connect to server. Error: 0x8007043C
  Event id 1018
  The description for Event ID 1018 from source EvntAgnt cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  Event id 1020
  Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
  Event id 1028
  Windows Installer has determined that its configuration data cache folder was not secured properly. The owner of the key must be either Local System or Builtin\Administrators. The existing folder will be deleted and re-created with the appropriate security
  settings.
  Event id 1101
  .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.Web.Entity.Design, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil . Error code = 0x80010108
  Event id 1500
  The description for Event ID 1500 from source SNMP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  Event id 1530
  Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
  Event id 1530
  Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  
   DETAIL -
   6 user registry handles leaked from \Registry\User\S-1-5-21-2959539970-205720217-4182857889-1000:
  Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software
  Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Internet Explorer\Main
  Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Policies
  Event id 3028
  Context: Windows Application, SystemIndex Catalog
  Details:
      The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
  Event id 3029
  Context: Windows Application, SystemIndex Catalog
  Details:
      The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
  Event id 3036
  The content source <csc://{S-1-5-21-2959539970-205720217-4182857889-1001}/> cannot be accessed.
  Event id 3036
  No protocol handler is available. Install a protocol handler that can process this URL type.  (HRESULT : 0x80040d37) (0x80040d37)
  Event id 4104
  Description:
  The backup was not successful. The error is: Access is denied. (0x80070005).
  Event id 4228
  TCP/IP has chosen to restrict the scale factor due to a network condition.  This could be related to a problem in a network device and will cause  degraded throughput.
  Event id 4321
  The name "WHITEFOXPC     :0" could not be registered on the interface with IP address 192.168.1.21. The computer with the IP address 192.168.1.19 did not allow the name to be claimed by this computer.
  Event id 4373
  The description for Event ID 4373 from source NtServicePack cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  Event id 4879
  MSDTC encountered an error (HR=0x80000171) while attempting to establish a secure connection with system WHITEFOXPC.
  Event id 6000
  The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
  Event id 6006
  The winlogon notification subscriber <TrustedInstaller> took 186 second(s) to handle the notification event (CreateSession).
  Event id 7000
  The Windows Audio service failed to start due to the following error:
  A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view
  the service configuration and the account configuration.
  Event id 7001
  The Computer Browser service depends on the Server service which failed to start because of the following error:
  The dependency service or group failed to start.
  Event id 7010
  The index cannot be initialized.
  Details:
      The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
  Event id 7023
  The Block Level Backup Engine Service service terminated with the following error:
  %%-2147024713
  Event id 7024
  The Windows Search service terminated with service-specific error %%-1073473535.
  Event id 7026
  The following boot-start or system-start driver(s) failed to load:
  aswKbd
  aswRvrt
  aswSnx
  aswSP
  aswTdi
  aswVmm
  discache
  spldr
  Wanarpv6
  Event id 7030 & 7031
  The dldw_device service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
  Event id 7032
  The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Installer service, but this action failed with the following error:
  An instance of the service is already running.
  Event id 7040
  The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.
  Event id 7042
  The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
  Details:
      The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
  Event id 8210
  An unspecified error occurred during System Restore: (Installed Java 7 Update 45). Additional information: 0x80070003.
  Event id  9000
  The Windows Search Service cannot open the Jet property store.
  Details:
      0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))
  Event id 10005
  DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server:
  {000C101C-0000-0000-C000-000000000046}
  Event id 10010
  15 of these with different server codes which I can't copy unless I copy all the details.
  The server {3EEF301F-B596-4C0B-BD92-013BEAFCE793} did not register with DCOM within the required timeout.
  Event id 12348
  Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{8e79517c-6c41-11e3-b621-cb03f0618d54}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning
  properly.  Check security on the volume, and try the operation again.
  Event id 15006
  9 of these.
  Description:
  Owner of the log file or directory \SystemRoot\System32\LogFiles\HTTPERR\httperr1.log is invalid. This could be because another user has already created the log file or the directory.
  Event id 31004
  33 of tese.
  The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
  The End.
  Kimberly D. White-Fox

  Please provide a copy of your System Information file. Type System Information in the Search Box above the start Button and press the ENTER key
  (alternative is Select Start, All Programs, Accessories, System Tools, System Information). Select File, Export and give the file a name noting where it is located. The system creates a new System Information file each time system information is accessed.
  You need to allow a minute or two for the file to be fully populated before exporting a copy. Please upload to your Sky Drive, share with everyone and post a link here. Please say if the report has been obtained in safe mode.
  Please upload and share with everyone copies of your System and Application logs from your Event Viewer to your Sky Drive and post a link here.
  To access the System log select Start, Control Panel, Administrative Tools, Event Viewer, from the list in the left side of the window select Windows
  Logs and System. Place the cursor on System, select Action from the Menu and Save All Events as (the default evtx file type) and give the file a name. Do the same for the Applications log. Do not provide filtered files.
  For help with Sky Drive see paragraph 9.3:
  http://www.gerryscomputertips.co.uk/MicrosoftCommunity1.htm
  Some Event Viewer reports are generated solely because the computer is in safe mode or safe mode with networking. You have at least one example of this in your long list. If you do not see the same report for a time when
  the computer was in normal mode then it can be disregarded.
  You will find some general advice on interpreting Event Viewer reports here:
  http://www.gerryscomputertips.co.uk/syserrors5.htm
  Hope this helps, Gerry

• How do you change the Event Viewer archive location in Server 2008 R2?

  We're wanting to redirect the security and system event viewer logs to the D:\ on a Server 2008 R2 box
  We've got the current logs to save there, however all archived system/security logs are still being saved on the c:\ in their default location in %windir%\system32... and killing the OS partition.
  I can write something up in PoSh and schedule it, but I'd rather use any built-in capabilities first...
  I've taken a peek in the HKLM\Services\CurrentControlSet... hive where the event viewer behavior is configured and do not see an option to set a path for the archive location...

  Unfortunately, you cannot customize the location of archived event logs in Windows. The logs will always be archived to %windir%\system32\Winevt\Logs\Archive-xxxxxx
  There'd be some scripts can help you automatically archived logs to another location. You can find them here: http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=security
  Regards,
  Zhang     
  TechNet Subscriber Support
  If you are
  TechNet Subscriptionuser
  and have any feedback, please send your feedback here.

• Event viewer filtered log not exported correctly

  Hi all,
  I have a very strange problem, or better, I'm missing something.
  I can open the event viewer and there are many events in there (45'000). I can filter for the last 7 days and this shows me only 1925 events which is correct.
  Now, if I click on SAVE FILTERED LOG FILE AS, I can save the file in XML or TXT format (or others). It's not important the format because the export is incorrect! What I mean is that once the file has been exported to a TXT or others file's format, it contains
  just some events, in this case maybe 50-60 events, not more! The strange thing is that in that file I can see ONLY the events from the most recent day in the filter (right now the 14 of june).
  Now the funny part: if I save THE SAME LOG as .XML, it doesn't show all the events, but more than the TXT file (in this case, it shows until the 2nd of june), but the last event on the filtered event viewer, is on 13 may.
  I hope somebody can help me, and excuse me for my explanation.

  Hi ripp3r,
  Thank you for your post.
  I test to save event log following your description with same result. When I save log to evtx format file, the log show correctly.
  Then I find KB2417105 (for Windows 2008) to express that logs are truncated because the saving event log operation is not synchronized appropriately with the fetching-event operation.
  When I installed the KB2417105, event log saved to txt file successful.
  If your server OS is Windows 2008 R2, please install
  KB981466.
  If there are more inquiries on this issue, please feel free to let us know.
  Regards,
  Rick Tan

• Events View in iPhoto '08

  When I go to the Events view in iPhoto '08 about half of my events groups do not show the key photos. Similarly, when you drag the mouse across the front of the event window in some instances no photos appear, in others only half appear and the rest do not. However, when double clicking on the event all photos show in the file. How can I fix this? Why does it do that? Thanks.

  gmm26
  Welcome to the Apple Discussions.
  The reason iPhoto won't let you select the Library is because it does not see a valid Library there. This means that your database has been damaged.
  Try these in order - from best option on down...
  1. Do you have an up-to-date back up? If so, try copy the library6.iphoto file from the back up to the iPhoto Library (Right Click -> Show Package Contents) allowing it to overwrite the damaged file.
  2. Download iPhoto Library Manager and use its rebuild function. This will create a new library based on data in the albumdata.xml file. Not everything will be brought over - no slideshows, books or calendars, for instance - but it should get all your albums back.
  3. If neither of these work then you'll need to create and populate a new library.
  To create and populate a new library:
  Note this will give you a working library with the same Events and pictures as before, however, you will lose your albums, keywords, modified versions, books, calendars etc.
  In the iPhoto Preferences -> Events Uncheck the box at 'Imported Items from the Finder'
  Move the iPhoto Library to the desktop
  Launch iPhoto. It will ask if you wish to create a new Library. Say Yes.
  Go into the iPhoto Library (Right Click -> Show Package Contents) on your desktop and find the Originals folder. From the Originals folder drag the individual Event Folders to the iPhoto Window and it will recreate them in the new library.
  When you're sure all is well you can delete the iPhoto Library on your desktop.
  In the future, in addition to your usual back up routine, you might like to make a copy of the library6.iPhoto file whenever you have made changes to the library as protection against database corruption.
  Regards
  TD

• Event ID 100 in Event Viewer

  After upgrading ITunes to version 10.2.2.12, I have been receiving error messages in my Windows 7 Event Viewer. The errors occur when the PC goes to sleep.  I realize I can disable Bonjour in Services but prefer to keep it enabled if possible. I am using the Apple Extreme Base Station and the Airport Utility cannot find the AEBS when Bonjour is disabled. I have tried reparing the Bonjour and ITunes installs but that did not help. Thanks in advance for any suggestions.
  Details are below:
  Log Name:      Application
  Source:        Bonjour Service
  Date:          4/26/2011 9:33:18 AM
  Event ID:      100
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      User-PC
  Description:
  mDNSCoreMachineSleep: mDNS_Unlock locking failure! mDNS_busy (1) != mDNS_reentrancy (0)
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Bonjour Service" />
      <EventID Qualifiers="0">100</EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2011-04-26T13:33:18.000000000Z" />
      <EventRecordID>26566</EventRecordID>
      <Channel>Application</Channel>
      <Computer>User-PC</Computer>
      <Security />
    </System>
    <EventData>
      <Data>mDNSCoreMachineSleep: mDNS_Unlock locking failure! mDNS_busy (1) != mDNS_reentrancy (0)</Data>
    </EventData>
  </Event>

  If the UPSA service is started then you could try using the
  Forefront Synchronization Service Manager to troubleshoot the issue, it may shed some light on what is going wrong during the sync.  Have a look here for more information:
  http://www.adventuresinsharepoint.co.uk/index.php/2014/05/15/user-profile-synchronization-not-working-with-active-directory-connection/

• Essential event viewer bugs with "Forwarded Events" log in Windows Server 2008 R2 and Windows 7

  To my general experience, Windows event viewer is one of the most problematic, faulty management tools in the case of extensive use of its more sophisticated capabilities. The sole description as well as reproduction of some entangled failures would require
  remarkable effort.
  With the "Forwarded Events" log however, the situation becomes particularly worse in that even simple functionality fails and workarounds are difficult to find. That’s what I’ll describe here in order to share my experience with interested users.
  For precision: I’ve extensively used event viewer on a German Windows Server 2008 R2 SP1 (Windows SBS 2011 Standard SP1). The bugs I found on that system, I could reproduce on a German Windows 7 Professional 64-Bit SP1, too.
  Problem 1: Failure of even simple event filtering
  To reproduce this problem, execute these steps on a test machine with any of the two OS mentioned above:
  (i) To prepare log contents, do either of the following:
  (a) populate some events to your local "Forwarded Events" log (most simply by subscribing events from other logs of the same machine; stop subscription if you have collected some events)
  Or
  (b) copy a non-empty log file "ForwardedEvents.evtx" from another machine (with any of the two OS mentioned above) to your test machine and open the file in event viewer.
  (ii) Navigate to your "Forwarded Events" test log and open the filtering dialog. In the "Includes/Excludes Event IDs" field, type: 1-9000. Click OK.
  (iii) Look at the results pane: Surprise, 0 Events! Do you really have no event IDs between 1 and 9000 in your test log?
  (iv) Another example, if you have forwarded security events in your test log: Clear filter, if any previous filter is in place. Open the filtering dialog. In "Keywords" sub-dialog, choose "Audit Success". Click OK.
  (v) Look at the results pane: Surprise, 0 Events! Do you really have no successful security monitoring events in your test log?
  I’ll finish here. If you have a rich variety of events in your test log available, let your imagination run wild to test around. Finally include some simple manually created or modified XPath filters on the XML tab of the filtering dialog. I promise, you’ll
  find a lot of additional strange results.
  Problem 2: Cannot save manually selected events to .evtx file
  Navigate to your "Forwarded Events" test log. In the results pane, select one or more events by highlighting them by mouse clicks. In context menu, choose "Save selected events". In the "save as" dialog, choose file type *.evtx
  and save your file. Open the newly created file in event viewer. Result: Surprise, no events inside the new file!
  Have more fun with forwarded events
  Helmut

  Did you mean that right click Forwarded Event and select "Filter Current Log..."? Since I can filter correct event vai the "Filter Current Log..." in my Lab environment.
  Hi Justin,
  yes, I mean "Filter Current Log ... " (in my German systems: "Aktuelles Protokoll filtern ... ").
  What do you mean with "my Lab environment" exactly?
  In the meantime, I performed additional tests. I copied the "ForwardedEvents.evtx" test file from Server 2008 R2 resp. Windows 7 to
  (i) German Windows 8 Pro 64-Bit RTM
  (ii) German Windows 8.1 Pro 64-Bit, up-to-date
  in order to view and filter the file there.
  Results: Same event viewer problem on Windows 8 RTM, but correct behavior on Windows 8.1!
  Best regards, Helmut

• Escape key no longer functioning to back out of photos in Event view

  In iPhoto '09, when you drilled down to view a photo in Event view, you used to be able to use the Escape key to step back a level. With iPhoto '11, I have been unable to do this. Is there a setting I'm missing or something?

  I just figured out a great solution to this problem! The goal here is to remap the Escape key in iPhoto so that it functions like the Command-Left-Arrow, which currently has all the functions we wish Escape had. The instruction are fairly simple:
  Install KeyRemap4MacBook. It's a wonderful program that lets you take control of your keyboard. It's stable and powerful and quick and free.
  Follow these instructions which tell you how to add your own custom settings. (Skip steps 4 through 6, which just give you some example settings to add.)
  Edit private.xml so that it looks like the following (or at least contains the following "item", if you have other custom settings installed):
  <?xml version="1.0"?>
  <root>
    <item>
      <name>Escape to Command Left Arrow</name>
      <identifier>private.app_iphoto_escape_to_command_left_arrow</identifier>
      <only>IPHOTO</only>
      <autogen>--KeyToKey-- KeyCode::ESCAPE, KeyCode::CURSOR_LEFT, ModifierFlag::COMMAND_R</autogen>
    </item>
  </root>
  Finally, save private.xml, then click "ReloadXML" under the "Change Key" tab of the KeyRemap4MacBook preferance pane. Your new setting should appear at the top of the list. Enable it. Restart iPhoto if you feel like it (you probably won't need to). And now, in iPhoto, Escape should work as you want it to!
  NOTE: There is one downside I've discovered. You won't be able to get out of Slideshow mode using the Escape key anymore, as this was the one case where Escape originally functioned sensibly. Rather, you'll have to use your mouse to click the X button to escape. But Slideshow mode is terrible anyway. Just use full screen mode instead.