Event Properties
Applies To: Windows Server 2008, Windows Vista
The following table lists the common event properties. For more information about event properties and the underlying XML schema, see the Event Representation for Event Consumers topic in the Windows Event Log Software Development Kit (SDK) online.
Property Name | Description |
---|---|
Source | The software that logged the event, which can be either a program name, such as "SQL Server", or a component of the system or of a large program, such as a driver name. For example, "Elnkii" indicates an EtherLink II driver. |
Event ID | A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems. |
Level | A classification of the event severity. The following event severity levels can occur in the system and application logs: The following event severity levels can occur in the security log: In the Event Viewer normal list view, these are represented by a symbol. |
User | The name of the user on whose behalf the event occurred. This name is the client ID if the event was actually caused by a server process or the primary ID if impersonation is not taking place. Where applicable, a security log entry contains both the primary and impersonation IDs. Impersonation occurs when the server allows one process to take on the security attributes of another. |
Operational Code | Contains a numeric value that identifies the activity or a point within an activity that the application was performing when it raised the event. For example, initialization or closing. |
Log | The name of the log where the event was recorded. |
Task Category | Used to represent a subcomponent or activity of the event publisher. |
Keywords | A set of categories or tags that can be used to filter or search for events. Examples include "Network", "Security", or "Resource not found." |
Computer | The name of the computer on which the event occurred. The computer name is typically the name of the local computer, but it might be the name of a computer that forwarded the event or it might be the name of the local computer before its name was changed. |
Date and Time | The date and time that the event was logged. |
The following table lists the properties that can be displayed by adding columns to the Event Viewer display. For more information about adding columns to the display, see Show or Hide Event Properties.
Property Name | Description |
---|---|
Process ID | The identification number for the process that generated the event. |
Thread ID | The identification number for the thread that generated the event. |
Processor ID | The identification number for the processor that processed the event. |
Session ID | The identification number for the terminal server session in which the event occurred. |
Kernel Time | The elapsed execution time for kernel-mode instructions, in CPU time units. |
User Time | The elapsed execution time for user-mode instructions, in CPU time units. |
Processor Time | The elapsed execution time for user-mode instructions, in CPU ticks. |
Correlation Id | Identifies the activity in the process for which the event is involved. This identifier is used to specify simple relationships between events. |
Relative Correlation Id | Identifies a related activity in a process for which the event is involved. |
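
For log triage outside Event Viewer, the following added example (not part of the original topic) maps the System section of one event's XML to the property names in both tables. The XML element names and the audit keyword masks come from the Windows event schema rather than from this page, and the sample record is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVELS = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}
AUDIT_FAILURE, AUDIT_SUCCESS = 0x0010000000000000, 0x0020000000000000
# Constructed sample record for illustration; not taken from a real host.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Security-Auditing"/>
  <EventID>4625</EventID><Level>0</Level><Task>12544</Task><Opcode>0</Opcode>
  <Keywords>0x8010000000000000</Keywords>
  <TimeCreated SystemTime="2009-03-01T10:15:30.000Z"/>
  <Correlation ActivityID="{11111111-2222-3333-4444-555555555555}"/>
  <Execution ProcessID="612" ThreadID="3040"/>
  <Channel>Security</Channel><Computer>HOST01.example.test</Computer><Security/>
 </System>
</Event>"""

def event_properties(xml_text):
    """Map the System section of one event record to the table's property names."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    def get(tag, attribute=None):
        node = system.find("e:" + tag, NS)
        if node is None:
            return None
        return node.get(attribute) if attribute else node.text
    def num(value):
        return int(value) if value is not None else None
    keywords = int(get("Keywords") or "0", 16)
    # Security log records carry Level 0; the audit result is a Keywords bit.
    level_name = ("Audit Failure" if keywords & AUDIT_FAILURE else
                  "Audit Success" if keywords & AUDIT_SUCCESS else
                  LEVELS.get(num(get("Level")), get("Level")))
    return {
        "Source": get("Provider", "Name"),
        "Event ID": num(get("EventID")),
        "Level": level_name,
        "User": get("Security", "UserID"),  # None when no SID was recorded
        "Operational Code": num(get("Opcode")),
        "Log": get("Channel"),
        "Task Category": num(get("Task")),
        "Keywords": hex(keywords),
        "Computer": get("Computer"),
        "Date and Time": get("TimeCreated", "SystemTime"),
        "Process ID": num(get("Execution", "ProcessID")),
        "Thread ID": num(get("Execution", "ThreadID")),
        "Correlation Id": get("Correlation", "ActivityID"),
        "Relative Correlation Id": get("Correlation", "RelatedActivityID"),
    }
```

Fields absent from a record come back as `None`, which keeps a missing User or Relative Correlation Id distinguishable from an empty value when records are compared.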