Event Viewer and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of Event Viewer

Overview: Using Event Viewer in a managed environment

How Event Viewer communicates with Internet sites

Controlling Event Viewer to prevent the flow of information to and from the Internet

Procedures for preventing the flow of information to and from the Internet through Event Viewer

Additional references

This section explains how Event Viewer in Windows® 7 and Windows Server® 2008 R2 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

Benefits and purposes of Event Viewer

Administrators can use Event Viewer to view and manage event logs. Event logs contain information about hardware and software problems and about security events on your computer. A computer that is running Windows 7 or Windows Server 2008 R2 records events in at least three types of logs: application, system, and security. A computer that has Windows Server 2008 R2 configured as a domain controller records events in two additional logs, the Directory Service log and the File Replication Service log. A computer that has Windows Server 2008 R2 configured as a Domain Name System (DNS) Server records events related to DNS in an additional log.

Note

Other types of events and event logs are available on a computer depending on what services are installed.

Forwarding and collecting events

Windows Server 2008 R2 can collect copies of events from multiple remote computers and store them on one computer. Windows Server 2008 R2 can forward and collect events across the Internet, and it can encrypt the events, depending on how it is configured. Using the event collecting feature requires that you configure the forwarding and the collecting computers. The configuration that you create for forwarding and collecting events is called an “event subscription.”

The process of collecting events depends on the Windows Remote Management (WinRM) service and the Windows Event Collector service. These services must be running on computers that are participating in the forwarding and collecting process. The WinRM service supports communication through HTTPS (you can specify that the events you forward across the Internet are encrypted before being sent).

It is outside the scope of this document to fully describe event collecting, event subscriptions, the Windows Remote Management (WinRM) service, or the Windows Event Collector service. For more details about forwarding and collecting events, see Additional references later in this section.

Overview: Using Event Viewer in a managed environment

In Windows 7 or Windows Server 2008 R2, Event Viewer is located in Administrative Tools (click Start, click Administrative Tools, and then click Event Viewer).

In Windows Server 2008 R2, you can also view Event Viewer data in Server Manager. In the Server Manager console tree, expand Diagnostics, and then click Event Viewer. You can obtain detailed information about a particular event by double-clicking the event (or through other methods, such as right-clicking and then clicking Event Properties). The dialog box gives a description of the event, and it can contain one or more links to Help.

In Event Properties, the link next to More Information is labeled Event Log Online Help. By default, Event Log Online Help appends the information that is explained in How Event Viewer communicates with Internet sites later in this section. Detailed message explanations, recommended user actions, and links to additional support and resources are presented on the following site:

Events and Errors Message Center.

When you click the link, you are asked to confirm that the information presented can be sent over the Internet. If you click Yes, the information listed about the event will be sent across the Internet. This information is described in more detail in How Event Viewer communicates with Internet sites later in this section.

You might want to prevent users from sending this information over the Internet, or you might want to redirect the requests that result from users clicking links in Event Viewer to a Web server in your organization. In Windows 7 or Windows Server 2008 R2, you can control both behaviors through Group Policy.

You might also want to collect copies of events from multiple remote computers and store them on one computer. For information about this option, see Forwarding and collecting events earlier in this section and Additional references later in this section.

How Event Viewer communicates with Internet sites

To access the relevant Help information that is provided by the link in the Event Properties dialog box, you must send the information that is listed about the event. This data is limited, and you can use it to retrieve more information about the event from the Event Log Online Help. User names, e-mail addresses, and names of files unrelated to the logged event are not collected.

For information about how to collect copies of events from multiple remote computers and store them on one computer, see Forwarding and collecting events earlier in this section and Additional references later in this section.

The communication that occurs across the Internet when a user clicks the Event Log Online Help link in the Event Properties dialog box is described in the following list:

  • Specific information sent or received: Information about the event that is sent across the Internet is appended to a URL. By default, the site is:

    Events and Errors Message Center.

    The information appended to the URL includes:

    • Company name (software vendor)

    • Date and time

    • Product name and version (for example, Windows Server 2008 R2)

    • Event ID (for example, 1010)

    • Event source (for example, Microsoft-Windows-DHCP-Client)

    • Locale ID (for example, 1033 for English - United States)

    The information that the user receives is the available information about the event, and it may include additional links.

  • Default settings: Access to Event Viewer is enabled by default.

  • Triggers: The user chooses to send information about the event across the Internet to obtain more information about the event.

  • User notification: When a user clicks this link, a dialog box listing the information that will be sent is provided.

  • Logging: This is a feature of Event Viewer.

  • Encryption: The information may be encrypted, depending on whether the link uses HTTP or HTTPS.

  • Access: No information is stored.

  • Privacy: Event information that is collected and sent to Microsoft® when a user clicks the Event Log Online Help link is used to locate and provide additional information about the event. Microsoft does not use this information to contact or identify the user. The information is not stored.

  • Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL. It uses HTTP with port 80 or HTTPS with port 443.

  • Ability to disable: The ability to send information across the Internet or link to a Web site can be prevented through a Group Policy setting.

Controlling Event Viewer to prevent the flow of information to and from the Internet

You can prevent users from sending information across the Internet and accessing Internet sites through Event Viewer by configuring Group Policy. Alternatively, you can use Group Policy to redirect the requests that result from users clicking links in Event Viewer to a Web server in your organization.

These Group Policy settings affect only the flow of information to and from an intranet or the Internet through Event Viewer, not the other functions of Event Viewer.

Procedures for preventing the flow of information to and from the Internet through Event Viewer

The following procedure explains how to use Group Policy to prevent users from sending information across the Internet and accessing Internet sites through Event Viewer.

To use Group Policy to prevent the flow of information to and from the Internet through Event Viewer

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate Group Policy object (GPO).

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication Settings.

  3. In the details pane, double-click Turn off Event Viewer "Events.asp" links, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication Group Policy setting (expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Restrict Internet communication). For more information about this Group Policy setting and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows 7 and Windows Server 2008 R2.

The following procedure explains how to use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Event Viewer.

  3. In the details pane, double-click Events.asp URL, click Enabled, and then type the URL for the Web page that you want Event Viewer links to go to. Click OK.

  4. In the details pane, double-click Events.asp program, click Enabled, and then type the path for the program to be used for displaying the URL that you typed in the previous step. If you want the page to be displayed in the Web browser and the Web browser is in the system path, you can type the name of the Web browser executable alone, for example, iexplore.exe.

  5. In the details pane, double-click Events.asp program command line parameters, click Enabled, and then type any command line parameters that are required for the program you typed in the previous step. If the program you typed in the previous step does not use parameters, clear the text box.

Note

After the preceding settings go into effect, when users click a link in Event Viewer, the user notification still appears stating that Event Viewer will send information across the Internet and asking for confirmation. Regardless of the user notification, if you carry out the preceding procedure and redirect events to a Web server in your organization, the information goes to that server, not across the Internet.
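One way to confirm from Web proxy logs that either procedure took effect is to look for Event Viewer help requests that still leave the organization. The following is an added example, not part of the original documentation. The log format, the host names, and the query parameter names are constructed assumptions; only the Events.asp page name and the sample event values come from this section.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the intranet server typed into the "Events.asp URL" policy.
INTERNAL_HOSTS = {"events.corp.example"}

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
# Hosts and query parameter names are illustrative placeholders.
SAMPLE_LOG = """\
2011-03-01T09:14:02Z 10.0.4.17 GET http://external.example/events.asp?EvtID=1010&EvtSrc=Microsoft-Windows-DHCP-Client&LCID=1033 200
2011-03-01T09:15:40Z 10.0.4.22 GET https://events.corp.example/events.asp?EvtID=1010&LCID=1033 200
2011-03-01T09:16:05Z 10.0.4.17 GET http://external.example/index.html 200
2011-03-01T09:17:11Z 10.0.4.30 GET http://events.corp.example/Events.asp?EvtID=7036 200
malformed line
"""


def find_event_help_requests(log_text, internal_hosts=INTERNAL_HOSTS):
    """Return one record per request for an Events.asp page."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the constructed format
        when, client, _method, url, _status = parts
        u = urlsplit(url)
        if not u.path.lower().endswith("/events.asp"):
            continue
        host = (u.hostname or "").lower()
        findings.append({
            "time": when,
            "client": client,
            "host": host,
            "external": host not in internal_hosts,    # left the organization
            "cleartext": u.scheme.lower() != "https",  # query readable in transit
            "fields": sorted(parse_qs(u.query)),       # event details disclosed
        })
    return findings


def policy_violations(findings):
    """Requests sent outside the organization; expected to be empty
    once the links are turned off or redirected to an internal server."""
    return [f for f in findings if f["external"]]


if __name__ == "__main__":
    for f in policy_violations(find_event_help_requests(SAMPLE_LOG)):
        print(f["time"], f["client"], "->", f["host"], f["fields"])
```

A proxy that does not inspect HTTPS traffic records only the destination host for HTTPS requests, so those requests do not match on the page name and have to be reviewed by destination host instead.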

Additional references

For more information, see the following resources on the Microsoft Web site: