Event Viewer

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)


Benefits and Purposes of Event Viewer

Administrators can use Event Viewer to view and manage event logs. Event logs contain information about hardware and software problems and about security events on your computer. A computer running Microsoft Windows XP Professional with Service Pack 2 (SP2) records events in three kinds of logs: application, system, and security. While Event Viewer is primarily a tool for administrators to manage event logs, users can also view application and system logs on their computer. Only administrators can gain access to security logs.

Overview: Using Event Viewer in a Managed Environment

Users can access event logs for their own computers through Control Panel\Administrative Tools\Event Viewer. The user can obtain detailed information about a particular event by either double-clicking the event or selecting the event and clicking Properties on the Action menu. The dialog box gives a description of the event, which can contain one or more links to Help.

Links can either be to Microsoft servers or to servers managed by the software vendor for the component that generated the event. On Windows XP with SP2, most events that originate from Microsoft products will have standard text containing a URL at the end of the description ("For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp").

When users click the link, they are asked to confirm that the information presented to them can be sent over the Internet. If the user clicks Yes, the information listed will be sent to the Web site named in the link. The parameters in the original URL will be replaced by a standard list of parameters whose contents are detailed in the confirmation dialog box. This list is provided in the next subsection under "Specific Information Sent or Received."

You may want to prevent users from sending this information over the Internet through this link and accessing a Web site. Alternatively, you may want to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization. In Windows XP with SP2, you can do either of these things through Group Policy.

How Event Viewer Communicates with Sites on the Internet

In order to access the relevant Help information provided by the link in the Event Properties dialog box, the user must send the information listed about the event. The collected data is confined to what is needed to retrieve more information about the event from the Microsoft Knowledge Base. User names and e-mail addresses, names of files unrelated to the logged event, computer addresses, and any other forms of personally identifiable information are not collected.

The exchange of information that takes place over the Internet is as follows:

  • Specific information sent or received: Information about the event sent over the Internet includes the following:

    • Company name (software vendor)

    • Date and time

    • Event ID (for example, 1704)

    • File name and version (for example, userenv.dll, 5.1.2600.1106)

    • Product name and version (for example, Microsoft Windows Operating System, 5.1.2600.1106)

    • Registry source (for example, userenv)

    • Type of event message (for example, Error)

    The information the user receives is from the Web site named in the link.

  • Default settings: Access to Event Viewer is enabled by default.

  • Triggers: The user chooses to send information about the event over the Internet in order to obtain more information about the event.

  • User notification: When a user clicks the link, a dialog box listing the information that will be sent is provided.

  • Logging: This is a feature of Event Viewer.

  • Encryption: The information may or may not be encrypted, depending on whether the link uses HTTP or HTTPS.

  • Access: No information is stored.

  • Privacy: In Event Viewer, click Help, click Help Topics, click the Search tab, and type privacy statement.

  • Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL, using either HTTP or HTTPS.

  • Ability to disable: The ability to send information over the Internet or to be linked to a Web site can be prevented through a Group Policy setting.

Controlling Event Viewer to Prevent the Flow of Information to and from the Internet

By configuring Group Policy, you can prevent users from sending information across the Internet and accessing Internet sites through Event Viewer. Alternatively, you can use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.

These Group Policy settings affect only the flow of information to and from an intranet or the Internet through Event Viewer, not the other functions of Event Viewer.

Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer

The following procedure tells how to use Group Policy to prevent users from sending information across the Internet and accessing Internet sites through Event Viewer.

To Use Group Policy to Prevent the Flow of Information to and from the Internet Through Event Viewer

  1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates," for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Event Viewer "Events.asp" links, and then click Enabled.

    Important   You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."

The following procedure tells how to use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.

  1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates," for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Event Viewer.

  3. In the details pane, double-click Events.asp URL, click Enabled, and then type in the URL for the Web page that you want Event Viewer links to go to. Click OK.

  4. In the details pane, double-click Events.asp program, click Enabled, and then type the path for the program that should be used for displaying the URL that you typed in the previous step. If you want the page to be displayed in the Web browser and the Web browser is in the system path, you can type the name of the Web browser executable alone, for example, iexplore.exe.

  5. In the details pane, double-click Events.asp program command line parameters, click Enabled, and then type any command line parameters required for the program you typed in the previous step. If the program you typed in the previous step does not use parameters, clear the text box.

    Note   Even after the preceding settings go into effect, when users click a link in Event Viewer, the user notification still appears, stating that Event Viewer will send information across the Internet and asking for confirmation. Regardless of the user notification, if you carry out the preceding procedure and redirect events to a Web server in your organization, the information goes to that server, not across the Internet.
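
After either procedure is deployed, outbound proxy logs can confirm that the setting took effect on every client. The following is an added example, not part of the original topic: it scans proxy log lines for Event Viewer lookups that still reach go.microsoft.com/fwlink/events.asp, counts lookups that arrive at the internal server, and flags requests sent over HTTP rather than HTTPS. The log format, the sample lines, the query parameter names, and the internal host name eventhelp.corp.example are assumptions made for illustration, and the proxy is assumed to record full URLs.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint quoted in the event description text in this topic.
INTERNET_HOST = "go.microsoft.com"
EVENTS_PATH = "/fwlink/events.asp"
# Assumption: hypothetical intranet server typed into the "Events.asp URL" setting.
INTERNAL_HOST = "eventhelp.corp.example"

# Constructed sample lines: "<timestamp> <client> <method> <url> <status>".
# Query parameter names are placeholders, not the real parameter list.
SAMPLE_LOG = """\
2008-05-06T09:12:01 10.0.4.17 GET http://go.microsoft.com/fwlink/events.asp?id=1704&src=userenv 200
2008-05-06T09:13:40 10.0.4.22 GET https://eventhelp.corp.example/events?id=1704&src=userenv 200
2008-05-06T09:15:02 10.0.4.17 GET https://go.microsoft.com/fwlink/events.asp?id=7036 200
2008-05-06T09:16:11 10.0.4.30 GET http://go.microsoft.com/fwlink/?LinkId=12345 302
not a log line
"""

def classify(url):
    """Return 'internet', 'internal' or None for a requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == INTERNET_HOST and parts.path.lower() == EVENTS_PATH:
        return "internet"
    if host == INTERNAL_HOST:
        return "internal"
    return None

def audit(log_text):
    """Count Event Viewer lookups per client, by destination and cleartext use."""
    report = defaultdict(lambda: {"internet": 0, "internal": 0, "cleartext": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing at fields
        _, client, _, url, _ = fields
        kind = classify(url)
        if kind is None:
            continue  # unrelated traffic, including other fwlink requests
        report[client][kind] += 1
        if urlsplit(url).scheme == "http":
            report[client]["cleartext"] += 1
    return dict(report)

def noncompliant_clients(log_text):
    """Clients that still reached the Internet endpoint (policy not applied)."""
    return sorted(c for c, r in audit(log_text).items() if r["internet"])

if __name__ == "__main__":
    for client, counts in sorted(audit(SAMPLE_LOG).items()):
        print(client, counts)
```

A client listed by noncompliant_clients has not yet received the GPO or is outside its scope; a non-zero cleartext count for the internal server means the redirect URL should be changed to HTTPS.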