Event Viewer and Internet Communication (Windows Server 2003)

  • Article

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Event Viewer

  • How Event Viewer communicates with sites on the Internet

  • How to control Event Viewer to prevent the flow of information to and from the Internet

Benefits and Purposes of Event Viewer

Using Event Viewer, administrators can view and set logging options for event logs in order to gather information about hardware, software, and system problems. By default, a computer running an operating system in the Microsoft Windows Server 2003 family records events in three kinds of logs:

  • Application log: The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. Application developers decide which events to log.

  • Security log: The security log records events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. For example, if logon auditing is enabled, attempts to log on to the system are recorded in the security log.

  • System log: The system log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by the server.

A computer running a Windows Server 2003 family operating system which is configured as a domain controller records events in two additional logs:

  • Directory service log: The directory service log contains events logged by the Windows Active Directory directory service. For example, connection problems between the server and the global catalog are recorded in the directory service log.

  • File Replication service log: The File Replication service log contains events logged by the Windows File Replication service. For example, file replication failures and events that occur while domain controllers are being updated with information about system volume changes are recorded in the file replication log.

A computer running a Windows Server 2003 operating system configured as a Domain Name System (DNS) server records events in an additional log. The DNS server log contains Windows DNS service events.

Other types of events and event logs might be available on a computer, depending on what services are installed.

Overview: Using Event Viewer in a Managed Environment

The Event Log service starts automatically when you start the operating system. Administrators access event logs for a server through Control Panel\Administrative Tools\Event Viewer. They can obtain detailed information about a particular event by either double-clicking the event, or by selecting the event and clicking Properties on the Action menu. The dialog box gives a description of the event, which can contain one or more links to Help.

Links can either be to servers at Microsoft, or to servers managed by the software vendor for the component that generated the event. On products in the Windows Server 2003 family, most events that originate from Microsoft products will have standard text containing a URL at the end of the description ("For more information, see Help and Support Center at go.microsoft.com/fwlink/events.asp").

When you click the link, you are asked to confirm that the information presented can be sent over the Internet. If you click Yes, the information listed will be sent to the Web site named in the link. The parameters in the original URL will be replaced by a standard list of parameters whose contents are detailed in the confirmation dialog box. This list is provided in the next subsection under "Specific information sent or received."

In a highly managed environment, IT administrators might want to prevent users and administrators from sending this information over the Internet through this link and accessing a Web site. In the Windows Server 2003 family, this information flow is governed by a registry key. Administrators can edit this registry key to prevent users and administrators from accessing the Internet through Event Viewer.

How Event Viewer Communicates with Sites on the Internet

In order to access the relevant Help information provided by the link in the Event Properties dialog box, you must send the information listed about the event. The collected data is confined to what is needed to retrieve more information about the event from the Microsoft Knowledge Base. User names and e-mail addresses, names of files unrelated to the logged event, computer addresses, and any other forms of personally identifiable information are not collected.

The exchange of information that takes place over the Internet is described as follows:

  • Specific information sent or received: Information about the event sent over the Internet includes the following:

    • Company name (software vendor)

    • Date and time

    • Event ID (for example, 1704)

    • File name and version (for example, userenv.dll, 5.1.2600.1106)

    • Product name and version (for example, Microsoft Windows Operating System, 5.1.2600.1106)

    • Registry source (for example, userenv)

    • Type of event message (for example, Error)

    The information the user receives is from the Web site named in the link.

  • Default settings: Access to Event Viewer is enabled by default.

  • Triggers: The user chooses to send information about the event over the Internet in order to view Help.

  • User notification: When a user clicks the link, a dialog box listing the information that will be sent is provided.

  • Logging: This is a feature of Event Viewer.

  • Encryption: The information may or may not be encrypted, depending on whether it is an HTTP or HTTPS link.

  • Access: No information is stored.

  • Privacy statement: See the Windows Server 2003 family Help for a privacy statement. (In Help and Support, type Linking to Microsoft for Help and Support.)

  • Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL, either HTTP or HTTPS.

  • Ability to disable: The ability to send information over the Internet or to be linked to a Web site can be prevented by editing the registry.

Controlling Event Viewer to Prevent the Flow of Information to and from the Internet

You can prevent users and administrators from sending information across the Internet and accessing Internet sites through Event Viewer by editing the registry. When you edit the registry as described in the following subsection, clicking Yes as previously described will still start Help, but it will not access the Internet for information specific to the event.

The Windows Server 2003 family computer registry values listed in this subsection are located in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Event Viewer

The following list describes how this registry key controls the flow of information to and from the Internet.

  • MicrosoftRedirectionProgram

    Default value: %SystemRoot%\PCHealth\HelpCtr\Binaries\HelpCtr.exe

    Usage: This program is started with command-line parameters from MicrosoftRedirectionProgramCommandLineParameters

  • MicrosoftRedirectionProgramCommandLineParameters

    Default value: -url hcp://services/centers/support?topic=%s

    Usage: "%s" is replaced with the URL in the link

  • MicrosoftRedirectionURL

    Default value: https://go.microsoft.com/fwlink/events.asp

    Usage: Governs the text of the standard link for Microsoft events

    Note

noteNote
If any of these registry values is missing or empty, the link will be started directly using ShellExecute; deleting these values is not a method for preventing information from reaching the Internet.
</div></td>
</tr>
</tbody>
</table>

Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer

To prevent the flow of information to and from the Internet through Event Viewer you need to edit the registry. You can then apply the registry change to computers in a domain using Group Policy.

Editing the registry

Edit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Event Viewer as follows:

To prevent the user from accessing the Internet when they click the link, delete the final "%s" from the value of MicrosoftRedirectionProgramCommandLineParameters (see the list in the previous subsection). With this change, clicking the link and clicking Yes will still start Help, but it will not access the Internet for information specific to this event.

For more information about the registry, see the Registry Reference for Windows Server 2003 on the Microsoft Windows Server 2003 Deployment Kit companion CD, or on the Windows Server 2003 Web site at:

https://go.microsoft.com/fwlink/?LinkId=428

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

Distributing the registry change using Group Policy

You can distribute this registry change to computers in a domain by configuring a Group Policy object (GPO). You first need to create a template using the Event Viewer snap-in as described in the following procedure.

To enable the Event Viewer Group Policy snap-in

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click User Configuration, click Administrative Templates, and then click Windows Components.

  3. Click Microsoft Management Console and then click Restricted/Permitted snap-ins.

  4. In the details pane under Setting, double-click Event Viewer.

  5. In the Event Viewer Properties dialog box, select Enabled.