How do I find universally valuable info in Event Viewer?

[happycomputers]

Can anyone provide me specific tips on how to specifically filter the following in event viewer:

• User-level applications start/end times. (example: If someone opens calc.exe, the start time from when the application was ran, and when it was closed)

• Windows boot / shut down times.

• User-level Applications "not responding", or being ended abruptly.

These would all be very useful in trying to determine user-habits, and verifying complaints. I'm not totally convinced Event Viewer will show all of those things--but it should! If it doesn't, can anyone recommend a program that can be loaded that WILL monitor and log those things?

Thanks in advance,

p.s.: I searched google for 30 minutes trying to find the answer to this...no substantial help.

 

[Vicenarian]

Not sure if event viewer will log/filter those types of things, but I know process monitor can!

http://technet.microsoft.com/en-us/sysinternals/bb896645

Really great filtering capabilities and logging

 

[TLE]

You can create custom views in windows 7, not sure if vista or XP can though.

http://technet.microsoft.com/en-us/magazine/gg131917.aspx

 

[happycomputers]

You can create custom views in windows 7, not sure if vista or XP can though.

http://technet.microsoft.com/en-us/magazine/gg131917.aspx

I understand you can create custom views, but that doesn't mean you can actually filter based on the criteria I was looking for. I'd be satisfied if I could create a custom view that actually showed the useful info.

 

[TLE]

but that doesn't mean you can actually filter based on the criteria I was looking for.

In windows 7 you can filter an existing log....the option is on the Actions View when you have selected a log such as Applications, System or Security. It uses the same method as the Custom Views.

You need to research the event Id's and such but all the information you need to do this is out there.

 

[FoolishTech]

Can anyone provide me specific tips on how to specifically filter the following in event viewer:

• User-level applications start/end times. (example: If someone opens calc.exe, the start time from when the application was ran, and when it was closed)

The other items can be filtered knowing the events you are looking for. As far as start/end times with applications, most don't report these to Windows, so they won't show up in event viewer! Most apps only report errors, and some don't even do that.

The only thing that gets logged (that I know of) you could scan for with individual apps is events like "application hang" and such.

 

[MobileTechie]

You can get Windows to audit security events including access to files and objects. I would guess that in there somewhere you could use it to monitor the opening of application files. You can certainly do logins etc.

 

[Xander]

Take a look at Sysinternals' PSLogList. I'm using it in one of my scripts to export filtered results to a text file and then parsing that for specifics.