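I created a custom view in Event Viewer. I deleted the custom view from Event Viewer and it disappeared, but when I started Event Viewer again, the custom view was back.
The Windows 10 version is 1803.
The contents of %ProgramData%\Microsoft\Event Viewer\Views\ are: ServerRoles (a directory) and View_0.xml.
View_0.xml contains: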
<?xml version="1.0" encoding="UTF-8"?>
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>System</Channel>
        <EventId>12,13,20,27,42,107</EventId>
        <Source>Microsoft-Windows-Kernel-Boot,Microsoft-Windows-Kernel-Power</Source>
        <RelativeTimeInfo>0</RelativeTimeInfo>
        <BySource>False</BySource>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name LanguageNeutralValue="State">State</Name>
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Boot' or @Name='Microsoft-Windows-Kernel-Power'] and (EventID=12 or EventID=13 or EventID=20 or EventID=27 or EventID=42 or EventID=107)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
  <ResultsConfig>
    <Columns>
      <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
      <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
      <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">150</Column>
      <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">60</Column>
      <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">60</Column>
      <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">60</Column>
      <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
      <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
      <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
      <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
      <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
      <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
      <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
      <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
      <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
      <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
      <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
      <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
      <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
      <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns>
  </ResultsConfig>
</ViewerConfig>
I tried deleting the file, but it did not help. The file was recreated.
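Answer 1
All I did was click on my custom log (selecting it that way) and press "Delete" on the keyboard. Then I clicked "Yes" when the confirmation dialog appeared.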