multiversion Posted February 4, 2018 (edited)

So I have gone through group policy and shut down everything I understand. Completely disabled auto updates via group policy, and disabled all telemetry that can be disabled, consumer experiences, and everything else that can be shut down there. No apps, no Cortana. Disabled unneeded services. Disabled all unneeded scheduled tasks.

Now I am trying to minimize logging. Going through perfmon I find that there are a few logs which I can disable safely without any ill effects. The one that got me was WdiContextLog, as it took some trial and error to figure out that this was the one that caused the start menu to become extremely unresponsive when disabled. There aren't that many logs in here anyway. After disabling a few I have 11 enabled here.

Now I don't completely understand how all this works, but I gather that these logs are pulling data from multiple sources in some cases, so maybe that is why NirSoft's EventLogChannelsView shows 299 event log channels as enabled.

I am actually doing this for a friend just now, but it will apply to my own system when I get home next week as well. My friend initially wanted to just turn off all the logs, and he tried to, and he broke his OS - lots of strange behavior, extremely slow, and unstable. I'm not sure what all he did, but he was smart enough to take a disk image before his attempt.

So I wonder if any of you smart people would not mind helping me to identify which of these 299 channels are essential, which are maybe not essential but might be important, and which are not really needed for someone like me (or my friend) who will never make use of any of them anyway. I really only want those ones running which have to be running for general application compatibility and system stability.

EventLogChannelsView gives lots of options for sorting these. You can see which ones are 'classic' and which ones are new.
I can see that many have zero entries, and a few have lots of entries. I temporarily disabled all of them, and shut down a number of services in order to open a window of opportunity to create a junction and move the winevt directory off the system volume and onto a smaller cheap SSD which is used for vram, scratch disk, indexing, and logging. There was one (Intel-SST-CFD-HDA%4IntelSST.etl) that was very stubborn, but somehow I did manage to gain control of it long enough to create the junction. Then I re-enabled everything just as it was before that operation.

Hope some of you might be willing to offer some deeper insight here. For the list of enabled event channels see the spoiler at the bottom.

As an aside, I am also very curious about NtfsLog in Perfmon. In Windows 10 I seem to recall it writing directly to D:0\$LogFile which is an integral part of the NTFS drive format. This file is presented as if it is essential for the volume to be able to recover failed writes due to unexpected shutdowns or some such. It seems like this is actually of limited use to average users. In general if our system shuts down suddenly, in the middle of writing data, we lose the data. NTFS or no. Other file systems seem to work perfectly fine without this 'feature,' discounting potential data loss if shutdown mid-write. It seems to me like the major benefits of NTFS are mostly not facilitated by this logfile, such as bigger file sizes and advanced permissions.

I digress though. Shouldn't $LogFile be handled by the NTFS driver or something on a very low level, rather than an event log? Maybe my recollection is mistaken. I will have to recheck Windows 10, but I could swear that the event log "NtfsLog" in perfmon startup was writing to D:0\$LogFile in Win 10. Yet right now, I am looking at the very same entry on Server 2016 but it is writing to C:\Windows\system32\LogFiles\Wmi\NtfsLog, which kind of makes more sense. So what is up with NtfsLog?
Microsoft-Windows-Kernel-PnP/Configuration Publisher : Microsoft-Windows-Kernel-PnP Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx ================================================== Channel Name : Microsoft-Windows-Kernel-Power/Thermal-Operational Publisher : Microsoft-Windows-Kernel-Power Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx ================================================== Channel Name : Microsoft-Windows-Kernel-ShimEngine/Operational Publisher : Microsoft-Windows-Kernel-ShimEngine Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Kernel-StoreMgr/Operational Publisher : Microsoft-Windows-Kernel-StoreMgr Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Kernel-WDI/Operational Publisher : Microsoft-Windows-Kernel-WDI Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Kernel-WHEA/Errors Publisher : Microsoft-Windows-Kernel-WHEA Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx ================================================== Channel Name : Microsoft-Windows-Kernel-WHEA/Operational Publisher : Microsoft-Windows-Kernel-WHEA Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Known Folders API Service Publisher : Microsoft-Windows-KnownFolders Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx ================================================== Channel Name : 
Microsoft-Windows-LanguagePackSetup/Operational Publisher : Microsoft-Windows-LanguagePackSetup Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-LiveId/Operational Publisher : Microsoft-Windows-LiveId Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ManagementTools-RegistryProvider/Operational Publisher : Microsoft-Windows-ManagementTools-RegistryProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ManagementTools-RegistryProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ManagementTools-TaskManagerProvider/Operational Publisher : Microsoft-Windows-ManagementTools-TaskManagerProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ManagementTools-TaskManagerProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-MemoryDiagnostics-Results/Debug Publisher : Microsoft-Windows-MemoryDiagnostics-Results Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx ================================================== Channel Name : Microsoft-Windows-MiStreamProvider/Operational Publisher : Microsoft-Windows-MiStreamProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-MiStreamProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational Publisher : Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task%4Operational.evtx ================================================== Channel Name : 
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin Publisher : Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-Mprddm/Operational Publisher : Microsoft-Windows-Mprddm Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Mprddm%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-MsLbfoProvider/Operational Publisher : Microsoft-Windows-MsLbfoEventProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-MsLbfoProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-MUI/Admin Publisher : Microsoft-Windows-MUI Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-MUI/Operational Publisher : Microsoft-Windows-MUI Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-NCSI/Operational Publisher : Microsoft-Windows-NCSI Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-NdisImPlatform/Operational Publisher : Microsoft-Windows-NdisImPlatformEventProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NdisImPlatform%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-NetworkLocationWizard/Operational Publisher : Microsoft-Windows-PrimaryNetworkIcon Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NetworkLocationWizard%4Operational.evtx ================================================== Channel Name : 
Microsoft-Windows-NetworkProfile/Operational Publisher : Microsoft-Windows-NetworkProfile Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-NetworkProvider/Operational Publisher : Microsoft-Windows-NetworkProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NetworkProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-NlaSvc/Operational Publisher : Microsoft-Windows-NlaSvc Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NlaSvc%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Ntfs/Operational Publisher : Microsoft-Windows-Ntfs Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Ntfs/WHC Publisher : Microsoft-Windows-Ntfs Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx ================================================== Channel Name : Microsoft-Windows-NTLM/Operational Publisher : Microsoft-Windows-NTLM Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NTLM%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-OfflineFiles/Operational Publisher : Microsoft-Windows-OfflineFiles Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-OneBackup/Debug Publisher : Microsoft-Windows-OneBackup Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-OneBackup%4Debug.evtx ================================================== Channel Name : Microsoft-Windows-OOBE-Machine-DUI/Operational Publisher : Microsoft-Windows-OOBE-Machine-DUI Full Path : 
C:\Windows\System32\Winevt\Logs\Microsoft-Windows-OOBE-Machine-DUI%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-PackageStateRoaming/Operational Publisher : Microsoft-Windows-PackageStateRoaming Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PackageStateRoaming%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Partition/Diagnostic Publisher : Microsoft-Windows-Partition Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx ================================================== Channel Name : Microsoft-Windows-PerceptionRuntime/Operational Publisher : Microsoft-Windows-PerceptionRuntime Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PerceptionRuntime%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-PerceptionSensorDataService/Operational Publisher : Microsoft-Windows-PerceptionSensorDataService Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PerceptionSensorDataService%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Policy/Operational Publisher : Microsoft-Windows-EQoS Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Policy%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational Publisher : Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-PowerShell/Admin Publisher : Microsoft-Windows-PowerShell Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx 
================================================== Channel Name : Microsoft-Windows-PowerShell/Operational Publisher : Microsoft-Windows-PowerShell Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-PrintBRM/Admin Publisher : Microsoft-Windows-PrintBRM Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PrintBRM%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-PrintService/Admin Publisher : Microsoft-Windows-PrintService Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade Publisher : Microsoft-Windows-Program-Compatibility-Assistant Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx ================================================== Channel Name : Microsoft-Windows-PushNotification-Platform/Admin Publisher : Microsoft-Windows-PushNotifications-Platform Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-PushNotification-Platform/Operational Publisher : Microsoft-Windows-PushNotifications-Platform Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ReadyBoost/Operational Publisher : Microsoft-Windows-ReadyBoost Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ReFS/Operational Publisher : Microsoft-Windows-ReFS Full Path : 
C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ReFS%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Regsvr32/Operational Publisher : Microsoft-Windows-Build-RegDll Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Regsvr32%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-RemoteApp and Desktop Connections/Admin Publisher : Microsoft-Windows-RemoteApp and Desktop Connections Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RemoteApp and Desktop Connections%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-RemoteApp and Desktop Connections/Operational Publisher : Microsoft-Windows-RemoteApp and Desktop Connections Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RemoteApp and Desktop Connections%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin Publisher : Microsoft-Windows-RemoteDesktopServices-RdpCoreTS Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational Publisher : Microsoft-Windows-RemoteDesktopServices-RdpCoreTS Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin Publisher : Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational Publisher : 
Microsoft-Windows-RemoteDesktopServices-SessionServices Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-SessionServices%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Resource-Exhaustion-Detector/Operational Publisher : Microsoft-Windows-Resource-Exhaustion-Detector Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Resource-Exhaustion-Resolver/Operational Publisher : Microsoft-Windows-Resource-Exhaustion-Resolver Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-RestartManager/Operational Publisher : Microsoft-Windows-RestartManager Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ScmBus/Certification Publisher : Microsoft-Windows-ScmBus Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ScmBus%4Certification.evtx ================================================== Channel Name : Microsoft-Windows-ScmDisk0101/Operational Publisher : Microsoft-Windows-ScmDisk0101 Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ScmDisk0101%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SearchUI/Operational Publisher : Microsoft-Windows-UI-Search Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SearchUI%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Security-Audit-Configuration-Client/Operational Publisher : Microsoft-Windows-Security-Audit-Configuration-Client Full Path : 
C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Audit-Configuration-Client%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational Publisher : Microsoft-Windows-Security-EnterpriseData-FileRevocationManager Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-EnterpriseData-FileRevocationManager%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Security-Netlogon/Operational Publisher : Microsoft-Windows-Security-Netlogon Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Netlogon%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational Publisher : Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter Publisher : Microsoft-Windows-Security-SPP-UX-Notifications Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx ================================================== Channel Name : Microsoft-Windows-Security-UserConsentVerifier/Audit Publisher : Microsoft-Windows-Security-UserConsentVerifier Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-UserConsentVerifier%4Audit.evtx ================================================== Channel Name : Microsoft-Windows-ServerEssentials-Deployment/Deploy Publisher : Microsoft-Windows-ServerEssentials-Deployment Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ServerEssentials-Deployment%4Deploy.evtx ================================================== Channel Name : 
Microsoft-Windows-ServerManager-ConfigureSMRemoting/Operational Publisher : Microsoft-Windows-ServerManager-ConfigureSMRemoting Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ServerManager-ConfigureSMRemoting%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ServerManager-DeploymentProvider/Operational Publisher : Microsoft-Windows-ServerManager-DeploymentProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ServerManager-DeploymentProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ServerManager-MgmtProvider/Operational Publisher : Microsoft-Windows-ServerManager-ManagementProvider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ServerManager-MgmtProvider%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-ServerManager-MultiMachine/Admin Publisher : Microsoft-Windows-ServerManager-MultiMachine Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ServerManager-MultiMachine%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-ServerManager-MultiMachine/Operational Publisher : Microsoft-Windows-ServerManager-MultiMachine Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ServerManager-MultiMachine%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SettingSync-Azure/Debug Publisher : Microsoft-Windows-SettingSync-Azure Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SettingSync-Azure%4Debug.evtx ================================================== Channel Name : Microsoft-Windows-SettingSync-Azure/Operational Publisher : Microsoft-Windows-SettingSync-Azure Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SettingSync-Azure%4Operational.evtx ================================================== Channel Name : 
Microsoft-Windows-SettingSync/Debug Publisher : Microsoft-Windows-SettingSync Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx ================================================== Channel Name : Microsoft-Windows-SettingSync/Operational Publisher : Microsoft-Windows-SettingSync Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter Publisher : Microsoft-Windows-Shell-ConnectedAccountState Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx ================================================== Channel Name : Microsoft-Windows-Shell-Core/ActionCenter Publisher : Microsoft-Windows-Shell-Core Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx ================================================== Channel Name : Microsoft-Windows-Shell-Core/AppDefaults Publisher : Microsoft-Windows-Shell-Core Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx ================================================== Channel Name : Microsoft-Windows-Shell-Core/LogonTasksChannel Publisher : Microsoft-Windows-Shell-Core Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx ================================================== Channel Name : Microsoft-Windows-Shell-Core/Operational Publisher : Microsoft-Windows-Shell-Core Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SilProvider/Operational Publisher : Microsoft-Windows-SoftwareInventoryLogging-Provider Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SilProvider%4Operational.evtx ================================================== Channel Name : 
Microsoft-Windows-SmartCard-Audit/Authentication Publisher : Microsoft-Windows-SmartCard-Audit Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SmartCard-Audit%4Authentication.evtx ================================================== Channel Name : Microsoft-Windows-SmartCard-DeviceEnum/Operational Publisher : Microsoft-Windows-SmartCard-DeviceEnum Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SmartCard-DeviceEnum%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin Publisher : Microsoft-Windows-SmartCard-TPM-VCard-Module Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SmartCard-TPM-VCard-Module%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational Publisher : Microsoft-Windows-SmartCard-TPM-VCard-Module Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SmartCard-TPM-VCard-Module%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SmbClient/Connectivity Publisher : Microsoft-Windows-SMBClient Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx ================================================== Channel Name : Microsoft-Windows-SMBClient/Operational Publisher : Microsoft-Windows-SMBClient Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SmbClient/Security Publisher : Microsoft-Windows-SMBClient Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx ================================================== Channel Name : Microsoft-Windows-SMBDirect/Admin Publisher : Microsoft-Windows-SMBDirect Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBDirect%4Admin.evtx 
================================================== Channel Name : Microsoft-Windows-SMBServer/Audit Publisher : Microsoft-Windows-SMBServer Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx ================================================== Channel Name : Microsoft-Windows-SMBServer/Connectivity Publisher : Microsoft-Windows-SMBServer Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx ================================================== Channel Name : Microsoft-Windows-SMBServer/Operational Publisher : Microsoft-Windows-SMBServer Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-SMBServer/Security Publisher : Microsoft-Windows-SMBServer Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx ================================================== Channel Name : Microsoft-Windows-SMBWitnessClient/Admin Publisher : Microsoft-Windows-SMBWitnessClient Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBWitnessClient%4Admin.evtx ================================================== Channel Name : Microsoft-Windows-SMBWitnessClient/Informational Publisher : Microsoft-Windows-SMBWitnessClient Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-SMBWitnessClient%4Informational.evtx ================================================== Channel Name : Microsoft-Windows-StateRepository/Operational Publisher : Microsoft-Windows-StateRepository Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx ================================================== Channel Name : Microsoft-Windows-StateRepository/Restricted Publisher : Microsoft-Windows-StateRepository Full Path : C:\Windows\System32\Winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx ================================================== Channel 
Edited February 4, 2018 by multiversion Fixed spoiler. But how to give code height and scrollbar?
multiversion (Author) Posted February 5, 2018
So maybe you guys can give me some input even if you don't have specific answers for me. Am I asking too much here? Am I crazy to try to tone down the logging? Is it just not worth the effort? Is NirSoft's EventLogChannelsView entirely the wrong tool to tackle this? Am I not being clear enough? Am I just coming off as being too dense and clueless in general, and thus not worth your time? I will make use of and learn from any and all input offered, so even if you can't (for whatever reason), or maybe just don't feel like, answering my specific questions here, I would still appreciate your general thoughts, or any tips you might have.
HarryTri Posted February 6, 2018
On Monday, 5 February 2018 at 12:13 AM, multiversion said:
> D:0\$LogFile which is an integral part of the ntfs drive format.
You obviously refer to the 64 MB NTFS log file which is a part of the NTFS structure, you should let it alone.
jaclaz Posted February 7, 2018
16 hours ago, HarryTri said:
> You obviously refer to the 64 MB NTFS log file which is a part of the NTFS structure, you should let it alone.
Sure, but that has nothing to do with a service (or *whatever*) watching it.
jaclaz
multiversion (Author) Posted February 7, 2018 (edited)
23 hours ago, HarryTri said:
> You obviously refer to the 64 MB NTFS log file which is a part of the NTFS structure, you should let it alone.
That was just an aside, which I was curious about. But my question was not necessarily about $LogFile, on the root of any given ntfs drive. Rather I was asking about the NtfsLog trace session which can be found in perfmon > data collector sets > startup event trace sessions. I had recalled in Win 10 that trace session was writing to the $LogFile on the system drive. I checked it though, and indeed I was mistaken in my recollection. It is writing to C:\Windows\system32\LogFiles\Wmi\NtfsLog on both Win 10 and Server 2016. Strange because I had a distinct memory that it was writing to $LogFile in Win 10, which seemed very strange, so I actually spent some time searching for info about it online. I guess maybe I dreamed that or something, memories from an alternate reality... Anyway, I was more interested in which of the channels shown as enabled in NirSoft's EventLogChannelsView might be safely disabled.
Edited February 7, 2018 by multiversion typo
RanCorX2 Posted February 11, 2018
You can safely disable all event logs, even the standard ones, and stop the service, but then you miss some error descriptions. I disable them all but leave the standard ones active: application, system, setup and security.
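The thread turns on knowing which channels are enabled, how much each one actually records, and what state to return to when a change breaks something. The PowerShell below is an added example, not part of any post in this thread: it uses the built-in Get-WinEvent -ListLog to inventory channels and to report drift from a saved baseline. The function names and the baseline path are assumptions chosen for illustration.

```powershell
# Added example: read-only inventory of event log channels plus a baseline
# comparison. Function names and $baselinePath are illustrative assumptions.

# The four classic logs the reply above leaves enabled.
$StandardLogs = 'Application', 'System', 'Setup', 'Security'

function Get-ChannelInventory {
    # Some channels return errors when listed without elevation; skip those.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled, IsClassicLog, LogType, RecordCount,
                      FileSize, LastWriteTime, LogFilePath
}

function Compare-ChannelBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Index the current state by channel name (hashtable keys ignore case).
    $now = @{}
    foreach ($c in $Current) { $now[$c.LogName] = $c }

    foreach ($b in $Baseline) {
        # Import-Csv yields strings, so normalise both sides before comparing.
        $was = "$($b.IsEnabled)" -eq 'True'
        $cur = $now[$b.LogName]
        $is  = ($null -ne $cur) -and ("$($cur.IsEnabled)" -eq 'True')
        if ($was -ne $is) {
            [pscustomobject]@{
                LogName    = $b.LogName
                WasEnabled = $was
                IsEnabled  = $is
                Standard   = $StandardLogs -contains $b.LogName
            }
        }
    }
}

$inventory = Get-ChannelInventory

# Enabled channels that currently hold no records.
$inventory |
    Where-Object { $_.IsEnabled -and -not $_.RecordCount } |
    Sort-Object LogName |
    Format-Table LogName, LogType, IsClassicLog

# The channels doing most of the writing.
$inventory |
    Where-Object { $_.IsEnabled } |
    Sort-Object RecordCount -Descending |
    Select-Object -First 15 LogName, RecordCount, FileSize, LastWriteTime |
    Format-Table

# First run saves a baseline; later runs report every channel whose enabled
# state has changed since then.
$baselinePath = Join-Path $env:TEMP 'eventlog-channel-baseline.csv'
if (-not (Test-Path $baselinePath)) {
    $inventory | Export-Csv -Path $baselinePath -NoTypeInformation
} else {
    Compare-ChannelBaseline -Baseline (Import-Csv $baselinePath) -Current $inventory |
        Sort-Object LogName |
        Format-Table
}
```

Run it from an elevated prompt so that channels such as Security are included; a row with WasEnabled True and IsEnabled False marks a channel that has been switched off since the baseline was taken.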