Introduction
Windows Event Providers are part of the Windows Event Log services. An event provider is usually registered with the event logging and tracing service so that it can publish application-specific events to the event log.
Each event provider contains the metadata required to interpret these events and to display them as readable strings.
To list all providers in the system, you may use the logman utility like this:
C:\>logman query providers

Provider                                 GUID
-----------------------------------------------------------------------------
.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
ACPI Driver Trace Provider               {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM    {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client        {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon               {F33959B4-DBEC-11D2-895B-00C04F79AB69}
ADODB.1                                  {04C8A86F-3369-12F8-4769-24E484A9E725}
ADOMD.1                                  {7EA56435-3F2F-3F63-A829-F0B35B5CAD41}
Application Popup                        {47BFA2B7-BD54-4FAC-B70B-29021084CA8F}
…
Each provider, in turn, has metadata containing fields such as keywords, levels, tasks, opcodes and a message template. The MSDN article entitled “Getting Provider’s metadata” describes how to use the Windows Events APIs to enumerate a provider’s metadata programmatically.
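The metadata fields listed above can also be read from PowerShell with the built-in Get-WinEvent cmdlet. The following is an added example, not code from WEPExplorer or from the MSDN article; the function name Get-ProviderMetadataSummary and the provider name in the usage comment are assumptions chosen for illustration.

```powershell
# Added example (not WEPExplorer code). Get-ProviderMetadataSummary is a
# hypothetical helper name; Get-WinEvent -ListProvider is the built-in cmdlet.
function Get-ProviderMetadataSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ProviderName   # exact provider name as registered on the system
    )

    try {
        # Returns ProviderMetadata objects; fails if the name is unknown.
        $providers = @(Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop)
    }
    catch {
        Write-Warning "No readable provider matches '$ProviderName': $($_.Exception.Message)"
        return
    }

    foreach ($meta in $providers) {
        try {
            [pscustomobject]@{
                Name     = $meta.Name
                Guid     = $meta.Id
                Logs     = @($meta.LogLinks | ForEach-Object { $_.LogName })
                # Keywords are bit masks, so show them in hex next to their names.
                Keywords = @($meta.Keywords | ForEach-Object { '0x{0:X16} {1}' -f $_.Value, $_.Name })
                Levels   = @($meta.Levels   | ForEach-Object { '{0} {1}' -f $_.Value, $_.Name })
                Tasks    = @($meta.Tasks    | ForEach-Object { '{0} {1}' -f $_.Value, $_.Name })
                Opcodes  = @($meta.Opcodes  | ForEach-Object { '{0} {1}' -f $_.Value, $_.Name })
                Events   = @($meta.Events   | ForEach-Object {
                    [pscustomobject]@{
                        Id       = $_.Id
                        Version  = $_.Version
                        Level    = $_.Level.DisplayName
                        Message  = $_.Description   # message string with %1, %2 placeholders
                        Template = $_.Template      # XML describing the event's data fields
                    }
                })
            }
        }
        catch {
            # Some providers register metadata that cannot be fully loaded.
            Write-Warning "Incomplete metadata for '$($meta.Name)': $($_.Exception.Message)"
        }
    }
}

# Usage: list event IDs and message strings for one provider.
# (Get-ProviderMetadataSummary 'Microsoft-Windows-Security-Auditing').Events | Format-Table Id, Version, Message
```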
Enter WEPExplorer
The Windows Events Provider Explorer, or WEPExplorer for short, is a graphical utility that helps you explore all the providers on the system along with their metadata.
Usage
First, download the binaries from here, or just clone the repository and compile the sources yourself.
If you get the binaries, make sure you unpack the contents into a writable folder. After unpacking, run the “Explore.exe” utility.
After it runs, it will create a sub-folder called “Providers” that will contain a bunch of XML files. The “All.xml” file contains the list of all the providers; the remaining “*.xml” files are generated on demand, and each contains one provider’s metadata.
Type a provider name to search for it, or leave that field empty to list all providers.
After you find a provider of interest, double-click or press ENTER on it so its metadata is populated in the “Provider metadata” panel.
You may use the “Providers filter” panel to specify metadata filters. After selecting (or clearing) the filter, press the “Apply” button.
Finally, in the “Providers metadata” panel, you can explore all the properties of a provider and additionally, you may right-click to get a contextual menu with useful actions:
Most notably, the “Information” menu, which is also triggered with the “Ctrl+I” hotkey, shows you the provider’s metadata template: