Thursday, June 5, 2014

Computer on/off event viewer filter

Sometimes I want to track when I turned my computer on or off, including when it went to sleep or woke back up again. To do that, I have created a custom view in Event Viewer on my Windows 8 system (it should be the same for all systems from Vista onward, I assume). Go to Custom Views and click on "Filter current custom...". Switch to the XML tab and check "Edit query manually" in the lower part. Now, paste the following in there:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System
          [Provider
              [@Name='Microsoft-Windows-Kernel-Power'
              or @Name='Microsoft-Windows-Power-Troubleshooter'
              ]
              and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]
          ]
      ]
      or
      *[System
          [Provider
              [@Name='Microsoft-Windows-Kernel-General']
              and ( (EventID &gt;= 12 and EventID &lt;= 13) )
              and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]
          ]
      ]
    </Select>
  </Query>
</QueryList>

Basically, it is the equivalent of this, but only showing event 12 (switch off) and 13 (switch on) for the Kernel General source:




Please remember to "Save filter to custom view" if you want quick access to it later.
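
The same structured query can be run outside Event Viewer with `Get-WinEvent -FilterXml`, which is handy for pulling a power timeline into a script or report. This is an added example, not part of the original post; the `$Days` parameter and the `Source` and `Summary` column names are assumptions chosen for illustration.

```powershell
# Added example, not from the original post.
# $Days and the output column names are assumptions for illustration.
param([int]$Days = 30)

# timediff() works in milliseconds; the post's 2592000000 is 30 days.
$windowMs = [int64]([TimeSpan]::FromDays($Days).TotalMilliseconds)

# Same query as the custom view, with the window made configurable.
# -FilterXml parses this as XML, so the comparison operators must stay
# entity-escaped (&lt; and &gt;) exactly as in the Event Viewer XML tab.
$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[
          Provider[@Name='Microsoft-Windows-Kernel-Power'
                or @Name='Microsoft-Windows-Power-Troubleshooter']
          and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]
      ]]
      or
      *[System[
          Provider[@Name='Microsoft-Windows-Kernel-General']
          and (EventID &gt;= 12 and EventID &lt;= 13)
          and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]
      ]]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises an error when no event matches; treat that as an
# empty result instead of a failure.
$events = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No power events found in the last $Days day(s)."
    return
}

# Oldest first, one line per event, showing the first line of the message
# exactly as the provider logged it.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated,
        @{ Name = 'Source';  Expression = { $_.ProviderName -replace '^Microsoft-Windows-', '' } },
        Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```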