Detailed Usage of the Event Viewer /AUXSOURCE Switch Option
For more information, see Help and Support Center at http://support.microsoft.com.
This article describes:
- The default function of Event Viewer.
- How /auxsource works.
- How to use /auxsource.
- The syntax for /auxsource.
- Who can use /auxsource.
- Caveats for using /auxsource.
The Default Function of Event ViewerWhen you open a saved event log in Event Viewer, you have to select the type of event log to use: Application, Security, System, and so forth. The list of event log types is read from the computer that is hosting the .evt file and that is on a network share. This list is combined with the list of event log types that are on the computer that is running Event Viewer.
If the saved event log is either on a remote computer for which you are not a member of the Administrator group, or on a remote computer on which Remote Registry Service is not running, Event Viewer cannot retrieve information about the log types that are supported by the remote computer; therefore, you cannot retrieve event descriptions or categories if the actual type of the log is not included in this list, such as File Replication service (FRS), DNS, and Active Directory.
Even if the correct log type is included in this list, some events may have been generated by components that were installed only on the computer that generated the saved event log and not on the local computer or on the computer that is hosting the .evt file. In this case, descriptions and categories may be available for some events in the log but not for others.
How /AUXSOURCE WorksYou can only use the /auxsource switch if you are running Event Viewer on a Windows XP Professional or Windows XP Server-based computer. You can also use this switch to read Microsoft Windows 2000 event logs, but only from a Microsoft Windows XP-based computer.
With the /auxsource switch, you can view saved event logs (.evt files) on a problematic computer. You can work with these logs locally or you can help a customer over the phone; however, refer to the "Caveats" section in this article to see the requirements for helping a customer with these logs.
The key to these messages is that the missing information is imbedded in the components to which the messages are related. For example, if an error message such as the one in the "Summary" section in this article is logged in Event Viewer and it references Microsoft SQL Server or Windows Clustering (or any other component or application), the information is not displayed because the message information is stored in the corresponding component or application. To view the information, you have to look at the event logs on that computer. With /auxsource, you can view the missing information even though you are not logged on to the computer that is experiencing the problem.
How to Use /AUXSOURCETo use /auxsource, use the following methods:
- Start Event Viewer with the /auxsource, and then point it to the problematic computer over a network connection.
- Start Event Viewer with the /auxsource, and then point it to a reference server.
A reference server is a computer that contains all of the software and the operating system components that the problematic computer contains. It is an image of the customer's computer, or (at least) a computer that is running the components for which you want to view the output. The reference server can also be the computer on which you view the logs, such as the local workstation; however, the local workstation must be running all of the same components as the problematic computer. In the case of a clustered computer with server software, this may not be possible unless you want to create a single-node cluster apart from your workstation.
/AUXSOURCE Syntax (Usage)Use the following syntax for the /auxsource switch
- IP address
- Fully qualified domain name (FQDN)
- NetBIOS name
Requirements for /AUXSOURCE UsersTo use /auxsource, you must be able to access the registry as an administrator on the server that is specified in the /auxsource=server syntax. If you are not logged on as an administrator on that server, you can either run Event Viewer by using the runas command or you can establish a connection to the IPC$ share of the /auxsource=computer syntax by using the following command-line syntax:
The inability to establish the necessary security rights that are needed on the computer in the /auxsource=computer syntax is silent, which means that no errors are displayed; however, this becomes evident when you do not see the advanced log types in the Open log file dialog box. In place of the IPC$ connection, you can create matching user names and passwords in the domain of the server in /auxsource=server.
Self Logging Applications and DNS, FRS, and Active DirectoryWhen you are viewing logs for DNS, FRS, and Active Directory, Event Viewer must be running on a domain controller. You cannot use the /auxsource switch from a workstation or from a member server to view the log details.
The same caveat applies to programs such as Microsoft Exchange, which maintain their own logs and (or) write their logs to the System log or Application log; you have to be logged on to a computer with that type of software installed.
Windows 2000You cannot use this switch to view log details when you are logged on to a Windows 2000-based computer; however, you can use the switch from a Windows XP-based computer to view the information in a log output from a Windows 2000-based computer. If you place the Windows XP file Els.dll, which enables the switch, on a Windows 2000-based computer, you receive the following error message:
Article ID: 312216 - Last Review: 12/03/2007 05:07:27 - Revision: 6.4
- kbenv kbinfo KB312216