Event Viewer channels?

I

intelfx

New Member
Hi,

What exactly are the "Event Viewer channels" that can be configured on the Settings tab of NTLite? What am I gaining/losing by disabling them and what am I risking (in terms of lost functionality) by doing so? Or, to put it another way: why exactly I should not just disable all of them, or vice versa?
 
Event Viewer channels are different classes of log providers which can be enabled or disabled. Some providers are included in Windows, and others can be registered when you install new software. The problem isn't so much how many providers are active, but more the volume and rate that logging events are created.

Event logs are processed as a priority task, and can subtract from overall performance if there's too much activity to be tracked. Sometimes you will notice latency spikes when the event logger gets backlogged. For performance tuning, some users will disable multiple channels to prevent this from happening.

The major problem is some channels are required by some Windows for normal operation. Disabling the channels can break something, or prevent new software from being installed (because it references a specific logger). Windows reporting tools also use the event logs, and other tools wait for specific events before taking action (like crash reporting).

Generally you should avoid tweaking this unless you're following someone's tuning guide. It's easy to break something, and have no clue why it's broken. Also when you're troubleshooting a software problem, having all available event logs is essential. Many channels are not really important in the long run, but it's hard to say which channels unless you know what software will be running.
 
garlin said:
Event Viewer channels are different classes of log providers which can be enabled or disabled. Some providers are included in Windows, and others can be registered when you install new software. The problem isn't so much how many providers are active, but more the volume and rate that logging events are created.

Event logs are processed as a priority task, and can subtract from overall performance if there's too much activity to be tracked. Sometimes you will notice latency spikes when the event logger gets backlogged. For performance tuning, some users will disable multiple channels to prevent this from happening.

The major problem is some channels are required by some Windows for normal operation. Disabling the channels can break something, or prevent new software from being installed (because it references a specific logger). Windows reporting tools also use the event logs, and other tools wait for specific events before taking action (like crash reporting).

Generally you should avoid tweaking this unless you're following someone's tuning guide. It's easy to break something, and have no clue why it's broken. Also when you're troubleshooting a software problem, having all available event logs is essential. Many channels are not really important in the long run, but it's hard to say which channels unless you know what software will be running.
Click to expand...
intelfx said:
Hi,

What exactly are the "Event Viewer channels" that can be configured on the Settings tab of NTLite? What am I gaining/losing by disabling them and what am I risking (in terms of lost functionality) by doing so? Or, to put it another way: why exactly I should not just disable all of them, or vice versa?
Click to expand...
I have gone extensively though my channels and found that you do need a few to continue to run windows and install/run programs without issues.

However this is just with my computer and others systems may not like what I have done. How I did it was going through them and taking time to see what breaks and what doesn't. Took some time but after awhile got it nailed down.
 
For experienced users, it's workable. But you kinda have to really understand how Windows works. Just picking channels because "they don't sound very useful or interesting" isn't the right way to start. That's why using a guide is a better way than random guessing.
 
garlin said:
For experienced users, it's workable. But you kinda have to really understand how Windows works. Just picking channels because "they don't sound very useful or interesting" isn't the right way to start. That's why using a guide is a better way than random guessing.
Click to expand...
Yeah, I'm not experienced in Windows' inner workings by any means. Actually, my goal here is still the same: to forward-port MT's preset to LTSC 2021.

Any guides you would advise me to follow?
 
I don't have any problem disabling all event viewer channels. The only side effect I noticed was that Windows does not try to activate when connecting to a network, there is a specific channel for that (Microsoft-Windows-NetworkProfile/Operational), but for me it is not a problem because by going to Settings > Update & Security > Activation the Windows will activate if it isn't already.

Even disabling Windows Event Log service after installing Windows I have no major problems, just some scheduled tasks cannot be disabled after that and possibly those that depend on Event Channels should not work properly either. But reports say that some programs need this service.

Some scheduled tasks use Event Channels, like the one responsible for trying to activate Windows when changing networks.

1686520220006.png

1686520275407.png

Interestingly, after activating Windows, this scheduled task is automatically disabled along with SvcRestartTaskLogon, leaving only SvcRestartTask enabled.
 
No one's working on MT_'s preset, he retired from our site. You might want to adapt GamerOS preset, simply because it gets more user traffic and active feedback.

If you want to incorporate his last logging tweaks, open your current preset in Notepad and replace the matching XML blocks under <Settings> with his XML block. Make sure you substitute the two TweakGroups correctly!
 

Attachments

  • LTSC v1.0.5c.xml
    20.9 KB
I forgot about the topic below, I had no problem with DirectX but it could be that I disabled the channels after installing this. I will test again.

Event Viewer channels

I watched the presets (I have attached them) of the members and I was interested in the settings of the Event Viewer channels. If I disable everything in Event Viewer channels (as in attached presets), I have schtasks.exe errors, and I cant install DirectX. What can cause these errors?
www.ntlite.com www.ntlite.com
 
I have tweaked the channels a little on my own system's but as has been said, tread very cautiously. Windows logs an awful lot by default, its akin to debug logging on linux, but sadly if you just turn it all off expect things to misbehave, and one day you might be grateful for those logs been present.

Some things which are a nuisance e.g. windows logs every time the time has successfully been updated, I sync every 15 mins to a ntp service, and that generates a lot of logging.

If you not sure keep it at default.

The problem I have with following others guides, like minimal services guides etc. is these people must be just using their system for one thing only as often these guides break various functions, I have seen the effect on running thread and handles of course, but how functional is the system. ntlite with its compatibility locks is a great idea as an example preventing people breaking something they need.
 
My "minimal services" are not a guide, they are what i use on a bareboned tweaked to hell and back airgapped machine and are for information purposes only so users can see what an os is capable of. Of course using them as is will break stuff but it depends on users needs and they still leave my machine extremely usable, i dont need all the glitz and schmitz of the modern windows operating system(abominations), the only online stuff i need is emails web browsing and cat/bat/elephant videos which debian 12 live can easily cope with.

Hellcow does guides, Txmmy does gaming presets, i share my stuff/findings.
 
Last edited:
Yeah I never meant to say the sharing is not appreciated, was more to say I dont just blindly copy and paste and think its good to go. The data that was posted with the impact on the resource usage was certainly appreciated.

Interesting observation though, I noticed that Microsoft-Windows-TerminalServices-RDPClient\Operational doesnt seem to be a visible adjustment in the latest version of ntlite? Can anyone else please check to see if they see it? Searching for RDPClient in the filter box is blank.
 
Last edited:
You must log in or register to reply here.
Back
Top