Modern Windows Event Viewer – EventLogExpert

The project Windows Event Viewer – EventLogExpert provides a modern open-source toolset that fundamentally improves the way we interact with Windows Event Logs. Since troubleshooting .evtx files is often a tedious process, I was looking for an alternative and found this project on GitHub.

Read my overview of why I think this tool belongs in the toolkit of every IT Architect and Administrator.

Who Maintains the Project?

The project is officially hosted under the Microsoft organization on GitHub. It is an open-source tool released under the MIT License. It is maintained by a dedicated group within Microsoft who develop the tool in their spare time to support the community and IT administration efforts.

The project is driven by experts who possess deep knowledge of Windows internals. Key contributors include:

  • Bill Long – A well-known name in the Microsoft ecosystem who has significantly contributed to the tool’s architecture.
  • Jason Schick – A Software Engineer at Microsoft who is currently one of the most active maintainers. He handles many of the recent updates, bug fixes, and feature implementations.
  • Maheshi Weerasinghe – Another Microsoft engineer who contributes to the ongoing development and issue management within the repository.
  • Other Microsoft Staff – The tool is strengthened by feedback and code contributions from Support Engineers and Field Engineers.

Comparison: EventLogExpert vs. Classic Event Viewer

The following list highlights the most significant differences between the Windows standard and this modern alternative.

  • Classic Event Viewer often freezes when handling large logs, while EventLogExpert remains extremely fast and uses parallel loading for efficiency.
  • Instead of viewing logs separately, EventLogExpert offers an Interleaved Combined View that merges multiple files into one chronological timeline.
  • You no longer have to click every single event to see what happened because the description preview is integrated directly into the main table.
  • Filtering is much more powerful, allowing for complex LINQ expressions rather than being stuck with basic XML or static dropdowns.
  • EventLogExpert uses its own provider databases, which means you can read logs for specialized services like SQL or Exchange on any machine without installing those applications.

Benefits Compared to Native Windows Event Viewer

The primary advantage lies in efficiency. While the native Event Viewer has remained virtually unchanged for decades, EventLogExpert utilizes modern technologies (.NET 8/10) to handle the massive log volumes common today. Specifically, the ability to view logs from different servers in a single, combined timeline saves a massive amount of time when correlating errors. Furthermore, you can create “Provider Databases,” meaning you can analyze Exchange or SQL logs on your local laptop without having the corresponding server software installed there.

Modern Windows Event Viewer – EventLogExpert Interleaved Mode

Comparison with Other Third-Party Tools

There are many tools on the market, such as the classic “Event Log Explorer” or forensic suites like Belkasoft. However, many of these tools are paid or intended for specific niches like forensics. EventLogExpert positions itself as a lean, high-performance, and free alternative optimized specifically for daily IT operations and support. Unlike complex log management systems like Graylog or ELK stacks, EventLogExpert requires no server infrastructure. It is a perfect modern replacement of the classic version for me.

Project Context and Sources

EventLogExpert can be found on GitHub at microsoft/EventLogExpert. The documentation is integrated directly into the repository and provides detailed instructions for filtering and setup. The tool is provided as an MSIX package, making installation on modern Windows systems (Windows 10/11 and Server 2019/2022/2025) very simple.

Installation of our Windows Event Viewer – EventLogExpert

Getting started with EventLogExpert is straightforward because it is distributed as a modern Windows app package. You can find the latest releases on the GitHub repository under the releases section.

As always I am using winget to install it. This will make sure the dependencies and requirements are resolved automatically.

winget install -e --id Microsoft.EventLogExpert

Troubleshooting: Resolving Startup Crashes

Even with modern tools, you might encounter a “silent crash” where the application opens and immediately closes. During my testing, I found that this is often tied to version mismatches or missing runtimes.

If the application opens and then silently crashes, try these three commands and then reboot:

Add-AppxPackage -Register -Path 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\appxmanifest.xml' -DisableDevelopmentMode
Add-AppxPackage -Register -Path 'C:\Windows\SystemApps\Microsoft.UI.Xaml.CBS_8wekyb3d8bbwe\appxmanifest.xml' -DisableDevelopmentMode
Add-AppxPackage -Register -Path 'C:\Windows\SystemApps\MicrosoftWindows.Client.Core_cw5n1h2txyewy\appxmanifest.xml' -DisableDevelopmentMode

If the debug log located at “%AppData%\Local\Packages\eventlogexpert_8wekyb3d8bbwe\LocalState\debug.log” shows a MoAppCrash in combase.dll, check whether you are running an outdated version. The internal update check can sometimes stall the UI. Manually updating to the latest release (e.g., v26.3.5.912) usually resolves this. Go directly to the GitHub Releases page and download the MSIX.

If an update fails, navigating to “%LocalAppData%\Packages\EventLogExpert_8wekyb3d8bbwe\LocalState” and clearing the files can give the app a fresh start.

Important: For Windows Server 2019 or 2022, note that auto-updates may not work. You might need to manually install the Microsoft.WindowsAppRuntime MSIX first, which is usually provided alongside the main app in the GitHub release assets.
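
Before re-registering packages or clearing LocalState, it helps to record what is actually installed and what the debug log contains. The following read-only check is an added example, not part of the EventLogExpert project; the function name is hypothetical, and it assumes the %LocalAppData% form of the LocalState path and the crash markers named above.

```powershell
# Added example: read-only checks, nothing is re-registered or deleted.
function Get-EventLogExpertHealth {
    [CmdletBinding()]
    param(
        # LocalState folder as given in the article (assumed default location)
        [string]$LocalState = (Join-Path $env:LOCALAPPDATA 'Packages\EventLogExpert_8wekyb3d8bbwe\LocalState')
    )

    # App package registered for the current user; @() keeps the result an array
    $app = @(Get-AppxPackage -Name '*EventLogExpert*')

    # Windows App Runtime framework packages that may need a manual install on servers
    $runtime = @(Get-AppxPackage -Name 'Microsoft.WindowsAppRuntime*')

    # Crash markers named in the article, searched in debug.log if the file exists
    $log  = Join-Path $LocalState 'debug.log'
    $hits = @()
    if (Test-Path -LiteralPath $log) {
        $hits = @(Select-String -LiteralPath $log -Pattern 'MoAppCrash', 'combase\.dll' |
                  Select-Object -Last 5 |
                  ForEach-Object { $_.Line.Trim() })
    }

    [pscustomobject]@{
        AppInstalled    = $app.Count -gt 0
        AppVersions     = @($app | ForEach-Object { $_.Version })
        RuntimePresent  = $runtime.Count -gt 0
        RuntimeVersions = @($runtime | ForEach-Object { $_.Version } | Sort-Object -Unique)
        DebugLogFound   = Test-Path -LiteralPath $log
        CrashLines      = $hits
    }
}

Get-EventLogExpertHealth | Format-List
```

An empty RuntimeVersions list on Windows Server 2019 or 2022 points to the missing Windows App Runtime rather than to the app itself.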

Configuration of the Windows Event Viewer – EventLogExpert

Once installed, the power of EventLogExpert lies in how you set up your environment to handle logs from various sources. For me it is the perfect Modern Windows Event Viewer.

  • The application allows you to define specialized provider databases. This is a crucial step if you intend to analyze logs from SQL Server, Exchange, or Active Directory on a machine that does not have these roles installed.
  • You can manage these databases in the settings menu to ensure that event IDs are resolved into human-readable text correctly.
  • Adjust the UI settings to your preference, such as switching between light and dark modes or configuring the default time zone for log correlation.
  • Set up your filter templates early on. If you frequently look for specific Event IDs like 4624 (Successful Logon) or 4625 (Failed Logon), saving these as persistent filters will save you significant time during future incidents.

How to use the Windows Event Viewer – EventLogExpert

The daily workflow with EventLogExpert is significantly different from the old MMC snap-in, primarily due to how it handles data streams.

You start by opening one or multiple .evtx files. The tool loads these in parallel, which is noticeably faster than the native viewer when dealing with files over 100MB.

Use the Interleaved View to see events from multiple servers or log channels in a single chronological stream. This is perfect for tracking a service request as it moves through different layers of your infrastructure.

The filter bar at the top supports advanced logic. You can quickly toggle filters on and off to drill down into specific time frames or severity levels without waiting for the entire view to refresh.

If you find a specific pattern of interest, you can use the highlight feature to mark events, making it easier to maintain your place while scrolling through thousands of entries.

For documentation or sharing with your team, you can export the filtered views or specific events into formats that are easier to digest in a report or a ticket.
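
When the same merged timeline is needed in a ticket, or you want to cross-check what the combined view shows, the merge can be reproduced with the built-in Get-WinEvent cmdlet. This is an added example, not code from the EventLogExpert project; the function name and the file names in the usage comment are hypothetical, and the default IDs are the 4624/4625 pair mentioned in the configuration section.

```powershell
# Added example: scripted counterpart to the interleaved view, for tickets and reports.
function Get-InterleavedEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,   # exported .evtx files
        [int[]]$Id = @(4624, 4625)               # successful / failed logon
    )

    $rows = foreach ($file in $Path) {
        try {
            $events = Get-WinEvent -FilterHashtable @{ Path = $file; Id = $Id } -ErrorAction Stop
        } catch {
            # A file without matching events raises an error; skip it, rethrow anything else
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            throw
        }
        foreach ($e in $events) {
            # Message is empty when the provider's message files are missing on this machine
            $summary = if ($e.Message) { ($e.Message -split "`r?`n")[0] }
                       else { '(provider text not available)' }
            [pscustomobject]@{
                TimeUtc    = $e.TimeCreated.ToUniversalTime()   # normalise for correlation
                Computer   = $e.MachineName
                Id         = $e.Id
                SourceFile = Split-Path -Path $file -Leaf
                Summary    = $summary
            }
        }
    }

    # One chronological stream across all files
    if ($rows) { $rows | Sort-Object -Property TimeUtc }
}

# Hypothetical file names; replace with your own exports
# Get-InterleavedEvents -Path .\dc01-security.evtx, .\fs01-security.evtx |
#     Export-Csv -Path .\logons.csv -NoTypeInformation
```

Rows showing "(provider text not available)" mark events whose provider is not installed locally, which is the gap the provider databases described above are meant to close.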

Conclusion on Windows Event Viewer – EventLogExpert

Troubleshooting in hybrid environments often requires sifting through logs from different systems simultaneously. A tool that values the past (classic event logging) but provides a modern, high-performance interface fits perfectly with my approach: preserving what works while implementing it in a better, more efficient way. EventLogExpert is exactly that bridge for daily IT operations.

This is a perfect addition to my modern tail tools. If you need a modern tail tool with a GUI please check my blog here.

In case you need to learn more about Event Viewer standards please check here for fundamentals and here for details around Event Viewer and LAPS.

If you have any questions on Windows Event Viewer – EventLogExpert please don’t hesitate to reach out to me on LinkedIn, Bluesky or check my newly created Adaptive Cloud community on Reddit.

LinkedIn: https://www.linkedin.com/in/andreas-hartig/

Bluesky: https://bsky.app/profile/hartiga.de

Adaptive Cloud community on Reddit: https://www.reddit.com/r/AdaptiveCloud/

Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure
