microsoft/EventLogExpert v26.6.22.1219

v26.6.22.1219

Repository: microsoft/EventLogExpert

Tag: v26.6.22.1219

Published: 2026-06-22T20:41:48Z

Prerelease: yes

Release notes: All changes since the last stable release (v26.3.5.912).

Highlights

• Native Arm64 support with a single self-contained installer — EventLogExpert now ships as one multi-architecture .msixbundle that runs natively on both x64 and Arm64 (Windows installs the matching build automatically), and it carries its Windows App Runtime inside the package, so there's no separate runtime to install on a clean machine. Existing installs update to it in place.
• Redesigned event table — the log table was rebuilt around a render-isolated store with filtering moved off the UI thread, so large logs scroll, filter, and update more smoothly, with per-tab groups for multiple open logs.
• Logs load newest-first — opening a log reads the newest events first and paints the first screenful immediately, so recent events are on screen right away instead of after a full load.
• Export filtered events to CSV or JSON — export the current filtered event view from the menu. The export respects your active filters and the visible columns in their current order (including the always-on Description column), streams to disk with bounded memory, and shows a cancelable progress banner followed by an Export complete notification with the row count and path. Timestamps use a sortable yyyy-MM-dd HH:mm:ss format, and CSV values are neutralized against formula injection.
• Scenario dashboard when no log is open — closing every log (or starting fresh) now shows an empty-state dashboard that browses the built-in scenarios in a master-detail layout, lets you star favorites for quick access, and offers one-click Launch plus quick-launch buttons for the live Application / System / Security logs or opening a file or folder.
• Built-in scenario picker — apply curated, ready-made filter sets from a new Apply Scenario control in the filter pane. Choose from 217 triage scenarios across 20 groups (system health, security, networking, server roles, common Microsoft products, and more); the list is automatically narrowed to scenarios that match the logs you have open, across both live channels and opened .evtx files. Apply layers a scenario on top of your current filters; Replace swaps them out. Scenarios can color-code their filter rows for at-a-glance multi-filter triage and timelines, and a new date-range quick-pick (last 7 days through 2 years) fills the After/Before fields in UTC.
• Group the event table inline — group by any column except Description (for example Activity ID, Source, or Level) so related events fold under collapsible header rows that show the value and event count. The table becomes a keyboard-navigable tree grid, groups can be sorted independently of the per-event sort, and Select Group (and Ctrl+A) reach events even inside collapsed groups.
• Filter Library — save, organize, and reuse filter sets from a new Filter Library (the bookmarks icon in the filter pane). Browse Saved, Favorites, and Previously Used filters, organize them with tags, rename and favorite entries, and import/export your library as JSON. Apply adds a saved set on top of your current filters; Replace current filters swaps them out. Your existing favorite and saved filters are migrated automatically.
• Open from File Explorer — right-click one or more .evtx files, a folder, or the empty space inside a folder and choose "Open with EventLogExpert". Double-clicking a .evtx still opens it, and selecting several files opens them together in a single window.
• Run Database Tools operations elevated on demand — Create Database and Show Providers can elevate a single operation via a "Run Elevated" button (one UAC prompt) instead of requiring you to run the whole app as administrator. The main app stays open while an elevated helper does the work.
• Database Tools UI is now available from the Tools menu, giving Create/Diff/Merge/Show/Upgrade provider-database operations an in-app tabbed workflow with live logs, safer file picking, and elevation awareness.
• Provider database management moved into Database Tools — a new Manage tab centralizes status, enable/disable, upgrade, restore-from-backup, classification retry, and removal. Changes are staged and applied explicitly so accidental database edits are less likely, and an opt-in selection mode unlocks bulk upgrade and bulk remove with per-row progress.
• Light mode is now available, with an option to follow your Windows theme. The title bar follows it too.
• Reorder event table columns by drag-and-drop. Column widths and order are remembered across sessions.
• International Windows support — events on non-English Windows installs (and exported .evtx files that include a LocaleMetaData folder) now resolve to readable text instead of falling back to placeholders.
• Better text for "no provider" events — when an event has no provider metadata, the app now shows the event's data and a meaningful success/error message instead of placeholders. Channel-only providers resolve correctly, and older events that share IDs are now disambiguated.
• Provider database recovery — imported databases are checked when they load, with clear status indicators in the Manage tab. Old (V3) databases automatically upgrade to the new V4 format; empty or unrecognized files are set aside instead of breaking event resolution. If an upgrade is interrupted, a recovery dialog walks you through finishing it. Newly imported databases stay disabled until you turn them on.
• In-app banners are smoother and smarter — upgrade, recovery, crash, and database-attention banners coordinate with modals more cleanly, swap with less flicker, route database actions directly to the Database Tools modal, and handle priority changes predictably instead of bouncing back to stale selections. "No events found" alerts are still grouped together when you open several logs at once.
• Filter overhaul — filters re-evaluate only when they actually change, run in parallel when there are lots of events, and new events are checked against active filters as they arrive instead of re-filtering every open log. Filter rows have been redesigned around predicate "chips" with clearer validation and Done/Add gating.
• Faster combined view —...