microsoft/EventLogExpert v26.6.19.275

v26.6.19.275

Repository: microsoft/EventLogExpert

Tag: v26.6.19.275

Published: 2026-06-19T04:51:58Z

Prerelease: yes

Release notes: All changes since the last stable release (v26.3.5.912).

Highlights

• Export filtered events to CSV or JSON — export the current filtered event view from the menu. The export respects your active filters and the visible columns in their current order (including the always-on Description column), streams to disk with bounded memory, and shows a cancelable progress banner followed by an Export complete notification with the row count and path. Timestamps use a sortable yyyy-MM-dd HH:mm:ss format, and CSV values are neutralized against formula injection.
• Scenario dashboard when no log is open — closing every log (or starting fresh) now shows an empty-state dashboard that browses the built-in scenarios in a master-detail layout, lets you star favorites for quick access, and offers one-click Launch plus quick-launch buttons for the live Application / System / Security logs or opening a file or folder.
• Built-in scenario picker — apply curated, ready-made filter sets from a new Apply Scenario control in the filter pane. Choose from 217 triage scenarios across 20 groups (system health, security, networking, server roles, common Microsoft products, and more); the list is automatically narrowed to scenarios that match the logs you have open, across both live channels and opened .evtx files. Apply layers a scenario on top of your current filters; Replace swaps them out. Scenarios can color-code their filter rows for at-a-glance multi-filter triage and timelines, and a new date-range quick-pick (last 7 days through 2 years) fills the After/Before fields in UTC.
• Group the event table inline — group by any column except Description (for example Activity ID, Source, or Level) so related events fold under collapsible header rows that show the value and event count. The table becomes a keyboard-navigable tree grid, groups can be sorted independently of the per-event sort, and Select Group (and Ctrl+A) reach events even inside collapsed groups.
• Filter Library — save, organize, and reuse filter sets from a new Filter Library (the bookmarks icon in the filter pane). Browse Saved, Favorites, and Previously Used filters, organize them with tags, rename and favorite entries, and import/export your library as JSON. Apply adds a saved set on top of your current filters; Replace current filters swaps them out. Your existing favorite and saved filters are migrated automatically.
• Open from File Explorer — right-click one or more .evtx files, a folder, or the empty space inside a folder and choose "Open with EventLogExpert". Double-clicking a .evtx still opens it, and selecting several files opens them together in a single window.
• Run Database Tools operations elevated on demand — Create Database and Show Providers can elevate a single operation via a "Run Elevated" button (one UAC prompt) instead of requiring you to run the whole app as administrator. The main app stays open while an elevated helper does the work.
• Database Tools UI is now available from the Tools menu, giving Create/Diff/Merge/Show/Upgrade provider-database operations an in-app tabbed workflow with live logs, safer file picking, and elevation awareness.
• Provider database management moved into Database Tools — a new Manage tab centralizes status, enable/disable, upgrade, restore-from-backup, classification retry, and removal. Changes are staged and applied explicitly so accidental database edits are less likely, and an opt-in selection mode unlocks bulk upgrade and bulk remove with per-row progress.
• Light mode is now available, with an option to follow your Windows theme. The title bar follows it too.
• Reorder event table columns by drag-and-drop. Column widths and order are remembered across sessions.
• International Windows support — events on non-English Windows installs (and exported .evtx files that include a LocaleMetaData folder) now resolve to readable text instead of falling back to placeholders.
• Better text for "no provider" events — when an event has no provider metadata, the app now shows the event's data and a meaningful success/error message instead of placeholders. Channel-only providers resolve correctly, and older events that share IDs are now disambiguated.
• Provider database recovery — imported databases are checked when they load, with clear status indicators in the Manage tab. Old (V3) databases automatically upgrade to the new V4 format; empty or unrecognized files are set aside instead of breaking event resolution. If an upgrade is interrupted, a recovery dialog walks you through finishing it. Newly imported databases stay disabled until you turn them on.
• In-app banners are smoother and smarter — upgrade, recovery, crash, and database-attention banners coordinate with modals more cleanly, swap with less flicker, route database actions directly to the Database Tools modal, and handle priority changes predictably instead of bouncing back to stale selections. "No events found" alerts are still grouped together when you open several logs at once.
• Filter overhaul — filters re-evaluate only when they actually change, run in parallel when there are lots of events, and new events are checked against active filters as they arrive instead of re-filtering every open log. Filter rows have been redesigned around predicate "chips" with clearer validation and Done/Add gating.
• Faster combined view — when multiple logs are open, the Combined view is now built once and updated in place as events stream in, instead of being rebuilt from scratch on every update. Live tailing is dramatically faster and uses less memory.
• New menu bar replaces the older Windows menu bar and simplifies right-click menus across the app.
• Debug Log modal now has filtering, scrolls smoothly through large logs, lets you export the contents, and shows newest entries first as they stream in.
• More reliable live event subscriptions — the underlying watcher is more resilient to exceptions, won't get stuck on stop, and won't leak system handles. The initial backlog drains more cleanly when you open a log.
• Accessibility improvements — skip-to-content link, screen reader announcements (including completion...