microsoft/EventLogExpert v26.5.12.971

v26.5.12.971

Repository: microsoft/EventLogExpert

Tag: v26.5.12.971

Published: 2026-05-12T16:41:33Z

Prerelease: yes

Release notes: All changes since the last stable release (v26.3.5.912).

Highlights

• Light mode is now available, with an option to follow the system theme (title bar included).
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering across sessions.
• MUI-aware event message resolution — events on international Windows installs (and from exported .evtx files with LocaleMetaData folders) now resolve correctly via .mui satellites instead of falling back to placeholders.
• Better event resolution for "no provider" cases — events with no provider metadata now render EventData and ERROR_SUCCESS text instead of placeholders, channel-named providers resolve correctly, and legacy events are disambiguated by Qualifier.
• Database recovery flow — imported provider databases are classified on load (V4 schema with auto-upgrade from V3, quarantine for empty/unrecognized/obsolete formats), interrupted upgrades are detected and recovered via a dedicated dialog, and freshly-imported databases default to disabled until you opt in.
• App-level banner system for upgrade progress, recoverable errors with action buttons, and unhandled-exception recovery — mounted above the error boundary so it survives crashes. Empty-log alerts are batched when opening multiple logs at once.
• Filter pipeline overhaul — immutable BasicFilterSource / CompiledFilter model, signature-based change detection, parallel filtering above a threshold, and only-new-events filtering on arrival instead of re-filtering all active logs.
• Faster combined-events sorting via a k-way merge of pre-sorted per-log lists (replaces the full re-sort), and a cross-log RecordId equality bug is fixed.
• Custom menu bar replaces the XAML one and simplifies context menus across the app.
• Debug Log modal gains filtering, virtualization, export, and newest-first streaming.
• More reliable live event subscriptions — EventLogWatcher hardened against handler exceptions, reentrant stops, and finalizer-time native handle leaks, with a cleaner initial-backlog drain.
• Accessibility infrastructure: skip link, live regions, focus-visible, reduced-motion, landmarks, role=button, non-color cues.
• Details pane height is now remembered as a user preference.
• DbTool now supports MTA files; added missing severity levels and additional event types / EvtVariantTypes for broader event coverage.
• Major memory and performance pass — pooled StringBuilder via thread-static cache, System.Text.Json source generators for provider DB serialization, IFormattable direct-write logging, primitive specializations on interpolated log handlers, and many smaller hot-path wins.

Features

• Light mode with follow-system-theme option, and the title bar honors the OS theme.
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering.
• Details pane height persisted as a user preference.
• XML resolution no longer requires the toggle — XML is automatically available, but only resolved when a filter actually needs it.
• Custom menu bar with templated menu items, replacing the XAML menu bar (also simplifies context menus).
• Improved keyboard navigation in the event table, with refactored event selection.
• LogName parser now creates folder structure that aligns with the MMC.
• Support for exported LocaleMetaData folders when resolving events from exported .evtx files.
• DbTool supports MTA files for provider details.
• Added missing severity levels so more events display the correct level.
• Added additional event types and EvtVariantTypes for broader event coverage.
• Title bar shows app name and version before log names.
• Markdown italics now render in release notes / in-app Markdown.

Database & Recovery

• New V4 provider DB schema with ResolvedFromOwningPublisher merging for better resolution coverage.
• Imported databases are classified on load with a clear status (NotClassified, Unknown, BackupExists, etc.) surfaced in the Settings modal.
• Empty and unrecognized provider databases are quarantined at classification time instead of failing the resolver.
• Obsolete and unrecognized provider DBs are now rejected by EventDbTool commands with clear messaging.
• V3 databases auto-upgrade to V4; freshly-imported databases default to disabled.
• Interrupted upgrades are detected via an .upgrade.bak marker and recoverable through a new recovery dialog.
• Remove no longer deletes user-created .bak files via wildcard.
• Per-entry import failures are surfaced in the Settings modal with buffered toggles so a bad entry doesn't break the batch.
• Inline upgrade banner triggers settings-scope upgrades from the Settings modal toggle confirmation.
• Opening a log now waits for classification to complete and gracefully handles resolver errors.

Banners & Alerts

• New app-level banner surface for upgrade progress, attention items, and recoverable errors.
• Error banners can include an optional action button (e.g. reload).
• Reload button gets focus automatically when an error banner appears.
• Unhandled exceptions route through the banner system for in-app recovery instead of hard failures.
• Empty-log alerts are batched across multi-open call sites.
• Banner severity taxonomy aligned (Critical/Error).

Settings Modal / Database UX

• Classification-pending UX with WCAG AA contrast on status fills.
• Database rows restructured with per-status primary actions and tightened visuals.
• Trash action revealed by clicking the database name, with a recessed left strip indicator.
• Recovery dialog copy pluralized for multi-entry scenarios.

Event Resolution

• Events with no provider metadata now render EventData and ERROR_SUCCESS text instead of placeholders.
• Channel-named providers resolve via EvtChannelConfigOwningPublisher.
• Legacy event messages are disambiguated by Qualifier.
• Empty manifest templates are treated as zero expected properties on strict match (no more spurious mismatches).
• Environment variables are expanded in publisher metadata paths; short-id fallback hardened for full-RawId manifests.
• Add/Close-All gated on open logs; Security/State gated on admin elevation.
• Events on international Windows installs and exported .evtx files with…