View the different lists

You obtain the list by double clicking a leaf of the tree of the first panel or with the Display/refresh list choice of the context menu.

The list of events if you double click on an eventlog, a source or a category
The list of user sessions if you double click on the leaf user sessions
The list of failure sessions if you double click on the leaf logon failure
The list of RAS sessions if you double click on the leaf RAS
The list of printing if you double click on the leaf print

You can stop the list generation by clicking on the list panel.

You can sort the columns by clicking the header of each column. You can reverse the order by clicking again on the header.

You can print the list by clicking on the button or have a print preview by clicking on the button. The column width on the printout is proportional with the width seen on the screen.

List of events

For each event, you can see the properties by double clicking on the line.

You obtain a tree tabs window:

One with the general information and the description.
One with the data in 3 formats: bytes, words and ASCII.
One with the parameters of the description.

Some specific fields:

Num: it's the order number in the log.
Description: If you list the events of a remote computer, the event description is decoded from this remote computer. If it fails, the description is decoded from the local computer and the word local is added at the end of the description. The description will only show if the software or service is installed.
Parameters: this is the specific data of the current event (for example, an error code), which completes the description.
I have notice that for some descriptions, all these parameters are not used (for example the time service of the service pack).

List of user sessions

This list is built with the 528 and 540 events for the beginning, and the 538 event for the end of the session of the security log, security source logon/logoff category.

For each session, you can have the details by double clicking on the line

Some specific fields:

User: name of the user of the session.
The name is in parenthesis if the user field of the event is empty, and it is the user that has generated the event.

Open session process: it can be one of these:

KSecDD	ksecdd.sys, the security device driver
User32 or WinLogon\MSGina	winlogon.exe & msgina.dll, the authentication user interface
SCMgr	The Service Control Manager
LAN Manager Workstation Service
advapi	API call to LogonUser
IIS	Internet Information Server
NtLmSsp	NT LAN Manager Security Support Provider

Authentication: in general MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Session type: a number which means

2 Interactive session

3 Network session (net use, net view or file manager session)

4 Batch session

5 Service

6 Proxy

7 Unlock Workstation
Domain\user: domain and user name that generated the event.

2	Interactive session
3	Network session (net use, net view or file manager session)
4	Batch session
5	Service
6	Proxy
7	Unlock Workstation

List of failure sessions

This list is build with the failure audit type event of the security log, security source logon/logoff category.

For each session, you can have the details by double clicking on the line.

Some specific fields:

User: name of the user of the session.
The name is in parenthesis if the user field of the event is empty, and it is the user that has generated the event.

Open session process: it can be one of these:

KSecDD	ksecdd.sys, the security device driver
User32 ou WinLogon\MSGina	winlogon.exe & msgina.dll, the authentication user interface
SCMgr	The Service Control Manager
LAN Manager Workstation Service
advapi	API call to LogonUser
IIS	Internet Information Server
NtLmSsp	NT LAN Manager Security Support Provider

Authentication: in general MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Session type: a number which means

2 Interactive session

3 Network session (net use, net view or file manager session)

4 Batch session

5 Service

6 Proxy

7 Unlock Workstation
Domain\user: domain and user name that generated the event.
Reason: reason of the session failure.
It is the description of the event, the reason is at the beginning.

2	Interactive session
3	Network session (net use, net view or file manager session)
4	Batch session
5	Service
6	Proxy
7	Unlock Workstation

List of RAS session

This list is build with the 20050 event of the system log, RemoteAccess source.
Under Windows 2000, this event seems not to be generated. I need your eventlog to implement the new events. Please send me your eventlog.

For each session, you can have the details by double clicking on the line

Some specific fields:

Domain\user: domain and user name that generated the event.

List of printing

This list is build with the 10 event of the system logon Print source.

For each print, you can have the details by double clicking on the line.

Some specific fields:

Domain\user: domain and user name that generated the event.