Windows Event Viewer (eventvwr.msc, if you like to launch it quickly from the Win+R box) is very helpful when troubleshooting.
However, it is not always easy to find the events that relate to a particular problem.
In this post I'll discuss some tricks I find useful for troubleshooting DirectAccess and NPS events.
Starting with Windows Server 2008, Event Viewer lets you create custom views (Custom Views, Create Custom View).
Some filter options are intuitive, but some are hard to unlock, like Task category: task categories are only offered for selected sources, such as Microsoft Windows security auditing.
What I like most about Custom Views is the option to write the filter as XML instead of using the predefined options.
On the XML tab, tick Edit query manually and accept the warning; from that point on the Filter tab controls are disabled for that view, so finish your clicking first.
What is handy is that the XML tab always shows the query Event Viewer generated for whatever you already selected on the Filter tab, so you can use it as a starting point and refine it by hand.
To show only failed IPsec Main Mode, Quick Mode and Extended Mode negotiations (to troubleshoot DirectAccess, for example, whose tunnels are IPsec):
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (Task=12547 or Task=12549 or Task=12550) and band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>
Tasks 12547, 12549 and 12550 are the IPsec Main Mode, Quick Mode and Extended Mode task categories, and 4503599627370496 (0x10000000000000) is the Audit Failure keyword, so only failed negotiations are kept. The Level clause is what the Filter tab generates; it matches every level and can be left out.
If you have to filter DirectAccess events by a client's IPv6 address, you can use something like this (replace x:x:x:x:x:x:x:x with the address):
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='RemoteAddress']='x:x:x:x:x:x:x:x' or Data[@Name='RemoteTunnelEndpoint']='x:x:x:x:x:x:x:x']]</Select>
  </Query>
</QueryList>
Note the form Data[@Name='RemoteAddress']='value': it ties the name and the value to the same Data element. The looser Data[@Name='RemoteAddress'] and Data='value' only requires that some Data field in the event equals the value, which can match the wrong field.
If you want to filter NPS events, for example WiFi authentication, for the last hour and for a specific client PC:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='ProxyPolicyName']='NPS-policy' and Data[@Name='SubjectMachineName']='client01.domain.com']] and *[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>
timediff() returns milliseconds, so 3600000 is one hour. The comparison must be written as &lt;= because the query is XML; a bare < makes the document malformed (Event Viewer writes it escaped when it generates the query for you). ProxyPolicyName is the connection request policy that handled the request and SubjectMachineName is the client computer account; NPS records these in events 6272 (access granted) and 6273 (access denied) in the Security log.
You may ask where to get the EventData field names. Open any event, switch to the Details tab and choose XML View: the <EventData> section lists each field as <Data Name="...">value</Data>, and those Name values are what the filters above key on.
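To run these queries without the Event Viewer UI, here is an added PowerShell example; it is not code from the original post. It feeds the post's first and third queries to Get-WinEvent -FilterXml and flattens each event so that every Data element in EventData becomes a property, which is the quickest way to discover the @Name values for new filters. It assumes an elevated session on the DirectAccess/NPS server (reading the Security log needs admin rights); 'NPS-policy' and 'client01.domain.com' are placeholders, and the NetworkPolicyName column is taken from the NPS 6272/6273 event schema rather than from the post.

```powershell
# Added example, not from the original post: run the Custom View XML queries from
# PowerShell and expose each EventData <Data Name="..."> field as a property.
# Assumptions: elevated session on the DirectAccess/NPS server; policy and client
# names below are placeholders; NetworkPolicyName comes from the NPS 6272/6273 schema.

# Post's first query: failed IPsec Main (12547), Quick (12549) and Extended (12550)
# Mode negotiations. band(Keywords,4503599627370496) keeps Audit Failure only
# (0x10000000000000). The redundant Level clause is omitted.
$failedIpsecQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12547 or Task=12549 or Task=12550) and band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>
'@

function New-NpsClientQuery {
    # Builds the post's NPS query for a connection request policy, a client computer
    # and a time window. timediff() is in milliseconds and '<=' must be written as
    # '&lt;=' because -FilterXml parses the string as XML.
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$ClientFqdn,
        [int]$WindowMinutes = 60
    )
    # The names are spliced into XPath string literals; refuse a quote so a caller
    # cannot break out of the literal (XPath has no escape sequence inside '...').
    foreach ($v in $PolicyName, $ClientFqdn) {
        if ($v.Contains("'")) { throw "Value must not contain a single quote: $v" }
    }
    $ms = $WindowMinutes * 60 * 1000
    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='ProxyPolicyName']='$PolicyName' and Data[@Name='SubjectMachineName']='$ClientFqdn']] and *[System[TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@
}

function ConvertTo-EventObject {
    # Flattens an EventLogRecord: a few System fields plus one property per
    # EventData <Data Name="..."> element, i.e. exactly what the XPath filters see.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    process {
        [xml]$xml = $Record.ToXml()
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $props = [ordered]@{
            TimeCreated = $Record.TimeCreated
            Id          = $Record.Id
            Task        = $Record.Task
            TaskName    = $Record.TaskDisplayName
            Keywords    = '0x{0:X}' -f $Record.Keywords
        }
        $i = 0
        foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $name = $d.GetAttribute('Name')
            if (-not $name) { $name = "Data$i" }   # unnamed fields (event without a manifest schema)
            $props[$name] = $d.InnerText
            $i++
        }
        [pscustomobject]$props
    }
}

# Failed IPsec negotiations, newest first; RemoteAddress is the DirectAccess client.
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$ipsecFailures = Get-WinEvent -FilterXml $failedIpsecQuery -MaxEvents 50 -ErrorAction SilentlyContinue |
    ConvertTo-EventObject
$ipsecFailures | Format-Table TimeCreated, Id, TaskName, RemoteAddress -AutoSize

# Dump one event in full to see every Data name the event type exposes; these are
# the names to use in EventData[Data[@Name='...']] filters.
$ipsecFailures | Select-Object -First 1 | Format-List *

# NPS authentications for one client in the last hour (post's third query).
$npsQuery = New-NpsClientQuery -PolicyName 'NPS-policy' -ClientFqdn 'client01.domain.com' -WindowMinutes 60
Get-WinEvent -FilterXml $npsQuery -ErrorAction SilentlyContinue |
    ConvertTo-EventObject |
    Format-Table TimeCreated, Id, SubjectMachineName, ProxyPolicyName, NetworkPolicyName -AutoSize
```

The same XML strings can be pasted unchanged into the XML tab of a Custom View, and the quote check in New-NpsClientQuery matters whenever the policy or host name comes from a ticket or a script parameter rather than from your own keyboard.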
I hope this makes filtering Windows Server events easier.