microsoft · NikTilton · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
@@ -6,42 +6,40 @@ A Windows Event Log viewer for tech support and IT professionals.
 
 ## Key features
 
-* Quickly load huge .evtx files. File -> Open and select multiple files, or just drag-and-drop them into the view. The tool will happily load multiple .evtx files concurrently.
-* View multiple .evtx files in an interleaved combined view and examine how events line up across multiple servers.
-* See event description previews right in the table without having to open each individual event.
-* Filter using friendly drop-downs, use Advanced Filter and enter a LINQ expression, or combine both.
-* Create an event database to view .evtx files on computers that don't have the same product installed. For example, view Exchange Server or SQL Server logs on a user workstation.
-* Can be used as a replacement for Event Viewer to view live event logs. Choose Continuously Update on the View menu and watch new events appear in real time.
+* Loads `.evtx` files concurrently — `File` → `Open`, drag-and-drop, or open every `.evtx` in a folder in one step.
+* Combined view interleaves events from any mix of file and live logs by time across multiple machines.
+* Configurable event-table columns (visibility, ordering, sort) with per-row highlight colors driven by your filters.
+* Filter pane with Basic (category × evaluator) filters, sub-filters joined with `AND` / `OR`, Date filter, Advanced Dynamic LINQ expressions, and Exclusion filters.
+* Filter Cache (Favorites + Recent) and named, importable / exportable Filter Groups.
+* Live event channels with auto-discovery (admin-only channels disabled when not elevated), `Continuously Update`, and a `Load New Events` buffered mode.
+* Provider Databases — load `.db` files captured on another machine so its `.evtx` files resolve descriptions and task categories correctly.
+* In-line description previews in the table; on-demand event XML in the Details pane.
+* Configurable Ctrl+C copy mode (`Default`, `Simple`, `XML`, `Full`); System / Light / Dark theme.
+* In-app Release Notes and Debug Log viewer; opt-in pre-release update channel.
 
 For more information, check our [docs](docs/Home.md).
 
 ## Quick Start
 
-### Windows 10 or 11
+Download the `EventLogExpert_<version>_x64.appinstaller` (or the matching `EventLogExpert_<version>_x64.msix`) from the latest release and run it: <https://github.com/microsoft/EventLogExpert/releases/latest>.
 
-Simply download the `EventLogExpert*.msix` file from the latest and run it: [https://github.com/microsoft/EventLogExpert/releases/latest/](https://github.com/microsoft/EventLogExpert/releases/latest/).
+The `.appinstaller` declares its dependency on the Windows App Runtime (currently `Microsoft.WindowsAppRuntime.1.7.msix`, also published in the same release) so App Installer fetches the runtime automatically on a clean machine. Updates are checked on launch.
 
-### Windows Server 2019 or 2022
+If you'd rather install the runtime manually first, grab `Microsoft.WindowsAppRuntime.1.7.msix` from the release and install it with:
 
-Note: Auto-updates do not work on 2019.
+```
+Add-AppxPackage $home\Downloads\Microsoft.WindowsAppRuntime.1.7.msix
+```
 
-* Download the `EventLogExpert*.msix`.
-* Windows 2019 will also need the `Microsoft.WindowsAppRuntime*.msix` unless it was already installed by something else. You'll find this file in the release with the `EventLogExpert*.msix`.
-* Enable sideloading:
+Then install the app:
 
-    `Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock -Name AllowAllTrustedApps -Value 1`
-
-* Install the runtime with Add-AppxPackage. Example:
-
-    `Add-AppxPackage $home\Downloads\Microsoft.WindowsAppRuntime.1.2.msix`
-
-* Install EventLogExpert:
-
-    `Add-AppxPackage $home\Downloads\EventLogExpert_23.5.19.1256_x64.msix`
+```
+Add-AppxPackage $home\Downloads\EventLogExpert_<version>_x64.msix
+```
 
 ### First time setup
 
-Head over to our [docs](docs/Home.md).
+Head over to our [docs](docs/Settings.md).
 
 ## Contributing
 

@@ -2,38 +2,99 @@
 
 ## Filtering
 
-There are three ways to filter. All filters apply to all logs open in that window.
+The Filter pane sits above the event table. Every event in the active log set is evaluated against the applied filters; non-matches are hidden. The pane has five `Add` buttons across the top:
 
-### Add filter
+| Button | Adds |
+| --- | --- |
+| `Add Basic Filter` | A category × evaluator × value comparison against a single resolved-event field. |
+| `Add Date Filter` | A `Before` / `After` time-window filter. Only one date filter exists at a time; the button is hidden once one is added. |
+| `Add Advanced Filter` | A free-form Dynamic LINQ expression evaluated against `ResolvedEvent`. |
+| `Add Cached Filter` | Picks a string from the Filter Cache (Favorites + Recent) and adds it as a Cached filter row. See [Saved Filters](Saved-Filters.md). |
+| `Add Exclusion` | A Basic filter row in the excluded state — same category × evaluator × value shape as `Add Basic Filter`, but matching events are hidden instead of shown. Any saved row can be flipped between included and excluded later via the chrome `Exclude` / `Include` button. |
 
-This button provides drop-down menus for easy filtering.
+Each saved row carries a chrome strip with `Edit`, `Exclude` (or `Include` when the row is already an exclusion), `Remove`, and a `Disable` / `Enable` toggle. While editing, the chrome shows `Save` and `Cancel`. Non-exclusion rows also show a highlight-color picker (`Highlight Color`) before the comparison content. When any filter is being applied, the pane shows `[Applying Filters]` with a spinner; otherwise it shows `[Active Filters: N]`. The pane can be collapsed via the caret in the top-right corner.
+
+`Edit` → `Clear All Filters` removes every filter row and the date filter from the pane in one step. `Edit` → `Save All Filters` persists only the filter rows — the date filter is not part of a saved group. See [Keyboard and Copy](Keyboard-And-Copy.md). `View` → `Show All Events` (`Ctrl+H`) suspends evaluation without removing any filters.
+
+### Basic filters
+
+Pick a category, pick an evaluator, then enter or pick a comparison value. Optionally add one or more sub-filters joined to the parent with `AND` or `OR`.
+
+**Categories** (`FilterCategory`):
+
+| Label | Source field |
+| --- | --- |
+| `Event ID` | event id (int) |
+| `Activity ID` | activity id GUID (string-equal) |
+| `Level` | resolved level string (`Information`, `Warning`, `Error`, `Critical`, `Verbose`) |
+| `Keywords` | display keywords |
+| `Source` | provider name |
+| `Task Category` | resolved task name |
+| `Process ID` | process id |
+| `Thread ID` | thread id |
+| `User ID` | SID string |
+| `Description` | resolved description text |
+| `Xml` | raw XML (forces eager XML resolution; see caveat) |
+
+**Evaluators** (`FilterEvaluator`):
+
+| Label | Behavior |
+| --- | --- |
+| `Equals` | Exact match. Numeric for ID-typed fields; case-sensitive string compare for everything except `Keywords`, which is case-insensitive. |
+| `Contains` | Case-insensitive substring match. |
+| `Not Equal` | Negated `Equals` (same case-sensitivity rules). |
+| `Not Contains` | Negated `Contains` (case-insensitive). |
+| `Multi Select` | Matches any value in the supplied set. The category determines which set is offered (e.g., `Level` → checkboxes for the five level values; `Source` → the providers seen in the active logs). |
+
+Sub-filters live underneath the parent and can be combined freely. `AND` requires the sub-filter to also match; `OR` matches if either the parent or the sub-filter matches.
 
 ### Date filter
 
-Any events falling outside of the starting and ending time specified here are hidden.
-
-### Advanced filter
-
-This button displays a textbox allowing a LINQ expression for filtering. Filterable properties are:
-
-Property Name|Type
--|-
-ComputerName|string
-Description|string
-Id|int
-KeywordDisplayNames|IEnumerable<string>
-Keywords|long?
-LogName|string
-OwningLog|string
-Qualifiers|int?
-RecordId|long?
-SeverityLevel|Enum? (Error == 2, Warning == 3, Information == 4)
-Source|string
-TaskCategory|string
-Template|string?
-TimeCreated|DateTime
-Xml|string
-
-Note that Xml is generated when requested, so filters against Xml may be slower than filters against other properties.
+`After` / `Before` timestamps in the configured time zone (see [Settings](Settings.md) → `Time Zone`). Only one date filter is allowed; removing it lets `Add Date Filter` reappear. Right-clicking an event in the table and choosing `Exclude Events Before` / `Exclude Events After` is a shortcut that sets a date filter using the right-clicked event's timestamp as the boundary.
+
+### Advanced filters (Dynamic LINQ)
+
+Free-form expression evaluated against the `ResolvedEvent` record using [Dynamic LINQ](https://dynamic-linq.net/). The placeholder shown in the input is:
+
+```
+(Id == 1000 || Id == 1001) && Description.Contains('Fault')
+```
+
+Available properties:
+
+| Property | Type | Notes |
+| --- | --- | --- |
+| `Id` | `int` | Event id. |
+| `ActivityId` | `Guid?` | Nullable. |
+| `Level` | `string` | `Information`, `Warning`, `Error`, `Critical`, `Verbose`. |
+| `Keywords` | `IReadOnlyList<string>` | Use `.Contains("...")`. |
+| `KeywordsDisplayName` | `string` | Comma-separated keywords. |
+| `Source` | `string` | Provider name. |
+| `TaskCategory` | `string` | |
+| `ProcessId` | `int?` | |
+| `ThreadId` | `int?` | |
+| `UserId` | `SecurityIdentifier?` | Use `.ToString()` to compare. |
+| `TimeCreated` | `DateTime` | The raw `ResolvedEvent` value — the table and Details pane render it in the configured time zone, but expressions see the underlying value. |
+| `LogName` | `string` | Source log channel as reported by the event reader. |
+| `OwningLog` | `string` | The file path or live-channel name as displayed in the tab strip. |
+| `LogPathType` | `LogPathType` | `File` or `Channel`. |
+| `ComputerName` | `string` | |
+| `RecordId` | `long?` | |
+| `Description` | `string` | Resolved description text. |
+| `Xml` | `string` | Raw event XML. **See XML caveat.** |
+
+**XML caveat.** When a filter expression references `Xml`, the underlying `EventLogReader` is opened with XML rendering enabled, which is meaningfully slower than the default. Adding an XML-referencing filter against logs already loaded without XML triggers a one-time re-read of those logs (only the logs that lack XML — logs already loaded with XML are untouched). Removing or disabling an XML filter does not trigger another reload because the in-memory XML is harmless to keep. Filters that don't reference `Xml` operate on already-resolved fields and stay fast.
+
+### Excluded filters
+
+Either an `Add Exclusion` row from the start, or any Basic / Advanced row toggled with the `Exclude` chrome button. Matching events are hidden. Excluded filters are evaluated independently of `View` → `Show All Events`: the show-all toggle disables only the inclusion side, so exclusions and the date filter remain in effect when it's on. `Edit` → `Clear All Filters` removes every filter from the pane (including the date filter and exclusions) — there's no built-in way to reversibly suspend everything at once.
+
+### Cached filters
+
+Quick-access strings for repeat use. See [Saved Filters](Saved-Filters.md) for how the cache is populated and managed.
+
+### Highlighting
+
+Each non-excluded filter row exposes a `Highlight Color` picker in its chrome. When set, every event matching that filter is rendered with that background color in the event table. When multiple filters with different colors match the same event, the first matching enabled, non-excluded filter in pane order wins (a filter with `Highlight Color` set to `None` still counts as a match and suppresses any later highlight). Selection styling beats highlight while a row is selected. Highlight colors persist with the filter — saving a group preserves its colors.
 
 [Docs home](Home.md)
@@ -1,8 +1,16 @@
 # EventLogExpert
 
+A Windows Event Log viewer for tech support and IT professionals. Reads `.evtx` files and live event channels, with provider-database support so events captured on one machine resolve correctly on another.
+
+Runs on supported versions of Windows: Windows 11, Windows Server 2022, Windows Server 2025.
+
 ## Topics
 
-* [First time setup](FirstTimeSetup.md) - Customizing your experience.
-* [Filtering](Filtering.md) - How to use the various filter options.
-* [Viewing events](Viewing.md) - Things to know about viewing, selecting, scrolling, and reading events.
-* [Provider databases](ProviderDatabases.md) - Viewing event descriptions on machines that don't have the requisite software installed.
+- [Opening Logs](Opening-Logs.md) — Opening files, folders, and live channels.
+- [Viewing Events](Viewing-Events.md) — Tab strip, configurable table columns, details pane.
+- [Filtering](Filtering.md) — Basic, Date, Advanced (Dynamic LINQ), Cached, Exclusion filters and highlighting.
+- [Saved Filters](Saved-Filters.md) — Filter cache (Favorites + Recent) and Filter groups.
+- [Provider Databases](Provider-Databases.md) — Why event databases exist and the `eventdbtool` CLI.
+- [Settings](Settings.md) — Time zone, databases, theme, copy mode, log level, pre-release builds.
+- [Keyboard and Copy](Keyboard-And-Copy.md) — Ctrl+C copy formats and other keyboard bindings.
+- [Updates and Diagnostics](Updates-And-Diagnostics.md) — Docs, Submit an Issue, Check for Updates, Release Notes and View Debug Logs.
@@ -0,0 +1,45 @@
+# [EventLogExpert](Home.md)
+
+## Keyboard and Copy
+
+### Copy formats
+
+The `Edit` menu always lists all four copy formats:
+
+| Edit menu item | Format | Output |
+| --- | --- | --- |
+| `Copy Selected` | `Default` | One quoted, space-separated field per visible event-table column, plus the description. |
+| `Copy Selected (Simple)` | `Simple` | Five quoted, space-separated fields: level, timestamp, source, event id, description. |
+| `Copy Selected (XML)` | `Xml` | The event's XML, pretty-printed when parseable. |
+| `Copy Selected (Full)` | `Full` | A multi-line block with labeled fields (`Log Name`, `Source`, `Date`, `Event ID`, `Task Category`, `Level`, `Keywords`, `User`, `Computer`, `Description`, `Event Xml`). |
+
+`Ctrl+C` invokes whichever format `Tools` → `Settings` → `Keyboard Copy Behavior` is set to. The `Ctrl+C` shortcut hint in the `Edit` menu moves to that entry so the keyboard binding is always visible. `Full` is the initial setting on a fresh install.
+
+Multi-selection is honored — every selected row is included in the copied payload in the order they appear.
+
+`Save All Filters` and `Clear All Filters` also live on the `Edit` menu. `Save All Filters` prompts for a `Group Name` (default `New Filter Section\New Filter Group`) and saves the current filter rows as a named filter group — the date filter is not included. See [Saved Filters](Saved-Filters.md). `Clear All Filters` removes every filter row and the date filter from the pane in one step.
+
+### Menu navigation
+
+The menu bar follows WAI-ARIA menubar conventions. Once a menu-bar button has focus (Tab in from elsewhere or click one open):
+
+| Key | Action |
+| --- | --- |
+| `ArrowLeft` / `ArrowRight` | Move between top-level menus. Wraps. If a menu is open, switches to the new menu. |
+| `Home` / `End` | Jump to the first or last top-level menu. |
+| `ArrowDown` | Open the focused menu, with focus on the first item. |
+| `ArrowUp` | Open the focused menu, with focus on the last item. |
+| `Enter` / `Space` | Open the focused menu (alternative to `ArrowDown`). |
+| `Escape` | Close the open menu. |
+
+Hovering a different top-level menu while a menu is open switches to that menu — same as Win32 menubars.
+
+### Other shortcuts
+
+| Shortcut | Action |
+| --- | --- |
+| `Ctrl+O` | `File` → `Open` → `File`. Standalone open; not the `Combine` variant. |
+| `Ctrl+H` | Toggle `View` → `Show All Events`. Suspends inclusion-filter evaluation so any event not blocked by an exclusion or by the date filter becomes visible. Toggling again resumes filtering against the same set. |
+| `Ctrl+C` | Copy selected events using the `Keyboard Copy Behavior` format. |
+
+[Docs home](Home.md)