v26.5.12.971

Pre-release

@jschick04 released this 12 May 16:41

All changes since the last stable release (v26.3.5.912).

Highlights

  • Light mode is now available, with an option to follow the system theme (title bar included).
  • Column drag-and-drop reordering in the event table, with persistent column sizing and ordering across sessions.
  • MUI-aware event message resolution — events on international Windows installs (and from exported .evtx files with LocaleMetaData folders) now resolve correctly via .mui satellites instead of falling back to placeholders.
  • Better event resolution for "no provider" cases — events with no provider metadata now render EventData and ERROR_SUCCESS text instead of placeholders, channel-named providers resolve correctly, and legacy events are disambiguated by Qualifier.
  • Database recovery flow — imported provider databases are classified on load (V4 schema with auto-upgrade from V3, quarantine for empty/unrecognized/obsolete formats), interrupted upgrades are detected and recovered via a dedicated dialog, and freshly-imported databases default to disabled until you opt in.
  • App-level banner system for upgrade progress, recoverable errors with action buttons, and unhandled-exception recovery — mounted above the error boundary so it survives crashes. Empty-log alerts are batched when opening multiple logs at once.
  • Filter pipeline overhaul — immutable BasicFilterSource / CompiledFilter model, signature-based change detection, parallel filtering above a threshold, and only-new-events filtering on arrival instead of re-filtering all active logs.
  • Faster combined-events sorting via a k-way merge of pre-sorted per-log lists (replaces the full re-sort), and a cross-log RecordId equality bug is fixed.
  • Custom menu bar replaces the XAML one and simplifies context menus across the app.
  • Debug Log modal gains filtering, virtualization, export, and newest-first streaming.
  • More reliable live event subscriptions: EventLogWatcher hardened against handler exceptions, reentrant stops, and finalizer-time native handle leaks, with a cleaner initial-backlog drain.
  • Accessibility infrastructure: skip link, live regions, focus-visible, reduced-motion, landmarks, role=button, non-color cues.
  • Details pane height is now remembered as a user preference.
  • DbTool now supports MTA files; added missing severity levels and additional event types / EvtVariantTypes for broader event coverage.
  • Major memory and performance pass — pooled StringBuilder via thread-static cache, System.Text.Json source generators for provider DB serialization, IFormattable direct-write logging, primitive specializations on interpolated log handlers, and many smaller hot-path wins.

Features

  • Light mode with follow-system-theme option, and the title bar honors the OS theme.
  • Column drag-and-drop reordering in the event table, with persistent column sizing and ordering.
  • Details pane height persisted as a user preference.
  • XML resolution no longer requires the toggle — XML is automatically available, but only resolved when a filter actually needs it.
  • Custom menu bar with templated menu items, replacing the XAML menu bar (also simplifies context menus).
  • Improved keyboard navigation in the event table, with refactored event selection.
  • LogName parser now creates folder structure that aligns with the MMC.
  • Support for exported LocaleMetaData folders when resolving events from exported .evtx files.
  • DbTool supports MTA files for provider details.
  • Added missing severity levels so more events display the correct level.
  • Added additional event types and EvtVariantTypes for broader event coverage.
  • Title bar shows app name and version before log names.
  • Markdown italics now render in release notes / in-app Markdown.

Database & Recovery

  • New V4 provider DB schema with ResolvedFromOwningPublisher merging for better resolution coverage.
  • Imported databases are classified on load with a clear status (NotClassified, Unknown, BackupExists, etc.) surfaced in the Settings modal.
  • Empty and unrecognized provider databases are quarantined at classification time instead of failing the resolver.
  • Obsolete and unrecognized provider DBs are now rejected by EventDbTool commands with clear messaging.
  • V3 databases auto-upgrade to V4; freshly-imported databases default to disabled.
  • Interrupted upgrades are detected via an .upgrade.bak marker and recoverable through a new recovery dialog.
  • Remove no longer deletes user-created .bak files via wildcard.
  • Per-entry import failures are surfaced in the Settings modal with buffered toggles so a bad entry doesn't break the batch.
  • Inline upgrade banner triggers settings-scope upgrades from the Settings modal toggle confirmation.
  • Opening a log now waits for classification to complete and gracefully handles resolver errors.

Banners & Alerts

  • New app-level banner surface for upgrade progress, attention items, and recoverable errors.
  • Error banners can include an optional action button (e.g. reload).
  • Reload button gets focus automatically when an error banner appears.
  • Unhandled exceptions route through the banner system for in-app recovery instead of hard failures.
  • Empty-log alerts are batched across multi-open call sites.
  • Banner severity taxonomy aligned (Critical/Error).

Settings Modal / Database UX

  • Classification-pending UX with WCAG AA contrast on status fills.
  • Database rows restructured with per-status primary actions and tightened visuals.
  • Trash action revealed by clicking the database name, with a recessed left strip indicator.
  • Recovery dialog copy pluralized for multi-entry scenarios.

Event Resolution

  • Events with no provider metadata now render EventData and ERROR_SUCCESS text instead of placeholders.
  • Channel-named providers resolve via EvtChannelConfigOwningPublisher.
  • Legacy event messages are disambiguated by Qualifier.
  • Empty manifest templates are treated as zero expected properties on strict match (no more spurious mismatches).
  • Environment variables are expanded in publisher metadata paths; short-id fallback hardened for full-RawId manifests.
  • Add/Close-All gated on open logs; Security/State gated on admin elevation.
  • Events on international Windows installs and exported .evtx files with LocaleMetaData folders resolve via .mui satellites.

Filter Improvements

  • New immutable filter model: BasicFilterSource, CompiledFilter, and a FilterCompiler replacing the old mutable FilterModel shape.
  • Signature-based change detection so the UI no longer refilters on every flip.
  • Parallel filtering above a threshold when combined event count is large; only-new-events filtering on arrival instead of re-filtering all active logs.
  • Filters are now indexed so position in the pane is preserved.
  • New-filter drafts render as pane-/group-local pending rows instead of dispatching IsEditing placeholders, with stale row state cleared on group collapse.
  • FilterService.TryParse string escaping now handles quotes, backslashes, and whitespace consistently across top-level, sub-filter, and MultiSelect paths.
  • Date-range default logic moved into a single DateRangeDefaults helper.
  • Filter spinner: filter-generation guard added for stale-result races.

Performance & Memory

  • K-way merge of pre-sorted per-log lists for combined events (replaces full re-sort); per-log/combined default aligned to DateAndTime.
  • Pooled StringBuilder via thread-static cache; replaced per-call format-token allocations with IFormattable direct paths, plus primitive specializations on logging interpolated handlers.
  • System.Text.Json source generators for provider database DTO serialization.
  • Streamed JSON directly to/from GZipStream in CompressedJsonValueConverter — eliminates intermediate string and byte[] allocations.
  • Per-provider Lazy gates coalesce first-touch ProviderDetails work; replaced shared Registry.LocalMachine with an owned base key for parallel local resolution.
  • Single-pass GetKeywordsFromBitmask, with hoisted Keywords value and mask-gated standard-keyword loop.
  • stackalloc bounded in EventMethods native-render paths, with ArrayPool fallback above 4096 chars.
  • ScrollToSelectedEvent collapsed from FirstOrDefault + IndexOf into a single indexed pass over DisplayedEvents.
  • Multi-event clipboard copy reuses a single StringBuilder; replaced OwningLog.Split.Last with a LastIndexOf slice (also in the row template).
  • Deferred KeywordsDisplayName join until first read.
  • Rotating cache for NTStatus and HResult lookups.
  • Caches are instance-based so they release at end of life cycle.
  • Faster event table loading (batch loading + improved indexing).
  • Sort-in-place on load (no ImmutableArray round-trip); event table compares updated vs. current combined lists before triggering an update; status bar only triggers updates on actual value changes.
  • Logger allocates only when an event is actually logged, and uses a temp file instead of in-memory buffering.
  • Property-count function reuses the same caching as the format-properties function; better template matching when multiple candidates exist.
  • Optimized hot paths and reduced redundant allocations across the app.

Reliability

  • Live event subscriptions: native subscription handle released and ThreadPool wait honored on the finalizer path.
  • Handler exceptions are isolated and reentrant stops are rejected in EventLogWatcher.
  • Initial backlog drained outside the lifecycle lock to avoid stalls.
  • More descriptive Win32 messages on UnauthorizedAccessException.
  • HandleOpenLog uses channels instead of run-jobs, with a semaphore to throttle threads when multiple logs are opened.

UI / CSS / Accessibility

  • New a11y infrastructure: focus-visible, reduced-motion, landmarks.
  • New a11y behavior: skip link, live regions, role=button, non-color cues.
  • Converted ID selectors to classes, removed !important overrides, and dropped the forced-colors override.
  • Consolidated CSS tokens and removed unused/redundant CSS; row styles share a common base.
  • Generic modal service replaces individual modal components; per-modal sizing variables and an inline alert header for modals.
  • Boolean select restyled to be theme-consistent — enabled state now uses the positive color (no more red/green polarity confusion).
  • ValueSelect dropdowns: bug fixes and optimizations.
  • Removed unused HTML / navigation scaffolding.
  • Markdown parser now supports italics.
  • Debug Log modal: filtering, virtualization, export, and newest-first streaming (with an aria-busy region while loading).
  • Removed the Copy Event button from the details pane.

Bug Fixes

  • Cross-log RecordId equality bug in the combined-events view (records from different logs no longer collide).
  • Index out of range when event messages contain a trailing %n or use 0 as a terminator.
  • Variant type mismatch that could cause event resolution issues; added a missing variant and a more diagnostic default.
  • Reading a log file after it was deleted.
  • Temp file creation failure when encryption was involved (now uses a file stream directly instead of copying).
  • Dispose method on the DB event resolver and a watcher constructor bug.
  • Logger DI issue.
  • Failure dialogs now only appear when a manual scan is initiated (no more startup-scan noise).
  • Several smaller bugs and optimizations in ValueSelect.
  • Added a failure path when Deserialize returns null.
  • Added IDisposable to several components to prevent leaks; cleaned up unneeded dispose patterns.
  • Auto update checks no longer repeat — skipped after the first attempt per session.
  • Remove no longer deletes user-created .bak files via wildcard.
  • Empty/unrecognized provider DBs no longer crash the resolver — they are classified and quarantined.
  • Dropped unused remote-machine support from event message and registry providers.