v26.5.28.1003

Pre-release

@jschick04 released this 28 May 16:57

All changes since the last stable release (v26.3.5.912).

Highlights

  • Database Tools UI is now available from the Tools menu, giving Create/Diff/Merge/Show/Upgrade provider-database operations an in-app tabbed workflow with live logs, safer file picking, and elevation awareness.
  • Light mode is now available, with an option to follow your Windows theme. The title bar follows it too.
  • Reorder event table columns by drag-and-drop. Column widths and order are remembered across sessions.
  • International Windows support — events on non-English Windows installs (and exported .evtx files that include a LocaleMetaData folder) now resolve to readable text instead of falling back to placeholders.
  • Better text for "no provider" events — when an event has no provider metadata, the app now shows the event's data and a meaningful success/error message instead of placeholders. Channel-only providers resolve correctly, and older events that share IDs are now disambiguated.
  • Provider database recovery — imported databases are checked when they load, with clear status badges in Settings. Old (V3) databases automatically upgrade to the new V4 format; empty or unrecognized files are set aside instead of breaking event resolution. If an upgrade is interrupted, a recovery dialog walks you through finishing it. Newly imported databases stay disabled until you turn them on.
  • In-app banner system for upgrade progress, recoverable errors (with optional action buttons), and crash recovery — the banner sits above the error boundary so it's still visible if something goes wrong. "No events found" alerts are grouped together when you open several logs at once.
  • Filter overhaul — filters re-evaluate only when they actually change, run in parallel when there are lots of events, and new events are checked against active filters as they arrive instead of re-filtering every open log.
  • Faster combined view — when multiple logs are open, the Combined view is now built once and updated in place as events stream in, instead of being rebuilt from scratch on every update. Live tailing is dramatically faster and uses less memory.
  • New menu bar replaces the older Windows menu bar and simplifies right-click menus across the app.
  • Debug Log modal now has filtering, scrolls smoothly through large logs, lets you export the contents, and shows newest entries first as they stream in.
  • More reliable live event subscriptions — the underlying watcher is more resilient to exceptions, won't get stuck on stop, and won't leak system handles. The initial backlog drains more cleanly when you open a log.
  • Accessibility improvements — skip-to-content link, screen reader announcements, visible keyboard focus, respect for reduced-motion preferences, page landmarks, proper button roles, and visual cues that don't rely on color alone.
  • Details pane height is remembered between sessions.
  • DbTool now reads MTA files, supports more event types and variant types, and the app correctly identifies more severity levels for broader event coverage.
  • Major performance and memory pass — many smaller improvements across the app add up to faster load times, smoother scrolling, and lower memory use, especially with multiple logs open.

Features

  • Database Tools is available from the Tools menu, with a tabbed modal and vertical tab strip for Create, Diff, Merge, Show, and Upgrade provider-database operations.
  • Database Tools includes a live log view that streams operation output while long-running work is in progress.
  • Database Tools uses an elevation-safe Win32 file picker for choosing database paths and output locations.
  • Database tooling caches the elevation check and warns when EventDbTool starts without administrator rights.
  • Light mode with a "Follow system" option; the title bar honors the OS theme.
  • Drag-and-drop column reordering in the event table; column widths and order are remembered.
  • Details pane height is remembered between sessions.
  • XML is now always available without flipping a toggle. It's only generated when a filter actually needs it, so there's no performance cost when you don't use it.
  • New menu bar with a consistent look, replacing the older Windows menu bar (right-click menus are simpler too).
  • Improved keyboard navigation in the event table.
  • The "Open by Log Name" picker now mirrors the folder structure you'd see in Event Viewer (MMC).
  • Exported .evtx files with a LocaleMetaData folder are now fully supported.
  • DbTool can read MTA provider files.
  • More events display the correct severity (Information / Warning / Error / Critical / Verbose).
  • More event types and variant types are recognized, so more events resolve to readable text.
  • The title bar now shows the app name and version before any open log names.
  • In-app release notes and Markdown content now render italics.

Database & Recovery

  • New V4 provider database format with improved resolution coverage (merges in publishers that own a given channel).
  • Imported databases get a clear status in the Settings modal: classified, not yet classified, unknown format, has backup, etc.
  • Empty or unrecognized provider databases are set aside (quarantined) instead of breaking the resolver.
  • Obsolete or unrecognized databases are rejected by EventDbTool commands with a clear message.
  • V3 databases automatically upgrade to V4. Newly imported databases start out disabled — turn them on when you're ready.
  • If an upgrade is interrupted (power loss, crash, etc.), the app detects the leftover marker file and offers a recovery dialog.
  • Removing a database no longer deletes your own .bak backup files.
  • If one entry in a batch import fails, the rest still go through — the failures are listed in the Settings modal.
  • Toggling pre-release builds in Settings can now kick off a database upgrade right from the confirmation dialog.
  • Opening a log waits for database classification to finish first, so resolution doesn't silently use the wrong data.

Banners & Alerts

  • New app-wide banner area for upgrade progress, attention items, and recoverable errors.
  • Error banners can include an action button (for example, a Reload button).
  • The Reload button automatically gets keyboard focus when an error banner appears, so you can press Enter to recover.
  • If the app hits an unhandled exception, it now offers in-app recovery via a banner instead of going to a hard failure screen.
  • "Empty log" notifications are grouped together when you open several logs at once, instead of stacking up.
  • Banner severity (Critical vs. Error) is now consistent across the app.

Settings Modal / Database UX

  • Status indicators meet WCAG AA contrast, including the "classification pending" state.
  • Database rows are restructured so the most useful action is the primary one for that row's current status.
  • The trash (delete) action appears when you click the database name, and a subtle left indicator strip makes status easier to read at a glance.
  • Recovery dialog wording is now pluralized correctly when more than one database needs attention.

Event Resolution

  • Events with no provider metadata now show the event data and a readable success/error message instead of placeholders.
  • Channel-only providers (events that only identify a channel, not a publisher) now resolve via the channel's owning publisher.
  • Older event messages that share IDs are now disambiguated by their qualifier value.
  • Templates that legitimately expect zero properties no longer cause spurious "property mismatch" messages.
  • Environment variables in publisher metadata paths are expanded properly; resolution is more reliable for providers that use full raw IDs.
  • The "Add log" and "Close all" menu items are only enabled when you actually have logs open. "Security" and "State" are only enabled when running elevated.
  • Events on non-English Windows installs, and exported .evtx files that ship a LocaleMetaData folder, now resolve via .mui satellite files instead of placeholders.

Filter Improvements

  • Filters are evaluated through a new, more reliable pipeline. Behavior is the same — performance and stability are better.
  • Toggling unrelated UI no longer causes the filter pipeline to re-run; it only re-runs when filter state actually changes.
  • When there are lots of events, filtering runs in parallel. As new events arrive, only the new ones are checked against active filters instead of re-filtering every open log.
  • Filters keep their position in the panel even after edits.
  • Drafting a new filter no longer leaves stale placeholder rows behind, including when you collapse a filter group mid-edit.
  • Filter text parsing now handles quotes, backslashes, and whitespace consistently in all contexts, including sub-filters and multi-select values.
  • Date-range defaults are now consistent across the app.
  • The filter spinner reflects only the latest filter run — older, slower runs can no longer overwrite a newer result.

Performance & Memory

  • Database Tools log output flushes in batches, and Show Providers output is built in a single pass for smoother long-running operations.
  • Combined view rebuild eliminated — when multiple logs are open, the Combined view is maintained in place instead of rebuilt on every event. Live tailing is 92–94% faster with 17–50% lower memory use in benchmarks. Per-log tabs are derived from the Combined view on demand. Filter changes, log loads, and log closes are 22–48% faster too.
  • Combined-events sorting uses a merge of pre-sorted per-log lists instead of a full re-sort; default sort is consistent between per-log and combined views.
  • Reduced string and memory allocations in hot paths: pooled string builders, faster format-token paths, and primitive specializations in logging.
  • Provider database serialization uses source-generated JSON for faster reads/writes.
  • Compressed JSON now streams directly to and from disk, avoiding large temporary strings and byte arrays.
  • First-time provider resolution coalesces concurrent requests; parallel local resolution uses an owned registry key for better isolation.
  • Keyword decoding is single-pass and short-circuits when there are no standard keywords to check.
  • Native event rendering uses stack buffers for typical sizes and falls back to a pooled buffer for very large events.
  • Scrolling to the selected event is now a single indexed pass instead of two searches.
  • Copying multiple events to the clipboard reuses one string builder; owning-log parsing is faster.
  • Keyword display strings are built only when first read.
  • Rotating cache for NTStatus and HResult lookups speeds up repeated decodes.
  • Caches are tied to instance lifetime so they release when no longer needed.
  • Faster event table loading via batch loading and improved indexing.
  • The event table only re-renders when the underlying list actually changes; the status bar only updates on real value changes.
  • The diagnostic logger only allocates when something is actually logged, and uses a temp file instead of buffering everything in memory.
  • Property-count and property-format paths share their cache; template matching picks a better candidate when multiple are available.

Reliability

  • Database Tools operations were hardened with encrypted-input handling, async database flushing, bounded regex timeouts, partial-database cleanup, safer conditional rendering, ARIA/JS interop detach fixes, and cleaner exception handling.
  • Modals no longer fail if first-render JavaScript interop is detached or unavailable.
  • Log views now tolerate first-render timing issues instead of crashing while the UI is still attaching.
  • Log tab activation is guarded while a log is loading, avoiding races from keyboard or click input during startup.
  • Update auto-scans no longer interfere with restart/update options.
  • Live event subscriptions release their native handle and wait for in-flight callbacks correctly on shutdown — no more leaked handles or hung threads.
  • Exceptions thrown by event handlers are isolated so one bad subscriber can't break others; stop requests issued while a stop is already in progress are rejected cleanly.
  • The initial event backlog is drained outside the watcher's startup lock, so opening a busy log no longer stalls.
  • UnauthorizedAccessException messages now include the underlying Win32 reason for easier troubleshooting.
  • Opening multiple logs at once is throttled to avoid overwhelming the system, and uses channels for smoother event flow.

UI / CSS / Accessibility

  • Log tabs are keyboard-accessible with Tab navigation, button roles, and correct disabled states for screen readers.
  • Tab-list keyboard handling now prevents default browser behavior only where needed, keeping focus and scroll behavior predictable.
  • ValueSelect dropdowns keep C# and JavaScript open/close/toggle state in sync, so the visible menu matches the component state.
  • .visually-hidden styles are scoped correctly so screen-reader-only content doesn't affect unrelated UI.
  • Accessibility infrastructure: visible keyboard focus, respect for reduced-motion settings, page landmarks.
  • Accessibility behavior: skip-to-content link, live region announcements, proper button roles, visual cues that don't depend on color alone.
  • CSS cleanup: switched from ID selectors to classes, removed !important overrides and the forced-colors override, and consolidated styling tokens.
  • A single generic modal style is used across the app; alert dialogs share the same look.
  • Boolean "yes/no" selectors no longer look like green/red traffic lights — enabled now uses the app's positive color, removing the polarity confusion.
  • ValueSelect dropdowns: several bug fixes and smoother behavior.
  • Removed unused HTML and navigation scaffolding.
  • Markdown rendering now supports italics.
  • Debug Log modal: filtering, smooth scrolling for large logs, export, and newest-first streaming (with a "busy" announcement for screen readers while loading).
  • Removed the redundant "Copy Event" button from the details pane (copy is still available from the right-click menu and keyboard shortcuts).
  • Modal footers right-align their buttons consistently across the app. The Settings modal stacks the "Pre-release builds" toggle on its own row above the action buttons so it can't be confused with them.
  • Debug Log modal: very long lines no longer cause a horizontal scrollbar — they clip with an ellipsis, and hovering shows the full line as a tooltip (indentation in stack traces is preserved so they still read correctly).

Bug Fixes

  • File picker titles now flow through the Win32 dialog correctly, suggested file names are bounds-checked, and long titles are clamped safely.
  • Log-view scroll pinning is re-armed when the view shrinks, so pinned output stays anchored after filtering or resizing.
  • Fixed an inverted pin-state guard in DatabaseToolsLogView that could keep the live log from following new output.
  • ValueSelect now re-renders immediately after close/open/toggle state changes instead of drifting from the JavaScript state.
  • Restored the RestartNowAndUpdate options in update prompts.
  • DatabaseToolsLogView now resets its watermark correctly between operations.
  • Combined view no longer treats records from different logs as duplicates when they happen to share a record ID.
  • Fixed crashes when an event message ends with a %n placeholder or uses 0 as a string terminator.
  • Fixed an event variant type mismatch that could break resolution; added a missing variant and a more helpful default.
  • Fixed an error when trying to read a log file that had been deleted on disk.
  • Fixed temp-file creation failures when working with encrypted logs (the app now uses a file stream directly).
  • Fixed a disposal bug in the database-backed resolver and a watcher constructor bug.
  • Fixed a dependency injection issue with the diagnostic logger.
  • Provider-database failure dialogs only appear when you start a scan manually — no more popups during startup scans.
  • Several smaller ValueSelect bugs and rough edges.
  • Added a clean failure path when provider-database deserialization returns nothing instead of throwing.
  • Added proper cleanup (IDisposable) to several components to prevent leaks, and removed dispose calls that were no longer needed.
  • Update checks no longer repeat themselves — once per session.
  • Removing a database no longer wildcard-deletes your .bak backup files.
  • Empty or unrecognized provider databases no longer crash the resolver — they're flagged and quarantined.
  • Removed unused remote-machine support from the event message and registry providers.
  • Opening one Live log immediately after another no longer briefly populates and then wipes the new log's table — close-all now clears state before the previous log's watcher finishes draining.