v26.6.1.1342

All changes since the last stable release (v26.3.5.912).

Highlights

• Database Tools UI is now available from the Tools menu, giving Create/Diff/Merge/Show/Upgrade provider-database operations an in-app tabbed workflow with live logs, safer file picking, and elevation awareness.
• Provider database management moved into Database Tools — a new Manage tab centralizes status, enable/disable, upgrade, restore-from-backup, classification retry, and removal. Changes are staged and applied explicitly so accidental database edits are less likely, and an opt-in selection mode unlocks bulk upgrade and bulk remove with per-row progress.
• Light mode is now available, with an option to follow your Windows theme. The title bar follows it too.
• Reorder event table columns by drag-and-drop. Column widths and order are remembered across sessions.
• International Windows support — events on non-English Windows installs (and exported .evtx files that include a LocaleMetaData folder) now resolve to readable text instead of falling back to placeholders.
• Better text for "no provider" events — when an event has no provider metadata, the app now shows the event's data and a meaningful success/error message instead of placeholders. Channel-only providers resolve correctly, and older events that share IDs are now disambiguated.
• Provider database recovery — imported databases are checked when they load, with clear status indicators in the Manage tab. Old (V3) databases automatically upgrade to the new V4 format; empty or unrecognized files are set aside instead of breaking event resolution. If an upgrade is interrupted, a recovery dialog walks you through finishing it. Newly imported databases stay disabled until you turn them on.
• In-app banners are smoother and smarter — upgrade, recovery, crash, and database-attention banners coordinate with modals more cleanly, swap with less flicker, route database actions directly to the Database Tools modal, and handle priority changes predictably instead of bouncing back to stale selections. "No events found" alerts are still grouped together when you open several logs at once.
• Filter overhaul — filters re-evaluate only when they actually change, run in parallel when there are lots of events, and new events are checked against active filters as they arrive instead of re-filtering every open log. Filter rows have been redesigned around predicate "chips" with clearer validation and Done/Add gating.
• Faster combined view — when multiple logs are open, the Combined view is now built once and updated in place as events stream in, instead of being rebuilt from scratch on every update. Live tailing is dramatically faster and uses less memory.
• New menu bar replaces the older Windows menu bar and simplifies right-click menus across the app.
• Debug Log modal now has filtering, scrolls smoothly through large logs, lets you export the contents, and shows newest entries first as they stream in.
• More reliable live event subscriptions — the underlying watcher is more resilient to exceptions, won't get stuck on stop, and won't leak system handles. The initial backlog drains more cleanly when you open a log.
• Accessibility improvements — skip-to-content link, screen reader announcements (including completion announcements for long-running operations), visible keyboard focus, respect for reduced-motion preferences, page landmarks, proper button roles, correct keyboard tab order on database rows, and visual cues that don't rely on color alone.
• Details pane height is remembered between sessions.
• DbTool now reads MTA files, supports more event types and variant types, and the app correctly identifies more severity levels for broader event coverage.
• Major performance and memory pass — many smaller improvements across the app add up to faster load times, smoother scrolling, and lower memory use, especially with multiple logs open.

Features

• Database Tools is available from the Tools menu, with a tabbed modal and vertical tab strip for Create, Diff, Merge, Show, Upgrade, and Manage provider-database operations.
• Database Tools includes a live log view that streams operation output while long-running work is in progress.
• Database Tools uses an elevation-safe Win32 file picker for choosing database paths and output locations.
• Database tooling caches the elevation check and warns when EventDbTool starts without administrator rights.
• Light mode with a "Follow system" option; the title bar honors the OS theme.
• Drag-and-drop column reordering in the event table; column widths and order are remembered.
• Details pane height is remembered between sessions.
• XML is now always available without flipping a toggle. It's only generated when a filter actually needs it, so there's no performance cost when you don't use it.
• New menu bar with a consistent look, replacing the older Windows menu bar (right-click menus are simpler too).
• Improved keyboard navigation in the event table.
• The "Open by Log Name" picker now mirrors the folder structure you'd see in Event Viewer (MMC).
• Exported .evtx files with a LocaleMetaData folder are now fully supported.
• DbTool can read MTA provider files.
• More events display the correct severity (Information / Warning / Error / Critical / Verbose).
• More event types and variant types are recognized, so more events resolve to readable text.
• The title bar now shows the app name and version before any open log names.
• In-app release notes and Markdown content now render italics.

Database Tools & Manage Tab

• A new Manage tab in the Database Tools modal is the single place to enable/disable, upgrade, restore, remove, and retry classification on imported provider databases.
• Edits in the Manage tab are staged and only applied when you save changes, so you can review (or back out) toggle changes, restores, and removals in one batch instead of one-at-a-time confirmations.
• Optional selection mode (toggled by a Select trigger) unlocks bulk Upgrade and bulk Remove across multiple databases.
• Multi-select removal of databases lets you take several entries out at once; the confirmation still warns you that affected logs will close and reopen.
• Per-row Upgrade progress is shown directly on each database row while an upgrade (or queued upgrade batch) is running.
• The Restore button respects in-flight upgrade progress, so an import-triggered upgrade can't be undercut by an accidental restore.
• Bulk Upgrade/Remove iterate in visible row order, so confirmation and focus stay predictable; failures stay selected (only succeeded entries are cleared) and the tab only auto-exits selection mode once every operation has succeeded.
• Esc in selection mode exits selection instead of closing the whole dialog.
• The attention banner now opens the Database Tools modal directly when there are databases that need attention.
• While the Database Tools modal is open, the attention banner is suppressed so it doesn't fight with the modal you're already using to act on it.
• The Manage tab is keyboard-friendly: action buttons use the real disabled attribute (so screen readers and keyboard users see the correct state) and the master selection checkbox is scoped so it doesn't leak styles to other tabs.

Database & Recovery

• New V4 provider database format with improved resolution coverage (merges in publishers that own a given channel).
• Imported databases get a clear status: classified, not yet classified, classification failed (with a retry action), unknown format, has backup, etc.
• Empty or unrecognized provider databases are set aside (quarantined) instead of breaking the resolver.
• Obsolete or unrecognized databases are rejected by EventDbTool commands with a clear message.
• V3 databases automatically upgrade to V4. Newly imported databases start out disabled — turn them on when you're ready.
• If an upgrade is interrupted (power loss, crash, etc.), the app detects the leftover marker file and offers a recovery dialog. The recovery dialog is treated as critical, so it can't be casually dismissed and won't get lost behind other UI.
• Removing a database no longer deletes your own .bak backup files.
• If one entry in a batch import fails, the rest still go through — the failures are listed clearly.
• Toggling pre-release builds in Settings can now kick off a database upgrade right from the confirmation dialog.
• Opening a log waits for database classification to finish first, so resolution doesn't silently use the wrong data.
• A successful import marks database state as changed, so closing the Database Tools modal triggers a clean reload of any open log views.

Banners & Alerts

• App-wide banner area for upgrade progress, attention items, and recoverable errors.
• The banner cycle is hosted at the modal-chrome level via a shared state service, so opening or closing a modal swaps the banner cleanly without flicker.
• When a higher-priority banner arrives (e.g., an error during an upgrade), it takes selection without bouncing back to a stale lower-priority preference on the next refresh.
• Error banners can include an action button (for example, a Reload button); the action button automatically gets keyboard focus when an error banner appears, so you can press Enter to recover.
• If the app hits an unhandled exception, it now offers in-app recovery via a banner instead of going to a hard failure screen.
• "Empty log" notifications are grouped together when you open several logs at once, instead of stacking up.
• Banner severity (Critical vs. Error) is now consistent across the app.
• Grammar fix: the attention banner reads "1 database needs attention" (and "N databases need attention" for higher counts).

Settings UI

• The Settings modal is now focused on preferences and app-wide options; database management lives in the Database Tools Manage tab.
• Settings has a restructured information architecture with improved accessibility plumbing, a cleaner empty-state when there's nothing to show, and a more descriptive toggle aria-label.
• Recovery dialog wording is pluralized correctly when more than one database needs attention.
• Focus rings in Settings no longer get clipped by surrounding chrome.
• The "Pre-release builds" toggle sits on its own row above the modal action buttons so it can't be confused with them.

Event Resolution

• Events with no provider metadata now show the event data and a readable success/error message instead of placeholders.
• Channel-only providers (events that only identify a channel, not a publisher) now resolve via the channel's owning publisher.
• Older event messages that share IDs are now disambiguated by their qualifier value.
• Templates that legitimately expect zero properties no longer cause spurious "property mismatch" messages.
• Environment variables in publisher metadata paths are expanded properly; resolution is more reliable for providers that use full raw IDs.
• The "Add log" and "Close all" menu items are only enabled when you actually have logs open. "Security" and "State" are only enabled when running elevated.
• Events on non-English Windows installs, and exported .evtx files that ship a LocaleMetaData folder, now resolve via .mui satellite files instead of placeholders.

Filter Improvements

• Filters are evaluated through a new, more reliable pipeline. Behavior is the same — performance and stability are better.
• Toggling unrelated UI no longer causes the filter pipeline to re-run; it only re-runs when filter state actually changes.
• When there are lots of events, filtering runs in parallel. As new events arrive, only the new ones are checked against active filters instead of re-filtering every open log.
• Filters keep their position in the panel even after edits.
• Drafting a new filter no longer leaves stale placeholder rows behind, including when you collapse a filter group mid-edit.
• Filter text parsing now handles quotes, backslashes, and whitespace consistently in all contexts, including sub-filters and multi-select values.
• Date-range defaults are now consistent across the app.
• The filter spinner reflects only the latest filter run — older, slower runs can no longer overwrite a newer result.
• Redesigned filter row built around predicate chips: each filter shows its predicates as discrete chips, with validation gating that prevents adding or completing a row until the predicate is valid.
• The Done/Add buttons now react reliably to changes anywhere in the row (the underlying state-propagation chain no longer goes stale).
• Keyboard focus is restored to the right chip after edits.
• Exclude predicates have a distinct icon shape (not just a color) so they're easier to tell apart from include predicates at a glance.

Performance & Memory

• Database Tools log output flushes in batches, and Show Providers output is built in a single pass for smoother long-running operations.
• Combined view rebuild eliminated — when multiple logs are open, the Combined view is maintained in place instead of rebuilt on every event. Live tailing is 92–94% faster with 17–50% lower memory use in benchmarks. Per-log tabs are derived from the Combined view on demand. Filter changes, log loads, and log closes are 22–48% faster too.
• Combined-events sorting uses a merge of pre-sorted per-log lists instead of a full re-sort; default sort is consistent between per-log and combined views.
• Reduced string and memory allocations in hot paths: pooled string builders, faster format-token paths, and primitive specializations in logging.
• Provider database serialization uses source-generated JSON for faster reads/writes.
• Compressed JSON now streams directly to and from disk, avoiding large temporary strings and byte arrays.
• First-time provider resolution coalesces concurrent requests; parallel local resolution uses an owned registry key for better isolation.
• Keyword decoding is single-pass and short-circuits when there are no standard keywords to check.
• Native event rendering uses stack buffers for typical sizes and falls back to a pooled buffer for very large events.
• Scrolling to the selected event is now a single indexed pass instead of two searches.
• Copying multiple events to the clipboard reuses one string builder; owning-log parsing is faster.
• Keyword display strings are built only when first read.
• Rotating cache for NTStatus and HResult lookups speeds up repeated decodes.
• Caches are tied to instance lifetime so they release when no longer needed.
• Faster event table loading via batch loading and improved indexing.
• The event table only re-renders when the underlying list actually changes; the status bar only updates on real value changes.
• The diagnostic logger only allocates when something is actually logged, and uses a temp file instead of buffering everything in memory.
• Property-count and property-format paths share their cache; template matching picks a better candidate when multiple are available.
• Recomputing eligible-count in the Manage tab skips the snapshot pass when nothing is selected, so banner and coordinator state changes don't allocate in the common case.

Reliability

• Database Tools operations were hardened with encrypted-input handling, async database flushing, bounded regex timeouts, partial-database cleanup, safer conditional rendering, ARIA/JS interop detach fixes, and cleaner exception handling.
• Modals no longer fail if first-render JavaScript interop is detached or unavailable.
• Log views now tolerate first-render timing issues instead of crashing while the UI is still attaching.
• Log tab activation is guarded while a log is loading, avoiding races from keyboard or click input during startup.
• Update auto-scans no longer interfere with restart/update options.
• Live event subscriptions release their native handle and wait for in-flight callbacks correctly on shutdown — no more leaked handles or hung threads.
• Exceptions thrown by event handlers are isolated so one bad subscriber can't break others; stop requests during stop are rejected cleanly.
• The initial event backlog is drained outside the watcher's startup lock, so opening a busy log no longer stalls.
• UnauthorizedAccessException messages now include the underlying Win32 reason for easier troubleshooting.
• Opening multiple logs at once is throttled to avoid overwhelming the system, and uses channels for smoother event flow.
• Modal close pipeline has a close-veto path with a critical scope, so critical dialogs (recovery, in-progress operations) won't be dismissed out from under you. Inline alerts dispose asynchronously and cleanly when a modal closes.
• Cross-modal context menu activations correctly detach viewport listeners and restore opener focus.
• Focus and JS-interop helpers now catch TaskCanceledException, JSDisconnectedException, and JSException consistently during teardown, so disconnected browser sessions and rapid modal close/open sequences don't surface as errors.
• The Manage tab cancels in-flight or queued upgrade batches before removal, and only counts a removal as failed once the real cancel/completion event arrives.
• Banner cycle mutations are synchronized, upgrade-progress cancellation faults are isolated to their own row, and OnRemove callbacks are properly awaited.

UI / CSS / Accessibility

• Log tabs are keyboard-accessible with Tab navigation, button roles, and correct disabled states for screen readers.
• Tab-list keyboard handling now prevents default browser behavior only where needed, keeping focus and scroll behavior predictable.
• ValueSelect dropdowns keep C# and JavaScript open/close/toggle state in sync, so the visible menu matches the component state.
• .visually-hidden styles are scoped correctly so screen-reader-only content doesn't affect unrelated UI.
• Accessibility infrastructure: visible keyboard focus, respect for reduced-motion settings, page landmarks.
• Accessibility behavior: skip-to-content link, live region announcements, proper button roles, visual cues that don't depend on color alone.
• Screen-reader completion announcements for long-running operations via a shared announcer host (e.g., upgrades, removals, classifications announce when they finish).
• Reusable Checkbox component and a new switch-style boolean component; radio groups were refactored to share centralized ARIA parameters in a common base class for consistent labelling.
• Manage tab "blocked" help text (upgrade-blocked, save-blocked) no longer re-announces on every state flip — only the action labels are described, not the live status spans.
• Database row keyboard order is now natural left-to-right (name → toggle/upgrade → trash) while the trash control stays visually pinned to the left edge.
• A pending-toggle visual indicator (subtle 1px ring) and screen-reader suffix ("pending toggle, unsaved") make staged enable/disable changes obvious.
• CSS cleanup: switched from ID selectors to classes, removed !important overrides and the forced-colors override, and consolidated styling tokens.
• A single generic modal style is used across the app; alert dialogs share the same look.
• Boolean "yes/no" selectors no longer look like green/red traffic lights — enabled now uses the app's positive color, removing the polarity confusion.
• ValueSelect dropdowns: several bug fixes and smoother behavior.
• Removed unused HTML and navigation scaffolding.
• Markdown rendering now supports italics.
• Debug Log modal: filtering, smooth scrolling for large logs, export, and newest-first streaming (with a "busy" announcement for screen readers while loading).
• Removed the redundant "Copy Event" button from the details pane (copy is still available from the right-click menu and keyboard shortcuts).
• Modal footers right-align their buttons consistently across the app.
• Debug Log modal: very long lines no longer cause a horizontal scrollbar — they clip with an ellipsis, and hovering shows the full line as a tooltip (indentation in stack traces is preserved so they still read correctly).

Bug Fixes

• File picker titles now flow through the Win32 dialog correctly, suggested file names are bounds-checked, and long titles are clamped safely.
• Log-view scroll pinning is re-armed when the view shrinks, so pinned output stays anchored after filtering or resizing.
• Fixed an inverted pin-state guard in DatabaseToolsLogView that could keep the live log from following new output.
• ValueSelect now re-renders immediately after close/open/toggle state changes instead of drifting from the JavaScript state.
• Restored the RestartNowAndUpdate options in update prompts.
• DatabaseToolsLogView now resets its watermark correctly between operations.
• Combined view no longer treats records from different logs as duplicates when they happen to share a record ID.
• Fixed crashes when an event message ends with a %n placeholder or uses 0 as a string terminator.
• Fixed an event variant type mismatch that could break resolution; added a missing variant and a more helpful default.
• Fixed an error when trying to read a log file that had been deleted on disk.
• Fixed temp-file creation failures when working with encrypted logs (the app now uses a file stream directly).
• Fixed a disposal bug in the database-backed resolver and a watcher constructor bug.
• Fixed a dependency injection issue with the diagnostic logger.
• Provider-database failure dialogs only appear when you start a scan manually — no more popups during startup scans.
• Several smaller ValueSelect bugs and rough edges.
• Added a clean failure path when provider-database deserialization returns nothing instead of throwing.
• Added proper cleanup (IDisposable) to several components to prevent leaks, and removed dispose calls that were no longer needed.
• Update checks no longer repeat themselves — once per session.
• Removing a database no longer wildcard-deletes your .bak backup files.
• Empty or unrecognized provider databases no longer crash the resolver — they're flagged and quarantined.
• Removed unused remote-machine support from the event message and registry providers.
• Opening one Live log immediately after another no longer briefly populates and then wipes the new log's table — close-all now clears state before the previous log's watcher finishes draining.
• Bulk-selection cleanup in the Manage tab is scoped to the file names that were actually removed instead of clearing the entire selection set.
• The close-and-reopen warning is restored in the remove-confirmation dialog, and per-file removal failures are surfaced so you can see which ones didn't go through.
• Removals that throw after confirmation are counted as failures (rather than silently dropped) so the UI reflects the real outcome.