Automatically Create 40 Event Viewer Custom Views

I still find Custom Views useful when troubleshooting on individual workstations, and I’d recently been wondering if it was possible to push them out via GPP or similar. I started creating some views manually, as a test, but it was taking too long.

I’d recently been working on implementing Palantir’s WEF/WEC setup, and wondered whether I could leverage their legwork to automate the creation of these custom views.

The script I came up with took a fraction of the time to write, as opposed to the manual method. It does the following:

  1. Downloads the Palantir ‘windows-event-forwarding’ repo in ZIP format into a temporary folder
  2. Extracts the Event Log query out of each file in the ‘wef-subscriptions’ folder, and
    turns it into an appropriately-named custom Event Viewer view (XML) file in %PROGRAMDATA%\Microsoft\Event Viewer\Views

2017-11-07 16_51_46-Event Viewer

I love how simple PowerShell makes it to work with XML.

The script needs to be run as an admin in order to create the view files in %PROGRAMDATA%, unless you change the output path in the $templateStoragePath variable. It’ll also need to be able to connect to the Internet to download the ZIP file from GitHub.

I’ve started storing my scripts in my PowerShell GitHub repo rather than as Github Gists, and it’s harder to embed them on wordpress.com. View the code via the link below:

https://github.com/dstreefkerk/PowerShell/blob/master/Create-EventViewerCustomViews.ps1

Microsoft Word: Multilevel lists: Removing number font styles

I was recently working with a report template where a numbered Heading 1 had a colour and size assigned to the actual number style. This was then causing problems on the table of contents because the number’s style was showing up there too.

1

The problem is though, it’s impossible to remove the formatting on that number via the UI in Word. By default, the colour is set to “No Color”, but it’s impossible to go back to that setting once a colour has been chosen.

2

3

I didn’t want to re-create the entire document as it had macros embedded, and also had a lot of work done already. Luckily, all of this information is stored in XML format, so it’s not too hard to find.

To remove this style information from the number, do the following with a backup of your file.

  1. Rename the file extension to .zip (I usually just append .zip to the existing filename)
  2. Copy out the Word folder from within the zip file to somewhere temporary7
  3. Open numbering.xml from the unzipped word folder with something like XML Notepad
  4. Search for the name of your style. In my case, it was “Heading1” (note the lack of a space between “Heading” and “1”. The style is actually called “Heading 1” in Word:
    4
  5. Once you find that style, drill down to the w:rPr node. You can see here that a style and colour is defined for the numbering associated with Heading 1
    10
  6. Remove everything under w:rPr except for w:rFonts->w:hint (I’m sure you could remove this too, but it was there by default for other styles)
    11
  7. Save the XML file
  8. Copy the XML file back into the word folder in the zip file
    12
  9. Rename the file extension back to what it originally was. In my case, it was .docm
  10. Open the file in Word, and inspect the result. Hopefully, it succeeds for you as it did for me:
    13

Remember: Do this with a backup copy of your file in case you somehow manage to corrupt it.