June 2nd, 2015

Why do events logged by the ReportEvent function show up in the wrong order in the Event Viewer?

A customer observed that when their service logs multiple events in rapid succession, they sometimes show up out of order in Event Viewer. Specifically, the order of events that all occur within the same second are sometimes mis-ordered relative to each other. Is this expected?

Events in the event viewer are timestamped only to one-second resolution. The EVENT­LOG­RECORD structure reports time in UNIX format, namely, seconds since January 1, 1970.

Experimentation suggested that the Event Viewer sorts events by timestamp, but it does not use a stable sort, so multiple events that occur within the same second end up in an unpredictable order.

Not much you can do about it, but at least now you know that you’re not hallucinating.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.

Feedback