v26.5.28.1003

All changes since the last stable release (v26.3.5.912).

Highlights

• Database Tools UI is now available from the Tools menu, giving Create/Diff/Merge/Show/Upgrade provider-database operations an in-app tabbed workflow with live logs, safer file picking, and elevation awareness.
• Light mode is now available, with an option to follow your Windows theme. The title bar follows it too.
• Reorder event table columns by drag-and-drop. Column widths and order are remembered across sessions.
• International Windows support — events on non-English Windows installs (and exported .evtx files that include a LocaleMetaData folder) now resolve to readable text instead of falling back to placeholders.
• Better text for "no provider" events — when an event has no provider metadata, the app now shows the event's data and a meaningful success/error message instead of placeholders. Channel-only providers resolve correctly, and older events that share IDs are now disambiguated.
• Provider database recovery — imported databases are checked when they load, with clear status badges in Settings. Old (V3) databases automatically upgrade to the new V4 format; empty or unrecognized files are set aside instead of breaking event resolution. If an upgrade is interrupted, a recovery dialog walks you through finishing it. Newly imported databases stay disabled until you turn them on.
• In-app banner system for upgrade progress, recoverable errors (with optional action buttons), and crash recovery — the banner sits above the error boundary so it's still visible if something goes wrong. "No events found" alerts are grouped together when you open several logs at once.
• Filter overhaul — filters re-evaluate only when they actually change, run in parallel when there are lots of events, and new events are checked against active filters as they arrive instead of re-filtering every open log.
• Faster combined view — when multiple logs are open, the Combined view is now built once and updated in place as events stream in, instead of being rebuilt from scratch on every update. Live tailing is dramatically faster and uses less memory.
• New menu bar replaces the older Windows menu bar and simplifies right-click menus across the app.
• Debug Log modal now has filtering, scrolls smoothly through large logs, lets you export the contents, and shows newest entries first as they stream in.
• More reliable live event subscriptions — the underlying watcher is more resilient to exceptions, won't get stuck on stop, and won't leak system handles. The initial backlog drains more cleanly when you open a log.
• Accessibility improvements — skip-to-content link, screen reader announcements, visible keyboard focus, respect for reduced-motion preferences, page landmarks, proper button roles, and visual cues that don't rely on color alone.
• Details pane height is remembered between sessions.
• DbTool now reads MTA files, supports more event types and variant types, and the app correctly identifies more severity levels for broader event coverage.
• Major performance and memory pass — many smaller improvements across the app add up to faster load times, smoother scrolling, and lower memory use, especially with multiple logs open.

Features

• Database Tools is available from the Tools menu, with a tabbed modal and vertical tab strip for Create, Diff, Merge, Show, and Upgrade provider-database operations.
• Database Tools includes a live log view that streams operation output while long-running work is in progress.
• Database Tools uses an elevation-safe Win32 file picker for choosing database paths and output locations.
• Database tooling caches the elevation check and warns when EventDbTool starts without administrator rights.
• Light mode with a "Follow system" option; the title bar honors the OS theme.
• Drag-and-drop column reordering in the event table; column widths and order are remembered.
• Details pane height is remembered between sessions.
• XML is now always available without flipping a toggle. It's only generated when a filter actually needs it, so there's no performance cost when you don't use it.
• New menu bar with a consistent look, replacing the older Windows menu bar (right-click menus are simpler too).
• Improved keyboard navigation in the event table.
• The "Open by Log Name" picker now mirrors the folder structure you'd see in Event Viewer (MMC).
• Exported .evtx files with a LocaleMetaData folder are now fully supported.
• DbTool can read MTA provider files.
• More events display the correct severity (Information / Warning / Error / Critical / Verbose).
• More event types and variant types are recognized, so more events resolve to readable text.
• The title bar now shows the app name and version before any open log names.
• In-app release notes and Markdown content now render italics.

Database & Recovery

• New V4 provider database format with improved resolution coverage (merges in publishers that own a given channel).
• Imported databases get a clear status in the Settings modal: classified, not yet classified, unknown format, has backup, etc.
• Empty or unrecognized provider databases are set aside (quarantined) instead of breaking the resolver.
• Obsolete or unrecognized databases are rejected by EventDbTool commands with a clear message.
• V3 databases automatically upgrade to V4. Newly imported databases start out disabled — turn them on when you're ready.
• If an upgrade is interrupted (power loss, crash, etc.), the app detects the leftover marker file and offers a recovery dialog.
• Removing a database no longer deletes your own .bak backup files.
• If one entry in a batch import fails, the rest still go through — the failures are listed in the Settings modal.
• Toggling pre-release builds in Settings can now kick off a database upgrade right from the confirmation dialog.
• Opening a log waits for database classification to finish first, so resolution doesn't silently use the wrong data.

Banners & Alerts

• New app-wide banner area for upgrade progress, attention items, and recoverable errors.
• Error banners can include an action button (for example, a Reload button).
• The Reload button automatically gets keyboard focus when an error banner appears, so you can press Enter to recover.
• If the app hits an unhandled exception, it now offers in-app recovery via a banner instead of going to a hard failure screen.
• "Empty log" notifications are grouped together when you open several logs at once, instead of stacking up.
• Banner severity (Critical vs. Error) is now consistent across the app.

Settings Modal / Database UX

• Status indicators meet WCAG AA contrast, including the "classification pending" state.
• Database rows are restructured so the most useful action is the primary one for that row's current status.
• The trash (delete) action appears when you click the database name, and a subtle left indicator strip makes status easier to read at a glance.
• Recovery dialog wording is now pluralized correctly when more than one database needs attention.

Event Resolution

• Events with no provider metadata now show the event data and a readable success/error message instead of placeholders.
• Channel-only providers (events that only identify a channel, not a publisher) now resolve via the channel's owning publisher.
• Older event messages that share IDs are now disambiguated by their qualifier value.
• Templates that legitimately expect zero properties no longer cause spurious "property mismatch" messages.
• Environment variables in publisher metadata paths are expanded properly; resolution is more reliable for providers that use full raw IDs.
• The "Add log" and "Close all" menu items are only enabled when you actually have logs open. "Security" and "State" are only enabled when running elevated.
• Events on non-English Windows installs, and exported .evtx files that ship a LocaleMetaData folder, now resolve via .mui satellite files instead of placeholders.

Filter Improvements

• Filters are evaluated through a new, more reliable pipeline. Behavior is the same — performance and stability are better.
• Toggling unrelated UI no longer causes the filter pipeline to re-run; it only re-runs when filter state actually changes.
• When there are lots of events, filtering runs in parallel. As new events arrive, only the new ones are checked against active filters instead of re-filtering every open log.
• Filters keep their position in the panel even after edits.
• Drafting a new filter no longer leaves stale placeholder rows behind, including when you collapse a filter group mid-edit.
• Filter text parsing now handles quotes, backslashes, and whitespace consistently in all contexts, including sub-filters and multi-select values.
• Date-range defaults are now consistent across the app.
• The filter spinner reflects only the latest filter run — older, slower runs can no longer overwrite a newer result.

Performance & Memory

• Database Tools log output flushes in batches, and Show Providers output is built in a single pass for smoother long-running operations.
• Combined view rebuild eliminated — when multiple logs are open, the Combined view is maintained in place instead of rebuilt on every event. Live tailing is 92–94% faster with 17–50% lower memory use in benchmarks. Per-log tabs are derived from the Combined view on demand. Filter changes, log loads, and log closes are 22–48% faster too.
• Combined-events sorting uses a merge of pre-sorted per-log lists instead of a full re-sort; default sort is consistent between per-log and combined views.
• Reduced string and memory allocations in hot paths: pooled string builders, faster format-token paths, and primitive specializations in logging.
• Provider database serialization u...

v26.5.19.1351

All changes since the last stable release (v26.3.5.912).

Highlights

• Light mode is now available, with an option to follow your Windows theme. The title bar follows it too.
• Reorder event table columns by drag-and-drop. Column widths and order are remembered across sessions.
• International Windows support — events on non-English Windows installs (and exported .evtx files that include a LocaleMetaData folder) now resolve to readable text instead of falling back to placeholders.
• Better text for "no provider" events — when an event has no provider metadata, the app now shows the event's data and a meaningful success/error message instead of placeholders. Channel-only providers resolve correctly, and older events that share IDs are now disambiguated.
• Provider database recovery — imported databases are checked when they load, with clear status badges in Settings. Old (V3) databases automatically upgrade to the new V4 format; empty or unrecognized files are set aside instead of breaking event resolution. If an upgrade is interrupted, a recovery dialog walks you through finishing it. Newly imported databases stay disabled until you turn them on.
• In-app banner system for upgrade progress, recoverable errors (with optional action buttons), and crash recovery — the banner sits above the error boundary so it's still visible if something goes wrong. "No events found" alerts are grouped together when you open several logs at once.
• Filter overhaul — filters re-evaluate only when they actually change, run in parallel when there are lots of events, and new events are checked against active filters as they arrive instead of re-filtering every open log.
• Faster combined view — when multiple logs are open, the Combined view is now built once and updated in place as events stream in, instead of being rebuilt from scratch on every update. Live tailing is dramatically faster and uses less memory.
• New menu bar replaces the older Windows menu bar and simplifies right-click menus across the app.
• Debug Log modal now has filtering, scrolls smoothly through large logs, lets you export the contents, and shows newest entries first as they stream in.
• More reliable live event subscriptions — the underlying watcher is more resilient to exceptions, won't get stuck on stop, and won't leak system handles. The initial backlog drains more cleanly when you open a log.
• Accessibility improvements — skip-to-content link, screen reader announcements, visible keyboard focus, respect for reduced-motion preferences, page landmarks, proper button roles, and visual cues that don't rely on color alone.
• Details pane height is remembered between sessions.
• DbTool now reads MTA files, supports more event types and variant types, and the app correctly identifies more severity levels for broader event coverage.
• Major performance and memory pass — many smaller improvements across the app add up to faster load times, smoother scrolling, and lower memory use, especially with multiple logs open.

Features

• Light mode with a "Follow system" option; the title bar honors the OS theme.
• Drag-and-drop column reordering in the event table; column widths and order are remembered.
• Details pane height is remembered between sessions.
• XML is now always available without flipping a toggle. It's only generated when a filter actually needs it, so there's no performance cost when you don't use it.
• New menu bar with a consistent look, replacing the older Windows menu bar (right-click menus are simpler too).
• Improved keyboard navigation in the event table.
• The "Open by Log Name" picker now mirrors the folder structure you'd see in Event Viewer (MMC).
• Exported .evtx files with a LocaleMetaData folder are now fully supported.
• DbTool can read MTA provider files.
• More events display the correct severity (Information / Warning / Error / Critical / Verbose).
• More event types and variant types are recognized, so more events resolve to readable text.
• The title bar now shows the app name and version before any open log names.
• In-app release notes and Markdown content now render italics.

Database & Recovery

• New V4 provider database format with improved resolution coverage (merges in publishers that own a given channel).
• Imported databases get a clear status in the Settings modal: classified, not yet classified, unknown format, has backup, etc.
• Empty or unrecognized provider databases are set aside (quarantined) instead of breaking the resolver.
• Obsolete or unrecognized databases are rejected by EventDbTool commands with a clear message.
• V3 databases automatically upgrade to V4. Newly imported databases start out disabled — turn them on when you're ready.
• If an upgrade is interrupted (power loss, crash, etc.), the app detects the leftover marker file and offers a recovery dialog.
• Removing a database no longer deletes your own .bak backup files.
• If one entry in a batch import fails, the rest still go through — the failures are listed in the Settings modal.
• Toggling pre-release builds in Settings can now kick off a database upgrade right from the confirmation dialog.
• Opening a log waits for database classification to finish first, so resolution doesn't silently use the wrong data.

Banners & Alerts

• New app-wide banner area for upgrade progress, attention items, and recoverable errors.
• Error banners can include an action button (for example, a Reload button).
• The Reload button automatically gets keyboard focus when an error banner appears, so you can press Enter to recover.
• If the app hits an unhandled exception, it now offers in-app recovery via a banner instead of going to a hard failure screen.
• "Empty log" notifications are grouped together when you open several logs at once, instead of stacking up.
• Banner severity (Critical vs. Error) is now consistent across the app.

Settings Modal / Database UX

• Status indicators meet WCAG AA contrast, including the "classification pending" state.
• Database rows are restructured so the most useful action is the primary one for that row's current status.
• The trash (delete) action appears when you click the database name, and a subtle left indicator strip makes status easier to read at a glance.
• Recovery dialog wording is now pluralized correctly when more than one database needs attention.

Event Resolution

• Events with no provider metadata now show the event data and a readable success/error message instead of placeholders.
• Channel-only providers (events that only identify a channel, not a publisher) now resolve via the channel's owning publisher.
• Older event messages that share IDs are now disambiguated by their qualifier value.
• Templates that legitimately expect zero properties no longer cause spurious "property mismatch" messages.
• Environment variables in publisher metadata paths are expanded properly; resolution is more reliable for providers that use full raw IDs.
• The "Add log" and "Close all" menu items are only enabled when you actually have logs open. "Security" and "State" are only enabled when running elevated.
• Events on non-English Windows installs, and exported .evtx files that ship a LocaleMetaData folder, now resolve via .mui satellite files instead of placeholders.

Filter Improvements

• Filters are evaluated through a new, more reliable pipeline. Behavior is the same — performance and stability are better.
• Toggling unrelated UI no longer causes the filter pipeline to re-run; it only re-runs when filter state actually changes.
• When there are lots of events, filtering runs in parallel. As new events arrive, only the new ones are checked against active filters instead of re-filtering every open log.
• Filters keep their position in the panel even after edits.
• Drafting a new filter no longer leaves stale placeholder rows behind, including when you collapse a filter group mid-edit.
• Filter text parsing now handles quotes, backslashes, and whitespace consistently in all contexts, including sub-filters and multi-select values.
• Date-range defaults are now consistent across the app.
• The filter spinner reflects only the latest filter run — older, slower runs can no longer overwrite a newer result.

Performance & Memory

• Combined view rebuild eliminated — when multiple logs are open, the Combined view is maintained in place instead of rebuilt on every event. Live tailing is 92–94% faster with 17–50% lower memory use in benchmarks. Per-log tabs are derived from the Combined view on demand. Filter changes, log loads, and log closes are 22–48% faster too.
• Combined-events sorting uses a merge of pre-sorted per-log lists instead of a full re-sort; default sort is consistent between per-log and combined views.
• Reduced string and memory allocations in hot paths: pooled string builders, faster format-token paths, and primitive specializations in logging.
• Provider database serialization uses source-generated JSON for faster reads/writes.
• Compressed JSON now streams directly to and from disk, avoiding large temporary strings and byte arrays.
• First-time provider resolution coalesces concurrent requests; parallel local resolution uses an owned registry key for better isolation.
• Keyword decoding is single-pass and short-circuits when there are no standard keywords to check.
• Native event rendering uses stack buffers for typical sizes and falls back to a pooled buffer for very large events.
• Scrolling to the selected event is now a single indexed pass instead of two searches.
• Copying multiple events to the clipboard reuses one string builder; owning-log parsing is faster.
• Keyword display strings are built only when first read.
• Rotating cache for NTStatus and HResult lookups speeds up repeated decodes.
• Caches ar...

v26.5.12.971

All changes since the last stable release (v26.3.5.912).

Highlights

• Light mode is now available, with an option to follow the system theme (title bar included).
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering across sessions.
• MUI-aware event message resolution — events on international Windows installs (and from exported .evtx files with LocaleMetaData folders) now resolve correctly via .mui satellites instead of falling back to placeholders.
• Better event resolution for "no provider" cases — events with no provider metadata now render EventData and ERROR_SUCCESS text instead of placeholders, channel-named providers resolve correctly, and legacy events are disambiguated by Qualifier.
• Database recovery flow — imported provider databases are classified on load (V4 schema with auto-upgrade from V3, quarantine for empty/unrecognized/obsolete formats), interrupted upgrades are detected and recovered via a dedicated dialog, and freshly-imported databases default to disabled until you opt in.
• App-level banner system for upgrade progress, recoverable errors with action buttons, and unhandled-exception recovery — mounted above the error boundary so it survives crashes. Empty-log alerts are batched when opening multiple logs at once.
• Filter pipeline overhaul — immutable BasicFilterSource / CompiledFilter model, signature-based change detection, parallel filtering above a threshold, and only-new-events filtering on arrival instead of re-filtering all active logs.
• Faster combined-events sorting via a k-way merge of pre-sorted per-log lists (replaces the full re-sort), and a cross-log RecordId equality bug is fixed.
• Custom menu bar replaces the XAML one and simplifies context menus across the app.
• Debug Log modal gains filtering, virtualization, export, and newest-first streaming.
• More reliable live event subscriptions — EventLogWatcher hardened against handler exceptions, reentrant stops, and finalizer-time native handle leaks, with a cleaner initial-backlog drain.
• Accessibility infrastructure: skip link, live regions, focus-visible, reduced-motion, landmarks, role=button, non-color cues.
• Details pane height is now remembered as a user preference.
• DbTool now supports MTA files; added missing severity levels and additional event types / EvtVariantTypes for broader event coverage.
• Major memory and performance pass — pooled StringBuilder via thread-static cache, System.Text.Json source generators for provider DB serialization, IFormattable direct-write logging, primitive specializations on interpolated log handlers, and many smaller hot-path wins.

Features

• Light mode with follow-system-theme option, and the title bar honors the OS theme.
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering.
• Details pane height persisted as a user preference.
• XML resolution no longer requires the toggle — XML is automatically available, but only resolved when a filter actually needs it.
• Custom menu bar with templated menu items, replacing the XAML menu bar (also simplifies context menus).
• Improved keyboard navigation in the event table, with refactored event selection.
• LogName parser now creates folder structure that aligns with the MMC.
• Support for exported LocaleMetaData folders when resolving events from exported .evtx files.
• DbTool supports MTA files for provider details.
• Added missing severity levels so more events display the correct level.
• Added additional event types and EvtVariantTypes for broader event coverage.
• Title bar shows app name and version before log names.
• Markdown italics now render in release notes / in-app Markdown.

Database & Recovery

• New V4 provider DB schema with ResolvedFromOwningPublisher merging for better resolution coverage.
• Imported databases are classified on load with a clear status (NotClassified, Unknown, BackupExists, etc.) surfaced in the Settings modal.
• Empty and unrecognized provider databases are quarantined at classification time instead of failing the resolver.
• Obsolete and unrecognized provider DBs are now rejected by EventDbTool commands with clear messaging.
• V3 databases auto-upgrade to V4; freshly-imported databases default to disabled.
• Interrupted upgrades are detected via an .upgrade.bak marker and recoverable through a new recovery dialog.
• Remove no longer deletes user-created .bak files via wildcard.
• Per-entry import failures are surfaced in the Settings modal with buffered toggles so a bad entry doesn't break the batch.
• Inline upgrade banner triggers settings-scope upgrades from the Settings modal toggle confirmation.
• Opening a log now waits for classification to complete and gracefully handles resolver errors.

Banners & Alerts

• New app-level banner surface for upgrade progress, attention items, and recoverable errors.
• Error banners can include an optional action button (e.g. reload).
• Reload button gets focus automatically when an error banner appears.
• Unhandled exceptions route through the banner system for in-app recovery instead of hard failures.
• Empty-log alerts are batched across multi-open call sites.
• Banner severity taxonomy aligned (Critical/Error).

Settings Modal / Database UX

• Classification-pending UX with WCAG AA contrast on status fills.
• Database rows restructured with per-status primary actions and tightened visuals.
• Trash action revealed by clicking the database name, with a recessed left strip indicator.
• Recovery dialog copy pluralized for multi-entry scenarios.

Event Resolution

• Events with no provider metadata now render EventData and ERROR_SUCCESS text instead of placeholders.
• Channel-named providers resolve via EvtChannelConfigOwningPublisher.
• Legacy event messages are disambiguated by Qualifier.
• Empty manifest templates are treated as zero expected properties on strict match (no more spurious mismatches).
• Environment variables are expanded in publisher metadata paths; short-id fallback hardened for full-RawId manifests.
• Add/Close-All gated on open logs; Security/State gated on admin elevation.
• Events on international Windows installs and exported .evtx files with LocaleMetaData folders resolve via .mui satellites.

Filter Improvements

• New immutable filter model: BasicFilterSource, CompiledFilter, and a FilterCompiler replacing the old mutable FilterModel shape.
• Signature-based change detection so the UI no longer refilters on every flip.
• Parallel filtering above a threshold when combined event count is large; only-new-events filtering on arrival instead of re-filtering all active logs.
• Filters are now indexed so position in the pane is preserved.
• New-filter drafts render as pane-/group-local pending rows instead of dispatching IsEditing placeholders, with stale row state cleared on group collapse.
• FilterService.TryParse string escaping now handles quotes, backslashes, and whitespace consistently across top-level, sub-filter, and MultiSelect paths.
• Date-range default logic moved into a single DateRangeDefaults helper.
• Filter spinner: filter-generation guard added for stale-result races.

Performance & Memory

• K-way merge of pre-sorted per-log lists for combined events (replaces full re-sort); per-log/combined default aligned to DateAndTime.
• Pooled StringBuilder via thread-static cache; replaced per-call format-token allocations with IFormattable direct paths, plus primitive specializations on logging interpolated handlers.
• System.Text.Json source generators for provider database DTO serialization.
• Streamed JSON directly to/from GZipStream in CompressedJsonValueConverter — eliminates intermediate string and byte[] allocations.
• Per-provider Lazy gates coalesce first-touch ProviderDetails work; replaced shared Registry.LocalMachine with an owned base key for parallel local resolution.
• Single-pass GetKeywordsFromBitmask, with hoisted Keywords value and mask-gated standard-keyword loop.
• stackalloc bounded in EventMethods native-render paths, with ArrayPool fallback above 4096 chars.
• ScrollToSelectedEvent collapsed from FirstOrDefault + IndexOf into a single indexed pass over DisplayedEvents.
• Multi-event clipboard copy reuses a single StringBuilder; replaced OwningLog.Split.Last with a LastIndexOf slice (also in the row template).
• Deferred KeywordsDisplayName join until first read.
• Rotating cache for NTStatus and HResult lookups.
• Caches are instance-based so they release at end of life cycle.
• Faster event table loading (batch loading + improved indexing).
• Sort-in-place on load (no ImmutableArray round-trip); event table compares updated vs. current combined lists before triggering an update; status bar only triggers updates on actual value changes.
• Logger allocates only when an event is actually logged, and uses a temp file instead of in-memory buffering.
• Property-count function reuses the same caching as the format-properties function; better template matching when multiple candidates exist.
• Optimized hot paths and reduced redundant allocations across the app.

Reliability

• Live event subscriptions: native subscription handle released and ThreadPool wait honored on the finalizer path.
• Handler exceptions are isolated and reentrant stops are rejected in EventLogWatcher.
• Initial backlog drained outside the lifecycle lock to avoid stalls.
• More descriptive Win32 messages on UnauthorizedAccessException.
• HandleOpenLog uses channels instead of run-jobs, with a semaphore to throttle threads when multiple logs are opened.

UI / CSS / Accessibility

• New a11y infrastructure: focus-visible...

v26.5.1.960

All changes since the last stable release (v26.3.5.912).

Highlights

• Light mode is now available, with an option to follow the system theme (title bar included).
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering across sessions.
• MUI-aware event message resolution — events on international Windows installs (and from exported .evtx files with LocaleMetaData folders) now resolve correctly via .mui satellites instead of falling back to placeholders.
• Faster combined-events sorting via a k-way merge of pre-sorted per-log lists (replaces the full re-sort), and a cross-log RecordId equality bug is fixed.
• Filter pipeline overhaul — immutable BasicFilterSource / CompiledFilter model, signature-based change detection, parallel filtering above a threshold, and only-new-events filtering on arrival instead of re-filtering all active logs.
• Custom menu bar replaces the XAML one and simplifies context menus across the app.
• Accessibility infrastructure: skip link, live regions, focus-visible, reduced-motion, landmarks, role=button, non-color cues.
• Details pane height is now remembered as a user preference.
• DbTool now supports MTA files; added missing severity levels and additional event types / EvtVariantTypes for broader event coverage.
• Major memory and performance pass — pooled StringBuilder via thread-static cache, System.Text.Json source generators for provider DB serialization, IFormattable direct-write logging, primitive specializations on interpolated log handlers, and many smaller hot-path wins.

Features

• Light mode with follow-system-theme option, and the title bar honors the OS theme.
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering.
• Details pane height persisted as a user preference.
• XML resolution no longer requires the toggle — XML is automatically available, but only resolved when a filter actually needs it.
• Custom menu bar with templated menu items, replacing the XAML menu bar (also simplifies context menus).
• Improved keyboard navigation in the event table, with refactored event selection.
• LogName parser now creates folder structure that aligns with the MMC.
• Support for exported LocaleMetaData folders when resolving events from exported .evtx files.
• DbTool supports MTA files for provider details.
• Added missing severity levels so more events display the correct level.
• Added additional event types and EvtVariantTypes for broader event coverage.
• Title bar shows app name and version before log names.
• Markdown italics now render in release notes / in-app Markdown.

Filter Improvements

• New immutable filter model: BasicFilterSource, CompiledFilter, and a FilterCompiler replacing the old mutable FilterModel shape.
• FilterEditorModel split into Main + flat SubClauses with mutable draft types, leaving the persisted FilterModel immutable.
• Signature-based change detection computed during filter construction (no more refilter on UI flip).
• Parallel filtering above a threshold when combined event count is large; only-new-events filtering on arrival instead of re-filtering all active logs.
• FilterCategoryEditor items cached per ActiveLogs snapshot via ConditionalWeakTable to avoid per-render recomputation.
• EventFilter.RequiresXml precomputed at construction instead of scanned on every access.
• FilterService.TryParse string escaping now handles quotes, backslashes, and whitespace consistently across top-level, sub-filter, and MultiSelect paths.
• New-filter drafts now render as FilterPane-local / FilterGroup-local pending rows instead of dispatching IsEditing placeholders, with stale row state cleared on group collapse.
• Filters are now indexed so position in the pane is preserved.
• Generic BaseFilterRow / EditableFilterRowBase shares common row code; FilterGroup.SetFilter is now an upsert.
• Favorites import deduplication and filter group display rebuild consolidated and optimized.
• Date-range default logic moved into a single DateRangeDefaults helper.
• Filter spinner: replaced ToggleIsLoading with SetIsLoading and added a filter-generation guard for stale-result races.
• Retired FilterModel.IsEditing and the legacy in-state edit actions/reducers/effects; finalized init-only FilterModel fields.

Performance & Memory

• K-way merge of pre-sorted per-log lists for combined events (replaces full re-sort); per-log/combined default aligned to DateAndTime.
• Pooled StringBuilder via thread-static cache; replaced per-call format-token allocations with IFormattable direct paths, plus primitive specializations on logging interpolated handlers.
• System.Text.Json source generators for provider database DTO serialization.
• Streamed JSON directly to/from GZipStream in CompressedJsonValueConverter — eliminates intermediate string and byte[] allocations.
• Per-provider Lazy gates coalesce first-touch ProviderDetails work; replaced shared Registry.LocalMachine with an owned base key for parallel local resolution.
• Single-pass GetKeywordsFromBitmask: hoisted Keywords value, mask-gated the standard-keyword loop, replaced .Keys+indexer with KVP enumeration.
• stackalloc bounded in EventMethods native-render paths, with ArrayPool fallback above 4096 chars.
• GetComparer ascending/descending instances cached as static readonly singletons.
• ScrollToSelectedEvent collapsed from FirstOrDefault + IndexOf into a single indexed pass over DisplayedEvents.
• Multi-event clipboard copy reuses a single StringBuilder; replaced OwningLog.Split.Last with a LastIndexOf slice (also in the row template).
• Deferred KeywordsDisplayName join until first read.
• Rotating cache for NTStatus and HResult lookups.
• Caches are instance-based so they release at end of life cycle.
• Faster event table loading (batch loading + improved indexing).
• Refactored string cache and keywords display (created on init instead of per call); consolidated to IReadOnlyList and removed extra allocations.
• Sort-in-place on load (no ImmutableArray round-trip); event table compares updated vs. current combined lists before triggering an update; status bar only triggers updates on actual value changes.
• Logger allocates only when an event is actually logged, and uses a temp file instead of in-memory buffering.
• Property-count function reuses the same caching as the format-properties function; better template matching when multiple candidates exist.
• Optimized hot paths and reduced redundant allocations across the app.

Async / Threading Cleanup

• HandleOpenLog uses channels instead of run-jobs, with a semaphore to throttle threads when multiple logs are opened.
• Replaced FireAndForget with InvokeAsync so the render thread and JS interop play nicely.
• Converted certain async void methods to async Task; wrapped InvokeAsync calls with exception handlers and removed redundant InvokeAsync calls.
• Updated CTS flow for cleaner cancellation; tests updated to use cancellation tokens.
• Simplified the provider lock pattern.
• Set a threshold for switching filtering to parallel; removed IsLoading for table updates with multi-log loading.
• Refactored the logger to use an event instead of an action property.

UI / CSS / Accessibility

• New a11y infrastructure: focus-visible, reduced-motion, landmarks.
• New a11y behavior: skip link, live regions, role=button, non-color cues.
• Converted ID selectors to classes, removed !important overrides, and dropped the forced-colors override.
• Consolidated CSS tokens and removed unused/redundant CSS; row styles share a common base.
• Generic modal service replaces individual modal components; per-modal sizing variables and an inline alert header for modals.
• Boolean select restyled to be theme-consistent — enabled state now uses the positive color (no more red/green polarity confusion).
• ValueSelect dropdowns: bug fixes and optimizations.
• Removed unused HTML / navigation scaffolding and dropped aria-expanded from the Razor side (handled by JS).
• Markdown parser now supports italics.

Bug Fixes

• Cross-log RecordId equality bug in the combined-events view (records from different logs no longer collide).
• Index out of range when event messages contain a trailing %n or use 0 as a terminator.
• Variant type mismatch that could cause event resolution issues; added a missing variant and a more diagnostic default.
• Reading a log file after it was deleted.
• Temp file creation failure when encryption was involved (now uses a file stream directly instead of copying).
• Dispose method on the DB event resolver and a watcher constructor bug.
• Logger DI issue.
• Failure dialogs now only appear when a manual scan is initiated (no more startup-scan noise).
• Several smaller bugs and optimizations in ValueSelect.
• Added a failure path when Deserialize returns null.
• Added IDisposable to several components to prevent leaks; cleaned up unneeded dispose patterns.

v26.4.22.1179

What's New in v26.4.22.1179

Features

• Light mode is now available, with an option to follow the system theme
• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering across sessions
• Details pane height is now remembered as a user preference
• XML resolution no longer requires the toggle — XML is automatically available, but only resolved when a filter actually needs it
• Improved keyboard navigation in the event table with refactored event selection
• Support for exported LocaleMetaData folders when resolving events from exported .evtx files
• DbTool now supports MTA files for provider details
• Added missing severity levels so more events display the correct level
• Added additional event types and EvtVariantTypes for broader event coverage
• Title bar now shows app name and version before the log names

Improvements

• Faster event table loading with batch loading and improved indexing performance
• Better performance when opening multiple logs (channels + semaphore-throttled threading)
• Filtering automatically switches to parallel processing above a threshold
• Smoother UI updates — the event table and status bar only refresh when values actually change
• Added a rotating cache for NTStatus and HResult lookups
• Caches are now instance-based so they release at end of life cycle
• Reduced memory usage and optimized hot paths throughout the app (string cache, keyword display, property/format caching, sort-in-place, IReadOnlyList)
• Refactored logger to allocate only when an event is actually logged; uses a temp file instead of in-memory buffering
• Refactored async patterns: removed FireAndForget in favor of InvokeAsync, converted async void to async Task, wrapped InvokeAsync calls with exception handlers
• Simplified provider lock pattern and refactored event resolver
• Improved event template matching when multiple potential templates exist
• Refactored filtering references to keyword display name
• Unified State naming across the app for consistency
• Release notes now render properly as Markdown on GitHub
• Removed unused HTML/navigation since the app does not use page navigation
• Removed aria-expanded from the Razor side (handled in JS now)
• Created a GitHub PR pipeline and removed unused legacy pipelines
• Hardened the release workflow to run with least required permissions
• Treat warnings as errors and cleaned up remaining warnings
• Added additional debug logging for event debugging

Bug Fixes

• Fixed index out of range errors when event messages contain a trailing %n or use 0 as a terminator
• Fixed variant type mismatch that could cause event resolution issues
• Fixed issue reading a log file after it was deleted
• Fixed temp file creation failure when encryption was involved (now uses a file stream directly)
• Fixed dispose method on the DB event resolver and a watcher constructor bug
• Fixed logger DI issue
• Fixed several smaller bugs and applied optimizations to ValueSelect dropdowns
• Fixed CI issue related to needs-upgrade checks
• Added a failure path when Deserialize returns null
• Added IDisposable to several components to prevent leaks; cleaned up unneeded dispose patterns

v26.4.21.94

What's New in v26.4.21.94

Features

• Column drag-and-drop reordering in the event table, with persistent column sizing and ordering across sessions
• Details pane height is now remembered as a user preference
• Support for exported LocaleMetaData folders when resolving events from exported .evtx files
• DbTool now supports MTA files for provider details
• Added missing severity levels so more events display the correct level
• Title bar now shows app name and version before the log names

Improvements

• Faster event table loading with batch loading and improved indexing performance
• Better performance when opening multiple logs (reworked threading/throttling)
• Smoother UI updates — the event table and status bar only refresh when values actually change
• Filtering automatically switches to parallel processing above a threshold for better responsiveness
• Added a rotating cache for NTStatus and HResult lookups
• Reduced memory usage and optimized hot paths throughout the app

Bug Fixes

• Fixed index out of range errors when event messages contain a trailing %n or 0 terminator
• Fixed issue reading a log file after it was deleted
• Fixed temp file creation failure when encryption was involved (now uses a file stream directly)
• Fixed a variant type mismatch that could cause event resolution issues
• Fixed several smaller bugs and optimizations in the value selector dropdowns
• Addressed potential memory leaks by properly disposing components
• Updated dependencies/packages

v26.3.5.912

Changes:

• eb8927e Added missing categories to basic filter

This list of changes was auto generated.

v26.2.12.1177

Changes:

• 67098ee Added labels to sub filter and fixed issue with dropdown list being aria hidden
• a07e682 Added aria label for main table
• 7328987 Fixed aria labels in EventTable
• 17642c2 Fixed aria labels on ValueSelect
• 0aacf74 Updated section toggles to show current state
• f463011 Fixed spaces in id params
• 7ead433 Updated labels for section toggles
• 04b0fac Adjusted more labels
• e0003ee Disable forced color adjust
• 74e5772 Added tab and keyboard toggle support to dropdown toggles

See More

• 99e1a15 Added focus element to input components
• f465a01 Added error prompt when trying to rename filter group
• 87cb4c5 Added Aria labels to missing components
• 8975826 Moved title logic to resolve race condition

This list of changes was auto generated.

v26.2.11.1429

Changes:

• a07e682 Added aria label for main table
• 7328987 Fixed aria labels in EventTable
• 17642c2 Fixed aria labels on ValueSelect
• 0aacf74 Updated section toggles to show current state
• f463011 Fixed spaces in id params
• 7ead433 Updated labels for section toggles
• 04b0fac Adjusted more labels
• e0003ee Disable forced color adjust
• 74e5772 Added tab and keyboard toggle support to dropdown toggles
• 99e1a15 Added focus element to input components

See More

• f465a01 Added error prompt when trying to rename filter group
• 87cb4c5 Added Aria labels to missing components
• 8975826 Moved title logic to resolve race condition

This list of changes was auto generated.

v26.2.10.1249

Changes:

• 7ead433 Updated labels for section toggles
• 04b0fac Adjusted more labels
• e0003ee Disable forced color adjust
• 74e5772 Added tab and keyboard toggle support to dropdown toggles
• 99e1a15 Added focus element to input components
• f465a01 Added error prompt when trying to rename filter group
• 87cb4c5 Added Aria labels to missing components
• 8975826 Moved title logic to resolve race condition

This list of changes was auto generated.