
I want to filter out Warnings, but keep Errors and Critical events in Event Viewer for a particular event.

Does `"EnableLevel"=dword:00000002` accomplish this?

For example:

```
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\EventLog-System\{1c95126e-7eea-49a9-a3fe-a378b03ddb4d}]
"EnableLevel"=dword:00000002
; Default = 0, everything is logged
```

The Warning events I'm trying to filter from my System Log happen randomly, sometimes with days between events, so it's very difficult to determine if changing the value actually works.

The docs seem to indicate that 2 is what I want to only log Error and Critical-level events.

From here

Microsoft defines the semantics of levels 1-5 as shown below.

| Value                       | Meaning                                    |
|-----------------------------|--------------------------------------------|
| TRACE_LEVEL_CRITICAL (1)    | Abnormal exit or termination events        |
| TRACE_LEVEL_ERROR (2)       | Severe error events                        |
| TRACE_LEVEL_WARNING (3)     | Warning events such as allocation failures |
| TRACE_LEVEL_INFORMATION (4) | Non-error informational events             |
| TRACE_LEVEL_VERBOSE (5)     | Detailed diagnostic events                 |

1 Answer

I had to get creative to test this, but I'm confident I've learned the following:

- EnableLevel 0 = Logs all events
- EnableLevel 1 = Logs Critical
- EnableLevel 2 = Logs Critical, Error
- EnableLevel 3 = Logs Critical, Error, Warning
- EnableLevel 4 = Logs Critical, Error, Warning, Information
- EnableLevel 5 = Logs Critical, Error, Warning, Information, Verbose

Notes: There are other levels besides 0-5. I'm not sure what Verbose logs, probably for debugging. I've seen levels as high as 255, probably also for debugging.

From what I can tell, a bitmask value does not work. In other words, there is no OR operator to choose to log, for example, Critical OR Information only.

I can find no documentation for an answer anywhere, so hopefully this helps someone. If anyone has first-hand knowledge of the proper canonical answer, post it and I'll mark it correct.
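
One way to check the log against the threshold behaviour reported in the answer, as an added example that is not part of the original question or answer: it reads the configured `EnableLevel` for the GUID in the question and counts, per level, what that provider has written to the System log since the last boot. The helper name `Test-LevelLogged` is hypothetical, and the script assumes the autologger setting is applied when the session starts at boot.

```powershell
# Added example: read-only check. GUID and key path are the ones from the question.
$guid = [guid]'{1c95126e-7eea-49a9-a3fe-a378b03ddb4d}'
$key  = 'HKLM:\SYSTEM\ControlSet001\Control\WMI\Autologger\EventLog-System\{1c95126e-7eea-49a9-a3fe-a378b03ddb4d}'

# Level names from the table quoted in the question.
$levelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

# Threshold model reported in the answer (hypothetical helper name):
# 0 logs everything, otherwise every level from 1 up to EnableLevel.
function Test-LevelLogged {
    param([int]$EventLevel, [int]$EnableLevel)
    ($EnableLevel -eq 0) -or ($EventLevel -le $EnableLevel)
}

# A missing value is treated as 0, the default noted in the question.
$prop = Get-ItemProperty -Path $key -Name EnableLevel -ErrorAction SilentlyContinue
$enableLevel = if ($prop) { [int]$prop.EnableLevel } else { 0 }

# Assumption: the autologger setting is applied when the session starts at boot,
# so only events written since the last boot reflect the current value.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $boot } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderId -eq $guid })

"EnableLevel = $enableLevel, events from provider since ${boot}: $($events.Count)"

foreach ($level in 1..5) {
    $count    = @($events | Where-Object { $_.Level -eq $level }).Count
    $expected = Test-LevelLogged -EventLevel $level -EnableLevel $enableLevel
    [pscustomobject]@{
        Level        = $level
        Name         = $levelNames[$level]
        ExpectLogged = $expected
        SinceBoot    = $count
        # True when a level above the threshold was still written after boot.
        Mismatch     = (-not $expected) -and ($count -gt 0)
    }
}
```

A `Mismatch` of `True` shows the filter is not in effect for that level; a count of zero proves nothing for events that occur only every few days.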
