The Basics About Working with the Event Viewer in Windows
I’m sure some of you are asking "What on earth is the Event Viewer, and why would I want to work with it?" Windows starts to keep track of what it is doing as soon as you start it up, and continuously saves log files that can provide a wealth of information when something goes wrong (and even when everything is fine). The Event Viewer gives you an easy way to look at those logs. In this tutorial, we’ll take a look at the logs and the information Event Viewer gives you about what’s going on inside.
First, some terminology
Microsoft calls the records Windows writes about things like program installation, security management, and system setup "events." It also refers to the Event Viewer as a "Microsoft Management Console Snap-In," a term you might have encountered before: we’ve done tutorials on other snap-ins, like Local Users and Groups.
I’m not sure why Microsoft chose to call these useful programs snap-ins, but then programmers think in different terms from the rest of us. What it boils down to is that Microsoft calls it viewing events with a snap-in, and the rest of us call it looking at logs with Event Viewer.
Let’s get started
Start the Event Viewer by typing event viewer into the Start Menu search box, or press Win+R and run eventvwr.msc. You can also go to Control Panel -> System and Security -> Administrative Tools -> Event Viewer.
In Windows 8, simply search for event viewer in the Start screen or go to the same path mentioned above, in the Desktop Control Panel.
It may take a few seconds for the display to appear, since the Event Viewer needs to be initialized before you use it for the first time. It will look something like this.
I’m going to talk about the various ways you can view and display Windows logs in this tutorial, and in the next one I’ll show you the more advanced options and the ways the Event Viewer can be customized.
Note that the display window in the center pane doesn’t work the same way other Windows programs do. When you use the scroll bar on the right, the display does not update until you release it. This can sometimes make finding specific entries more difficult than necessary.
Looking at the logs
Expand the menu item called Windows Logs in the left panel, and you’ll see that this includes the Application, Security, Setup, System, and Forwarded Events logs. Microsoft offers a brief explanation of what these logs contain here: What information appears in event logs (Event Viewer)?.
I am not going to talk about Forwarded Events here, since that is a more advanced topic that is used rarely, mostly by network administrators and other professionals who collect logs from several machines onto one.
First, maximize the Event Viewer window so you can see what’s going on more clearly. Then, click on the Application log in the left pane. Uh oh! Look at all those messages!
Actually, this is not at all unusual for an Application log. Remember, Windows keeps track of everything it’s been doing, and classifies each entry by level. The three levels you will see most are Error, Warning, and Information; two more exist, Critical (an unrecoverable failure such as an unexpected shutdown) and Verbose (diagnostic detail), but they are rare in these logs. An Error message means there might have been data loss, or some program is not working correctly, or a device driver failed to load. A Warning message is actually less serious than an Error message (programmer terminology at work again). You might get a Warning message if you’re running out of space on a flash drive, for example. Another example is when some wrong parameters have been sent to an application and it cannot use them in a useful way.
Most of the log entries are classified as Information, which simply means that Windows (or an application) is doing exactly what it’s supposed to be doing, or, if there was a hiccup of some kind (not what a programmer would call an "error"), it didn’t cause any actual problems. You can click on any individual entry (single click) to see an explanation displayed in the lower panel. You can also see the event displayed in the right panel, with a menu of actions you can take. I’ll get to those in a minute. Here I have switched back to the minimized view so you can see the whole Event Viewer screen.
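The same walk through the Windows Logs can be done from PowerShell, which is handy when the scroll bar in the center pane gets in the way. The script below is an added example, not part of the original tutorial: it lists the five logs with their record counts, then pulls the Critical, Error and Warning entries from the Application log for the last 24 hours and counts them per level. It uses only the built-in Get-WinEvent cmdlet and should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original tutorial). Run in an elevated PowerShell prompt.
# Works with the PowerShell 2.0 that ships with Windows 7 and with later versions.

# The Windows Logs the tutorial discusses, with size and number of records on disk.
Get-WinEvent -ListLog Application, Security, Setup, System, ForwardedEvents |
    Select-Object LogName, RecordCount, FileSize, LogMode, IsEnabled |
    Format-Table -AutoSize

# Level numbers as stored in each event: 1 = Critical, 2 = Error, 3 = Warning,
# 4 = Information, 5 = Verbose. Level 0 ("LogAlways") is shown as Information in the UI.
$levelNames = @{ 0 = 'Information'; 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

# Critical/Error/Warning entries from the last 24 hours. FilterHashtable is evaluated by
# the event log service itself, so it is much faster than piping every event to Where-Object.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 1, 2, 3        # Critical, Error, Warning
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent raises an error when nothing matches

if (-not $events) {
    "No Critical/Error/Warning events in the Application log since $since"
}
else {
    # How many of each level: a quick answer to "Look at all those messages!"
    $events | Group-Object Level | ForEach-Object {
        '{0,-12} {1,5}' -f $levelNames[[int]$_.Name], $_.Count
    }

    # Message is the same text the lower pane shows when you single-click an entry;
    # only its first line is printed here to keep the table readable.
    $events | Select-Object -First 10 -Property TimeCreated, Id, ProviderName,
        @{ Name = 'Level';   Expression = { $levelNames[[int]$_.Level] } },
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Change `LogName` to `System` or `Setup` to do the same for the other logs; the level numbers are the same everywhere.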
The explanations that appear are often cryptic, and some of the error messages look downright ominous. Just keep in mind that most messages are just that—messages. They don’t mean that anything is radically wrong. Each event also has an Event ID, and there are a lot of those. To get information on those Event IDs, check the Microsoft web site here: Look up an error message.
Unfortunately, the information you get may be just as cryptic as the original message, or worse. Microsoft also suggests EventIDNet, which is a little more understandable.
If you use EventIDNet, be sure to click on the "comments and links" link at the bottom of the initial page. This is where other users explain what happened to them, and where you’re more likely to see an explanation that isn’t in programmer-ese.
Using the right pane
NOTE: The information in the right pane is the same for all of the Windows Logs in the left pane.
When you’ve selected an event, you’ll see its name duplicated and highlighted in the lower half of the right pane. Try clicking on different events to see this display change.
I’m going to be talking about the items in the lower half of the right pane, with the exception of Attach Task to This Event, which will be part of the tutorial for more advanced options.
Some of what appears in the right pane duplicates what you see in the bottom pane. For example, if you click on Event Properties in the right pane, a window will pop up with the same error message that you see in the lower pane. However, you can do more with the information from the Event Properties window.
If you click on Copy, it doesn’t just copy the error message—it copies that whole section of the error log. If you’re discussing a problem with technical support, the tech-support person may ask you to provide a transcript of the error log. This is the fastest and easiest way to get it. Click that Copy button and then use Ctrl+V to paste the result. Here’s what it looks like when I paste one such message into Notepad.
There is also a separate Copy menu item in the right pane, which gives you two options: Copy Table and Copy Details as Text. Copy Table simply copies the one-line error message that appears in the upper pane. Copy Details as Text works exactly the same as the Copy button in the Event Properties window.
To get a fuller explanation of an error, from the Event Properties window you can click Event Log Online Help, to be taken to Microsoft’s TechNet. Since TechNet is designed with the expert user in mind, the explanation you find there might not be any more instructive than the original cryptic message. In that case, you can also highlight the message, copy it, then paste it into your favorite search engine.
I have found that using Bing is somewhat more likely to list Microsoft pages, but your experience may be different. It’s worth trying more than one search engine to get understandable results. Usually what you will find is a forum of some sort where someone’s asking about that message. The replies to the question might or might not be useful. It would have been nice if Microsoft had provided some non-technobabble pages to explain these things to the rest of us.
Windows 7 does not refresh the display in real time, so you’ll want to click on Refresh in the right pane from time to time to see the most up to date display of messages.
If you click on Save Selected Event, a window will pop up with your Documents folder. If you store your documents somewhere else, you can use this window the same way you would use Windows Explorer to locate your preferred folder for storage. The event will be saved as an event file, with the suffix ".evtx". If you double click on that file, it will open up the Event Viewer—a second instance of the program if you already have it running.
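The three things you can do with a selected event from the GUI (Copy Details as Text, look at its XML, Save Selected Event as .evtx) can also be scripted, which matters when support asks for a particular event from a machine you are not sitting at. The script below is an added example, not part of the original tutorial. It takes the newest Error in the System log as the "selected event", writes its details as text and as XML, exports just that one record to an .evtx with the built-in wevtutil tool, and reads the file back. The folder C:\EventExport is a placeholder you can change; an elevated prompt is assumed.

```powershell
# Added example (not from the original tutorial). Elevated PowerShell prompt assumed.
# C:\EventExport is a placeholder output folder.
$outDir = 'C:\EventExport'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The "selected event": the newest Error in the System log.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 1

# 1. The equivalent of "Copy Details as Text": the description plus the header fields
#    the Details tab lists. The closing "@ of the here-string must start the line.
$text = @"
Log Name:      $($evt.LogName)
Source:        $($evt.ProviderName)
Date:          $($evt.TimeCreated)
Event ID:      $($evt.Id)
Level:         $($evt.LevelDisplayName)
Computer:      $($evt.MachineName)
Description:
$($evt.Message)
"@
$text | Set-Content -Path (Join-Path $outDir 'event.txt') -Encoding UTF8

# 2. The "XML View" on the Details tab: ToXml() returns the raw event record,
#    which is the form other tools parse reliably.
$evt.ToXml() | Set-Content -Path (Join-Path $outDir 'event.xml') -Encoding UTF8

# 3. The equivalent of "Save Selected Event": wevtutil exports a log to .evtx through an
#    XPath filter. Selecting by record number writes exactly this one event.
$evtxPath = Join-Path $outDir 'event.evtx'
$query    = "*[System[EventRecordID=$($evt.RecordId)]]"
$wevtArgs = @('epl', 'System', $evtxPath, "/q:$query", '/ow:true')
& wevtutil.exe @wevtArgs

# Optional: attach the English display strings, so the message text still renders on a
# machine that does not have this event source installed (the GUI asks the same question
# when you save). Only needed if the file will be opened elsewhere.
& wevtutil.exe al $evtxPath /l:en-US

# Reading the saved file back works without the original log, which is why support
# prefers an .evtx over a screenshot.
Get-WinEvent -Path $evtxPath |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
    Format-List
```

Opening the .evtx by double-clicking it still launches a second Event Viewer instance, exactly as described above; `Get-WinEvent -Path` simply avoids the GUI.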
Click on the Security log in the left pane. Here you’ll find another list of messages, most or all of which will be labeled Audit Success. Windows 7 records an audit event each time you log on or off and each time an account or the audit policy itself is changed. It also records attempts to use resources you are not authorized for, in which case the label is Audit Failure, and it logs system integrity events. Note that file operations are not audited by default: Windows only logs file creation, modification, and deletion once Object Access auditing is turned on and an auditing entry (SACL) has been set on the file or folder. Reading the Security log requires administrator rights (or membership in the Event Log Readers group). Scroll the display to the right, if necessary, or drag the column borders so you can see the labels for each event.
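To see what the Security log is actually auditing on your machine rather than guessing, query it directly. The script below is an added example, not part of the original tutorial. It prints the current audit policy for the Logon/Logoff and Object Access categories with the built-in auditpol tool, counts the Audit Failure events of the last week by event ID, and then summarizes failed logons (event 4625) per account, taking the account name, logon type and status code from the event XML instead of the language-dependent message text. An elevated prompt is assumed; the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the original tutorial). Elevated PowerShell prompt required:
# the Security log is readable only by administrators and Event Log Readers.

# Current audit policy. On a default Windows 7 workstation Logon/Logoff is on and
# "File System" (under Object Access) is off, so file create/modify/delete is not logged
# until you enable that subcategory and add an auditing entry (SACL) to the folder.
auditpol.exe /get /category:"Logon/Logoff","Object Access"

# Audit Success / Audit Failure are not levels; they are bits in the event's Keywords.
# FilterHashtable does a bitwise test, so the bare audit bits are enough.
$AuditSuccess = 0x20000000000000   # 9007199254740992
$AuditFailure = 0x10000000000000   # 4503599627370496
$since = (Get-Date).AddDays(-7)    # arbitrary window for this example

# Failed audits of the last week, grouped by event ID so you can see what kind they are
# (4625 = logon failure; 4656/4663 would be object-access failures, once that auditing is on).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = $AuditFailure; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Logon type numbers as used in 4624/4625 events.
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

# Failed logons per account. The EventData fields are read from the XML because the
# Message text is localized and awkward to parse.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $logonTypes[[int]$d['LogonType']]
            Status    = $d['Status']      # 0xC000006D = bad user name or password, 0xC0000234 = account locked out
            Source    = $d['IpAddress']
        }
    } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastSeen';  Expression = { ($_.Group | Sort-Object Time)[-1].Time } },
        @{ Name = 'LogonTypes'; Expression = { ($_.Group | Select-Object -ExpandProperty LogonType | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

A long run of 4625 events for one account from a Network or RemoteInteractive logon type is the classic sign of a password-guessing attempt; the same query with `Id = 4624` and `$AuditSuccess` shows who actually got in.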
Each time you set up new software, and each time you install Windows updates, the Event Viewer creates a log in the Setup menu. Each Windows Update item may generate multiple entries in the log. You can see here that a lot of things happened at the same time on February 14, 2012.
Each event also has an Event ID code. Those are as follows (my simplified explanation rather than the official Microsoft terminology):
- Windows 7 has been asked to install something and is working on it.
- The installation was successful.
- The software attempted to prepare itself for installation but did not succeed.
- The computer must be rebooted before the installation is complete.
The System log is, as you might expect, for system messages generated by Windows 7 and by other installed software such as device drivers. If something fails to load, there will be a log entry for it here, marked as a Warning or an Error depending on how serious the source considers it. Here, I show a series of Warnings about my DVD-ROM drive. It did not mean the drive failed to work properly.
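The Setup and System logs are easier to read once they are grouped: by event ID for Setup, so you can map each ID to one of the four meanings above from your own machine’s messages, and by source for System, so a single chatty driver (like the DVD-ROM driver in the screenshot) stands out from a real failure. The script below is an added example, not part of the original tutorial; it assumes an elevated prompt, and the provider name 'cdrom' used for the drill-down is just the one from the screenshot, to be replaced with whatever your own table shows.

```powershell
# Added example (not from the original tutorial). Elevated PowerShell prompt assumed.

# Setup log: one row per event ID, with the count and the first line of the newest message.
Get-WinEvent -LogName Setup -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ Name = 'Id'; Expression = { $_.Name } }, Count,
        @{ Name = 'NewestMessage'; Expression = {
            (($_.Group | Sort-Object TimeCreated -Descending)[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# System log: which sources produced Critical/Error/Warning entries in the last 7 days.
$since = (Get-Date).AddDays(-7)   # arbitrary window for this example
$sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue

$sys | Group-Object ProviderName, LevelDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Drill into one noisy source. 'cdrom' is the DVD-ROM driver from the tutorial's screenshot;
# replace it with a provider name from the table above.
$provider = 'cdrom'
$sys | Where-Object { $_.ProviderName -eq $provider } |
    Select-Object -First 5 -Property TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Dozens of identical Warnings from one driver, all with the same event ID, are usually the kind of noise the tutorial describes; a single Error from Service Control Manager or a disk driver deserves a closer look.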
Each of these events has an event ID, but looking them up may or may not be informative. I’ve yet to find a web site that explains them all in everyday language. The EventIDNet web site I mentioned above does the best job of explaining, if you click through to where other users talk about their experiences.
Just the basics
This tutorial covered basic use of the Event Viewer, and we only looked at each log, rather than taking any action. While the Event Viewer is a program aimed at more advanced users, anyone can find useful information in it. In the next tutorial, I’ll talk about some of the ways that information can be put to use.