Updated: November 23, 2024

eventvwr.msc

Open Event Viewer to see system, application, and security logs.

Command: eventvwr.msc

Category: Diagnostics

Type: GUI

Purpose

Opens Windows Event Viewer, which displays detailed logs of system events, application errors, security audits, and administrative activities. Essential for troubleshooting system problems, investigating crashes, monitoring security, and understanding what's happening on your Windows system.

Quick Summary

Event Viewer is your system's black box recorder. Every error, warning, and significant event gets logged here. See when programs crash, when services start or stop, security events, system errors, and more. Critical for diagnosing problems, monitoring system health, and security auditing.

How to Use

  1. Press Win + R to open the Run dialog.
  2. Type eventvwr.msc and press Enter.
  3. The Event Viewer opens with a tree view on the left.
  4. Expand categories and click on specific logs to view events.
  5. Double-click any event for detailed information.

Alternative methods:

  • Type eventvwr.msc in Command Prompt, PowerShell, or Start menu search
  • Search for "Event Viewer" in the Start menu
  • Right-click "This PC" > Manage > Event Viewer
  • Administrative Tools > Event Viewer

Main Event Log Categories

Windows Logs:

  • Application: Program events (crashes, errors, warnings, information)
  • Security: Security-related events (logons, policy changes, auditing)
  • Setup: Windows installation and update events
  • System: Hardware, driver, and system service events
  • Forwarded Events: Events from remote computers (if configured)

Applications and Services Logs:

  • Detailed logs for specific Windows components
  • Microsoft > Windows contains logs for specific features
  • Individual applications may create their own logs here

Tips and Best Practices

  • Filter logs by level (Critical, Error, Warning) to focus on problems.
  • Use the "Find" feature (Ctrl+F) to search for specific text within events.
  • Create custom views to quickly access filtered event sets.
  • Export logs for sharing with support: Action > Save Selected Events.
  • Right-click logs to clear old events (after saving if needed).
  • Check Event IDs online for detailed explanations and solutions.
  • Look at the timestamps to correlate events with system problems.

Common Use Cases

  • Crash investigation: Identify why programs or Windows crashed.
  • Blue screen analysis: Find BSOD details and related errors.
  • Service problems: See why services failed to start or stopped.
  • Security auditing: Review logon attempts, policy changes, and security events.
  • Performance troubleshooting: Identify events causing slowdowns.
  • Update issues: Diagnose Windows Update failures.
  • Hardware problems: Review driver and hardware failure events.

Prerequisites

  • No administrator rights required to view most logs
  • Administrator rights required to view Security log and some detailed events
  • Available on all Windows versions

Event Levels Explained

  • Critical: Serious errors that may cause system instability or data loss
  • Error: Problems that occurred but didn't stop the system
  • Warning: Not necessarily significant but may indicate future problems
  • Information: Successful operations and routine events
  • Verbose: Detailed diagnostic information (if enabled)

Understanding Event Properties

When you double-click an event:

  • Level: Severity (Critical, Error, Warning, Information)
  • Date and Time: When the event occurred
  • Source: Component or application that logged the event
  • Event ID: Unique identifier for this type of event
  • Task Category: Classification of the event
  • Description: Human-readable explanation
  • Actions: Some events suggest solutions or actions
  • Details: Technical information in Friendly View or XML format

Creating Custom Views

  1. Right-click "Custom Views" > Create Custom View
  2. Set filters (log types, event levels, event IDs, time range)
  3. Name and save the custom view
  4. Access quickly from Custom Views folder

Useful custom views:

  • All Critical and Error events from last 7 days
  • All application crashes
  • All security logon failures
  • All system service failures

Troubleshooting Common Issues

Application Crashes:

  1. Open Application log
  2. Filter by Error level
  3. Look for entries at time of crash
  4. Check Event ID (e.g., 1000 for Application Error)
  5. Note faulting application and module

Blue Screen of Death (BSOD):

  1. Open System log
  2. Filter for Critical level
  3. Look for Event ID 41 (unexpected shutdown)
  4. Check Kernel-Power or bugcheck events
  5. Note error codes and drivers mentioned

Service Won't Start:

  1. Open System log
  2. Search for service name
  3. Look for Error events near service start time
  4. Check Event ID 7000 (service failed to start)

Login Issues:

  1. Open Security log (requires admin)
  2. Look for Event ID 4625 (failed logon)
  3. Check Account Lockout events
  4. Review authentication errors

Common Event IDs

Application Log:

  • 1000: Application Error (crash)
  • 1001: Windows Error Reporting
  • 1002: Application Hang

System Log:

  • 41: Unexpected shutdown (BSOD or power loss)
  • 1074: Clean shutdown initiated
  • 6008: Unexpected shutdown
  • 7000: Service failed to start
  • 7001: Service start failure (dependency)
  • 7031: Service terminated unexpectedly

Security Log:

  • 4624: Successful logon
  • 4625: Failed logon
  • 4648: Explicit logon attempt
  • 4672: Special privileges assigned to new logon
  • 4768-4769: Kerberos authentication

Exporting and Sharing Logs

Export single log:

  1. Right-click log > Save All Events As
  2. Choose .evtx (native) or .csv/.txt format
  3. Share with support or archive

Export filtered view:

  1. Apply filters
  2. Action > Save Filtered Log File As
  3. Choose format and location

Copy event details:

  • Select event > Ctrl+C (copies to clipboard)
  • Or right-click > Copy > Copy Details as Text

Clearing Event Logs

Clear individual log:

  1. Right-click log > Clear Log
  2. Choose to save before clearing (recommended)
  3. Confirm clearing

Note: Clearing logs removes history; only do this if logs are too large or archived.

Log File Locations

Event logs are stored as .evtx files in:

C:\Windows\System32\winevt\Logs\

Common log files:

  • Application.evtx
  • Security.evtx
  • System.evtx

Maximum log sizes can be configured:

  • Right-click log > Properties
  • Set maximum log size
  • Choose behavior when maximum size reached

PowerShell Alternatives

Get recent errors:

Get-EventLog -LogName System -EntryType Error -Newest 20
Get-EventLog -LogName Application -EntryType Error -Newest 20

Get specific Event ID:

Get-EventLog -LogName Application -InstanceId 1000

Search for text:

Get-EventLog -LogName System | Where-Object {$_.Message -like "*error*"}

Export to CSV:

Get-EventLog -LogName System -Newest 100 | Export-Csv system-log.csv -NoTypeInformation

Windows PowerShell 3.0+ (preferred):

# Newest 100 events from the Application log
Get-WinEvent -LogName Application -MaxEvents 100
# Level 2 = Error
Get-WinEvent -FilterHashtable @{LogName='System'; Level=2}
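
The Login Issues steps above, done with Get-WinEvent: an added example (not part of the original page) that pulls Event ID 4625 from the Security log and extracts the account, source address and failure reason from each event's XML. The sample event and its values are constructed, and the function name ConvertFrom-FailedLogonXml is hypothetical.

```powershell
# Constructed 4625 event, trimmed to the fields used below; all values are made up.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2024-11-23T10:15:30.0000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

# Meanings of the values seen most often in failed logons (keys are case-insensitive).
$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '10' = 'RemoteInteractive' }
$subStatus  = @{ '0xC000006A' = 'Wrong password'
                 '0xC0000064' = 'Unknown user name'
                 '0xC0000234' = 'Account locked out' }

function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt = ([xml]$Xml).Event
        if ($evt.System['EventID'].InnerText -ne '4625') { return }  # skip other events
        # EventData is a flat list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = $data['LogonType']; $code = $data['SubStatus']
        [pscustomobject]@{
            TimeUtc   = $evt.System.TimeCreated.SystemTime
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source    = $data['IpAddress']   # '-' when no network address was recorded
            LogonType = if ($type -and $logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { $type }
            Reason    = if ($code -and $subStatus.ContainsKey($code)) { $subStatus[$code] } else { $code }
        }
    }
}

# Offline: parse the constructed sample.
$sampleXml | ConvertFrom-FailedLogonXml

# Live (elevated session): failed logons from the last 24 hours, grouped and counted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } | ConvertFrom-FailedLogonXml |
    Group-Object Account, Source, Reason -NoElement | Sort-Object Count -Descending
```

Many failures for one account from one source, or one source cycling through many accounts, is the pattern worth following up in the grouped output.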

Remote Event Viewer

Connect to remote computer:

  1. Action > Connect to Another Computer
  2. Enter computer name
  3. Provide credentials if needed
  4. View remote computer's event logs

Requirements:

  • Admin rights on remote computer
  • Remote Event Log Management firewall exception enabled
  • Remote Registry service running

Related Tools

  • wevtutil - Command-line event log utility
  • Get-EventLog (PowerShell) - PowerShell cmdlet for event logs
  • Get-WinEvent (PowerShell) - Advanced event log querying
  • Reliability Monitor (perfmon /rel) - Visual event timeline
  • Windows Error Reporting - Submit crash reports to Microsoft