
Event Viewer in Windows

Last modified: 2014-08-14.

How to use Event Viewer for logging and tracking user actions in Windows XP, Vista, 7, 8 and 8.1

The second page of Event Viewer article explains how to track account management events (adding or deleting users and rights), which application and system log events to look for, how to clear event logs, create custom views and attach tasks to specific events.

After defining a Local Security Policy in the Professional, Business or Ultimate editions of Windows, Event Viewer is the place to find important information about successful and unsuccessful logons, policy changes, and system and application events. Event Viewer is also an invaluable diagnostic tool when programs do not work as expected.
Those who have Windows Home or Starter editions already have most of the Local Security Policy settings in place.

Compared to Windows XP, Event Viewer in Windows Vista, 7, 8 and 8.1 has been much improved. You can read more detailed descriptions of events, see events by application or service, see a quick summary of events, create custom views for finding events easily and even attach automated tasks to selected events. This is explained on page 2 of the article.
Unlike in Windows XP, you do not have to worry about log sizes and overwriting policies; these are set by default and work just fine.

Starting Event Viewer in Windows

In all versions of Windows, use the keyboard shortcut Windows Key+R to open the Run dialog, or open the Start menu and click Run. Type eventvwr.msc and click OK.
Windows XP, Run dialog. Type eventvwr.msc and click OK to open Event Viewer.

In Windows Vista and 7, you can also open Start menu by clicking Start button or pressing Windows Key (or Ctrl+Esc) on your keyboard. Type event into Search box and click Event Viewer.
Windows Vista, Start menu. To start Event Viewer, type event into Search box and click Event Viewer.

In Windows 8 and 8.1, the quickest way is using keyboard shortcut WINDOWS KEY+X to open Quick Links menu (a list of system tools) and clicking Event Viewer. You can also use keyboard shortcut Windows Key+Q for opening App search (or Search everywhere in Windows 8.1), type event into Search box and click the result.
Touch screen users should swipe in from the right edge of screen and tap Search on Charms bar first.
Windows 8, Quick Links menu (Windows Key+X). Click Event Viewer to see Windows logs.
Windows 8, Start screen, Apps search. To start Event Viewer, type 'event' into Search box and click Event Viewer.

In Windows Vista, User Account Control greets you with a confirmation prompt, click Continue.
Windows Vista, User Account Control dialog for Microsoft Management Console. Click Continue.

In Windows XP, Event Viewer opens with a summary of logs and their sizes.
In Windows Vista, 7, 8 and 8.1, Event Viewer opens the Overview and Summary screen, which shows a summary of recent Administrative Events, recently viewed log names, and a summary of log sizes and overwriting policies.
Windows XP, Event Viewer.
Windows 7, Event Viewer.

While most instructions below suggest using right-clicks, there is also the context-sensitive Action Pane available on the right side of Event Viewer in Windows Vista and later. It enables quick access to common commands.
Windows 8, Event Viewer, Action Pane. Most commands are available here.

Configuring log sizes and event overwriting policies in Windows XP

In the left pane there are several log types, usually Application, Security and System. Internet Explorer also adds the Internet log; several antivirus programs (such as avast! Antivirus) add the Antivirus log.

While the Antivirus and Internet logs are well configured by default, the Windows XP default logs are not: they are too small, and their event overwriting policy might create situations where a user cannot see the latest events.
In Windows Vista, 7, 8 and 8.1, the log sizes are fine by default. If you start seeing "Event log is full" errors, verify that automatic overwriting of the oldest events is enabled and that the log size is sufficient (at least 20 megabytes).

To set maximum size for a log, right-click on Application and select Properties.
Windows XP, Event Viewer. To configure log sizes and event overwriting policies, right-click on a log and click Properties.

In the Log size section, set Maximum log size to at least "5120" (5 megabytes); "20480" (20 megabytes) is the recommended size for a log. Do not make the logs too big, as they consume disk space and might make filtering the events slow.
The default event log size in Windows XP is a measly 512 kilobytes, or half a megabyte, which is clearly not enough. In Windows Vista, 7 and 8, the log size is 20 megabytes by default.
Under When maximum log size is reached select Overwrite events as needed.
Windows XP, Event Viewer, Application log properties. Set Maximum log size to at least 5120 and select Overwrite events as needed. Then click OK and repeat same configuration for Security and System logs.

Click OK to close Application log properties. Then repeat the same steps for Security and System logs.
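One way to check the three classic logs against the sizes recommended above and apply the fix from a script, as an added example that is not from the original article: Test-EventLogSizing and Repair-EventLogSizing are my own function names, and the block assumes Windows PowerShell 3.0 or later in an elevated session (Limit-EventLog is not available in PowerShell 7).

```powershell
# Added example, not from the original article: check the Application, Security
# and System logs against the sizes recommended above and raise any that are too
# small, overwriting the oldest events as needed. Assumes Windows PowerShell 3.0+
# in an elevated session (Limit-EventLog is not available in PowerShell 7).

$RecommendedBytes = 20MB   # 20480 KB, the recommended size
$MinimumBytes     = 5MB    # 5120 KB, the minimum the article suggests

function Test-EventLogSizing {
    # One object per classic log: current maximum size, overflow policy and a verdict.
    $logs = Get-EventLog -List | Where-Object { @('Application','Security','System') -contains $_.Log }
    foreach ($log in $logs) {
        $bytes = $log.MaximumKilobytes * 1KB
        $verdict = if ($bytes -lt $MinimumBytes) { 'too small' } elseif ($bytes -lt $RecommendedBytes) { 'below recommended' } else { 'ok' }
        [pscustomobject]@{
            Log            = $log.Log
            MaximumKB      = $log.MaximumKilobytes
            OverflowAction = $log.OverflowAction
            Verdict        = $verdict
        }
    }
}

function Repair-EventLogSizing {
    # Same change as Properties > Maximum log size 20480 KB + Overwrite events as needed.
    foreach ($entry in Test-EventLogSizing) {
        if ($entry.Verdict -ne 'ok' -or $entry.OverflowAction -ne 'OverwriteAsNeeded') {
            Write-Host "Fixing $($entry.Log): $($entry.MaximumKB) KB, $($entry.OverflowAction)"
            Limit-EventLog -LogName $entry.Log -MaximumSize $RecommendedBytes -OverflowAction OverwriteAsNeeded
        }
    }
}

Test-EventLogSizing | Format-Table -AutoSize   # before
Repair-EventLogSizing
Test-EventLogSizing | Format-Table -AutoSize   # after
```

The equivalent change with the built-in command-line tool is wevtutil sl Application /ms:20971520 /rt:false.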

Event Log types and event filtering in Windows

To see some typical events, click a log type. In Windows Vista and newer, expand Windows Logs section on the left first.

  • Application log includes events related to programs running on your computer - their important actions, warnings, errors and crashes.
    In Windows 8 and 8.1, you can also check the Applications And Services Logs\Microsoft\Windows\AppHost\Admin log for errors that Modern UI (aka Metro) apps experience. The Applications And Services Logs\Microsoft\Windows\AppXDeployment-Server\Microsoft-Windows-AppXDeploymentServer/Operational log lists events related to installing and uninstalling apps.
  • Security log includes events about users logging on and off, changing security policies, locked out accounts, etc.
  • Setup log (only in Windows Vista, 7, 8 and 8.1) includes events about updating and patching Windows and Microsoft programs.
  • System log includes events about Windows and its system services starting and stopping, plus hardware events such as driver events, hardware failing, etc.
  • Forwarded Events (only in Windows Vista and later) is not important for home users and users not on a domain. It collects events from other computers if those are set up to forward events to this computer.

In most cases, only events of type "Critical", "Warning" and "Error" are important; informational events typically indicate that something is working correctly.

In Windows XP, you must double-click an event to see its details and description.
In Windows Vista, 7, 8 and 8.1, click an event and its description appears in the bottom part of the window. You can still double-click an event to open it in a separate window.

When you click on an event, you will see its detailed description. The most important parts are the Event ID and the description in the General tab; you can use them while troubleshooting. Usually the description gives the best overview of an event.
Windows XP, Event Viewer, Event Properties. The most important parts while troubleshooting are Event ID and Description. Description usually includes an overview of an event and a link to support information.
Windows 7, Event Viewer, Event Properties. The most important parts while troubleshooting are Event ID and description in the General tab. Description usually includes an overview of an event and a link to support information.

It is pretty tiresome to scroll through all events in all logs and find warning and error events. Use event filtering instead.

In Windows XP, activate the log you want to filter. Then open View menu and click the Filter... command.
In Windows Vista and later, right-click the log type you want to filter from the left pane. Then click the Filter Current Log... command.
Windows XP, Event Viewer. To find important events easily, use filtering. Open View menu and click Filter...
Windows Vista, Event Viewer. To find important events easily, use filtering. Right-click the log you need to filter and click Filter Current Log.

In Windows XP, leave Warning, Error and Failure audit check boxes on to hide informational events. You can also use the From: and To: boxes to select a time frame.
In Windows Vista, 7, 8 and 8.1, select Critical, Warning and Error boxes. This displays only failure-related events after clicking OK button. You might also want to select a value from Logged: box for filtering events by time - predefined values are Last hour, Last 12 hours, Last 24 hours, Last 7 days and Last 30 days. You can also specify your own time frame by clicking Custom range....
Windows XP, Event Viewer. To see only warning and error events, deselect Information and Success audit boxes and click OK.
Windows 7, Event Viewer filtering. To see only failure-related events, select Critical, Warning and Error boxes. Then click OK.

To see only events for a specific user, type his/her user name into User field.

To clear an event filter in Windows XP, select All Records from View menu.
To clear a filter in Windows Vista and newer, right-click the log again and select Clear Filter.
Windows XP, Event Viewer. To clear a filtered view, open View menu and click All Records.
Windows Vista, Event Viewer filtering. To clear a filtered view, right-click the log and select Clear Filter command.

Searching events by keywords

Sometimes it is easier to search for a keyword in events, especially if you are looking for something in event descriptions. You can also search in the filtered view.

In Windows XP, open View menu and click Find....
In Windows Vista, 7, 8 and 8.1, right-click the log you want to search and click Find....
You can also use keyboard shortcut Ctrl+F to open Find dialog.
Windows XP, Event Viewer. To search for a keyword in event fields, open View menu and click Find...
Windows 7, Event Viewer. To search for a keyword in events, right-click the log you want to search and select Find command.

In Windows XP, the Find dialog is very much like the Filter dialog, but it also searches the Description of an event. Type keyword(s) into the Description field and click Find Next. Optionally, you can fill in or select/deselect other fields and check boxes.
In Windows Vista and later, type keyword(s) into Find what field and click Find Next.
Windows XP, Event Viewer, finding events by keywords. Enter keyword(s) in Description field and click Find Next button.
Windows 7, Event Viewer, finding events by a keyword. Type keyword(s) in Find what field and click Find Next button.

Event Viewer will highlight the first matching event. You can close Find box by clicking Close (Windows XP) or Cancel button; or if the event is not the one you need, click Find Next again until you find what you are looking for.

Tracking user logons and logoffs with Event Viewer in Windows

To see both successful and failed (wrong or expired passwords; account lockouts) user logons and logoffs, activate Security log in the left pane.

In Windows XP, open View menu and click Filter.... Select Security from Event source and Logon/Logoff from Category combo boxes. Click OK to filter events.
In Windows Vista, 7, 8 and 8.1, right-click the log and select Filter Current Log.... Type "4624-4625,4647,4778-4779" into <All Event IDs> box. Click OK to filter events.
Windows XP, Event Viewer, filtering logons and logoffs. Select Security log, open View menu and select Filter. Select 'Security' for Source and 'Logon/Logoff' for Category. Click OK button to filter events.
Windows 7, Event Viewer, filtering logons and logoffs. Type 4624-4634,4778-4779 into All Event IDs box. Then click OK.

You will then see a list of events related to users logging on to or off Windows, plus failures to do so. To refresh the list, press the F5 key.

Important logon and logoff events in Windows XP are:

  • Event ID 528 - a user has successfully logged on.
  • Event ID 529 - a user has failed to log on due to wrong password.
  • Event ID 535 - a user has failed to log on due to expired password.
  • Event ID 538 - a user has logged off.
  • Event ID 539 - a user has failed to log on due to account lockout (too many wrong passwords).
  • Event ID 682 - a user has logged back on after using the Switch User command.
  • Event ID 683 - a user has logged off selecting the Switch User command.

Important logon and logoff events in Windows Vista, 7, 8 and 8.1 are:

  • Event ID 4624 - a user has successfully logged on.
  • Event ID 4625 - a user has failed to log on due to wrong password, expired password or account lockout (too many wrong passwords).
  • Event ID 4647 - a user has logged off.
  • Event ID 4738 (Windows 8 and 8.1 only) - A user account was changed, useful for tracking failed account logons (Event ID 4625) from Microsoft Accounts. Appears right after a failed sign in attempt.
  • Event ID 4778 - a user has logged off selecting the Switch user command (Fast User Switching).
  • Event ID 4779 - a user has logged back on after using the Switch user command (Fast User Switching).

In Windows XP, you have to double-click an event to see its details; in Windows Vista and newer, click on an event and see its details in the bottom pane (but you can still double-click an event to open details in a separate window if your screen resolution is too low).

As you can see from pictures below, Success Audit or Audit Success means a good logon attempt and Failure Audit or Audit Failure means an unsuccessful logon attempt.
Windows XP displays user names for Success Audits, but SYSTEM for Failure Audits (in the User column).
Windows Vista and later reveal more information about an event in the Task Category column in the top pane - Event ID 4625 can mean a failed logon due to wrong password, expired password, disabled account or account lockout because of too many failed logon attempts. The exact reason is described in bottom pane, Failure Reason field.
Windows XP, Event Viewer, filtered view. Event types can be Success or Failure.
Windows 7, Event Viewer, filtered view. Event types can be Success or Failure.

Let's see an example of a typical failed logon attempt - Event ID 529 in Windows XP and Event ID 4625 in Windows Vista, 7, 8 and 8.1.
Please remember that Windows 8 and 8.1 display no account name or account domain in case a user with Microsoft Account fails to sign in (but local accounts are displayed as expected). To see which Microsoft Account failed to log on properly, see the next event with ID 4689 (Process Termination). Please note that you'll have to turn on the Enable process tracking option in Windows 8 and 8.1 Local Security Policy to see this event.

  • Reason (Windows XP) or Failure Reason displays why the logon attempt failed.
  • User Name (Windows XP) or Account Name line shows the user for which the attempt failed.
  • Logon Type field reveals from where the logon attempt was made. Most common examples for successful and failed logons are:
    • 2 - Interactive. Logging on from the Welcome Screen.
    • 3 - Network. Logging on from local network - connecting to Shared or Public Folders or shared printers is an example of this.
      You might also notice several logons by ANONYMOUS LOGON from an Account Domain called NT AUTHORITY with Security ID equal to NULL SID. These are normal as long as their Key Length is 0. Windows loves talking to itself when it's bored...
    • 4 - Batch. This means that a Scheduled Task started and used saved credentials to log on.
    • 5 - Service. A service started and used saved credentials to log on.
    • 7 - Unlock. Logging back on after a password-protected screensaver, or after a user locks the session (keyboard shortcut Windows Key+L).
    • 10 - Remote Interactive. Logging on via Terminal Services/Remote Desktop Connection or Remote Assistance.
    • 11 - Cached Interactive. This one appears in Windows 8 or 8.1 if a user tries to sign in with his/her Microsoft Account (not the traditional local user account).
  • Logon Process (Windows XP) or Caller Process Name reveals how the logon attempt was made. Normally, it is Advapi or User32 in Windows XP and winlogon.exe in Windows Vista, 7, 8 and 8.1.
    If one uses the Run As/Run as administrator command, the line will read seclogon in Windows XP and consent.exe in Windows Vista and later.
  • Domain and Workstation Name (Windows XP) or Account Domain and Workstation Name are the same if the logon attempt originated from the local computer. In Windows 8 and 8.1, MicrosoftAccount is displayed in the Account Domain field for users who sign in with their Microsoft Account rather than a local user account. If someone tries to log on over the network, his/her computer name will appear in the Workstation Name line. If the remote computer's name is unavailable, its IP address will appear instead.
    Windows Vista, 7, 8 and 8.1 always reveal the IP address on the corresponding line. If the address is 127.0.0.1 or ::1, it means your own computer.

Windows XP, Event Viewer. Event ID 529 - Unknown user name or bad password. The user name is in the User Name line.
Windows Vista, Event Viewer. Event ID 4625 - Unknown user name or bad password. The user name is in the Account Name line.

And here's the Windows 8 and 8.1 example of failed sign-in with a Microsoft Account. No useful data whatsoever. See the next event with ID 4738 to see the user name.
Windows 8, Event Viewer. Event ID 4625 - Unknown user name or bad password. If a user with Microsoft Account fails to log in, Account Name line is blank.

Let's see an example of the Run As/Run as administrator command. Because the failure audit only contains the account name for which the logon was unsuccessful, it requires extra effort to determine who tried to launch a program with administrator credentials.

First, find the Event ID 529 (in Windows XP) or 4625 (in Windows Vista, 7, 8 and 8.1).
In Windows XP, ensure that Logon Process is seclogon.
In Windows Vista and 7, make sure the Caller Process Name line reads consent.exe.
Windows Vista, Event Viewer. Event ID 4625 - Unknown user name or bad password. Caller Process Name consent.exe means that this happened while using the Run as administrator command.

In Windows XP, try to find the user who logged on normally before the failed Run As command (Event ID 528). The Logon Process should read Advapi or User32. As only one person can be logged on to Windows XP at a time, this must be the user who typed the password incorrectly.
In Windows Vista and 7, find an Audit Failure record with Event ID 4673 and Category Sensitive Privilege Use before the 4625 event. This one contains the user name who called the Run as administrator command. You might have to scroll through several 4673 events before the user name appears.
Windows XP, Event Viewer. Event ID 528 - Successful Logon.
Windows Vista, Event Viewer. Event ID 4673 - A privileged service was called.
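The failed-logon fields listed earlier and the Run as administrator correlation just described, as an added PowerShell example that is not part of the original article: it reads 4625 events from the Security log, decodes Logon Type with the table above, flags the blank Account Name that a failed Microsoft Account sign-in leaves behind, and, for failures whose Caller Process Name is consent.exe, reports the caller from the nearest preceding 4673 event. Get-EventData and Get-FailedLogonReport are my own function names; the block assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not from the original article: triage failed logons (4625)
# and, for those raised via Run as administrator (Caller Process consent.exe),
# name the caller from the preceding 4673 event. Assumes Windows PowerShell
# 3.0+ in an elevated session, since the Security log needs administrator rights.

# Logon type names, as listed in the article.
$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service';
                 7='Unlock'; 10='Remote Interactive'; 11='Cached Interactive' }

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten the event's <EventData> into a name -> value hashtable.
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-FailedLogonReport([int]$Hours = 24) {
    $since  = (Get-Date).AddHours(-$Hours)
    $failed = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } -ErrorAction SilentlyContinue
    $priv   = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4673; StartTime=$since } -ErrorAction SilentlyContinue

    foreach ($e in $failed) {
        $d    = Get-EventData $e
        $type = [int]$d['LogonType']
        $typeName = if ($LogonTypes.ContainsKey($type)) { "$type ($($LogonTypes[$type]))" } else { "$type" }

        # Windows 8/8.1: a failed Microsoft Account sign-in leaves Account Name blank.
        $account = $d['TargetUserName']
        if ([string]::IsNullOrEmpty($account)) { $account = '<blank: Microsoft Account?>' }

        # 127.0.0.1 / ::1 (or '-') means the attempt came from this computer.
        $ip = $d['IpAddress']
        $source = if (@('127.0.0.1','::1','-') -contains $ip) { 'local' } else { "$($d['WorkstationName']) ($ip)" }

        # Run as administrator: the nearest earlier 4673 names who invoked it.
        $runAsBy = $null
        if ($d['ProcessName'] -like '*\consent.exe') {
            $prior = $priv | Where-Object { $_.TimeCreated -le $e.TimeCreated } |
                     Sort-Object TimeCreated -Descending | Select-Object -First 1
            if ($prior) { $runAsBy = (Get-EventData $prior)['SubjectUserName'] }
        }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            Domain    = $d['TargetDomainName']
            LogonType = $typeName
            Source    = $source
            SubStatus = $d['SubStatus']      # e.g. 0xC000006A bad password, 0xC0000234 locked out
            Caller    = $d['ProcessName']
            RunAsBy   = $runAsBy
        }
    }
}

# Newest failures first, then a count per account and source to spot repeated attempts.
$report = Get-FailedLogonReport -Hours 24
$report | Sort-Object Time -Descending | Format-Table -AutoSize
$report | Group-Object Account, Source | Sort-Object Count -Descending | Select-Object Count, Name
```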
