
Event Viewer, page 2

How to use Event Viewer for tracking account management events, creating custom views and attaching tasks to events in Windows XP, Vista, 7, 8 and 8.1

Last modified: 2013-10-03.

The first page of the Event Viewer article explains how to access Event Viewer, filter or search for specific events and track user logons and logoffs.

Tracking account management with Event Viewer in Windows

In Windows XP, select the Security log and choose Filter... from the View menu. Set Event Source to Security and Category to Account Management. Click OK to filter events.
In Windows Vista, 7, 8 and 8.1, right-click the Security log and select Filter Current Log.... Type "4720-4769" into the <All Event IDs> box. Click OK to filter events.
[Screenshots: Windows XP Event Viewer, View > Filter with Event source set to Security and Category set to Account Management; Windows Vista Event Viewer, Filter Current Log with 4720-4769 typed into the All Event IDs box.]

Important events related to account (user) management in Windows XP are:

  • Event ID 624 - user account created.
  • Event ID 626 - user account enabled.
  • Event ID 627 - change password attempt.
  • Event ID 628 - user account password set by another user.
  • Event ID 629 - user account disabled.
  • Event ID 630 - user account deleted.
  • Event ID 636 - security enabled local group member added (for example, a limited user has been added to Administrators' group).
  • Event ID 637 - security enabled local group member removed (for example, a user has been removed from Administrators' group).
  • Event ID 642 - user account changed by that user or another user.
  • Event ID 644 - user account locked out because of too many failed logon attempts.
  • Event ID 671 - user account unlocked by another user.

Important events related to account (user) management in Windows Vista, 7, 8 and 8.1 are:

  • Event ID 4720 - a user account was created.
  • Event ID 4722 - a user account was enabled.
  • Event ID 4723 - a user attempted to change his/her password.
  • Event ID 4724 - a user attempted to reset another user's password.
  • Event ID 4725 - a user account was disabled.
  • Event ID 4726 - a user account was deleted.
  • Event ID 4732 - a member was added to a security-enabled group (for example, a Standard user has been added to Administrators' group).
  • Event ID 4733 - a member was removed from a security-enabled group (for example, a user has been removed from Administrators' group).
  • Event ID 4738 - a user account was changed by that user or another user.
  • Event ID 4740 - a user account was locked out because of too many failed logon attempts.
  • Event ID 4767 - a user account was unlocked by another user.

Most of the events above can be recorded as successful or failed attempts. In the case of a failure audit, the action was not successful and no changes were applied to the user account.

Let's look at event 628 (Windows XP) or 4724 - someone has changed another user's password.
In Windows XP, the Target Account Name line shows whose account was changed. Caller User Name reveals who made the change - so Mirjam reset Margus's password in this example.
In Windows Vista and later, the Account Name line in the Subject section identifies the user who tried to change another user's password. The Target Account section holds its own Account Name field - the user whose password was reset. So Margus changed Mirjam's account in this example.
[Screenshots: Windows XP Event Viewer, Event ID 628 (User Account password set), where the Caller User Name line reveals who changed the password for the Target Account; Windows Vista Event Viewer, Event ID 4724 (An attempt was made to reset an account's password), where the Account Name line in the Subject section shows who changed the password for the Target Account.]

The same logic applies to all events related to account management. In case a user makes changes to his/her own account, Target Account Name and Caller (Subject) Account Name are the same. As said before, most of these events can be success or failure reports. For example, when a user attempts to change password, but the new passphrase does not meet minimum requirements (length, uniqueness or complexity), the generated event will be a failure audit and no change to the user's password is made.
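The Subject-versus-Target logic above can be applied to the whole 4720-4767 range at once. The script below is an added example, not part of the original article; it assumes an elevated PowerShell prompt on Windows Vista or later with account-management auditing enabled, and it reads the Subject (caller) and Target fields out of each event's XML so that success and failure audits are shown side by side.

```powershell
# Added example: who did what to which account in the last 7 days.
# Assumes: elevated PowerShell, Windows Vista or later, Security log auditing on.

# Event IDs explained in the article, with a short label for each.
$names = @{
    4720 = 'account created';      4722 = 'account enabled'
    4723 = 'own password change';  4724 = 'password reset by another user'
    4725 = 'account disabled';     4726 = 'account deleted'
    4732 = 'added to local group'; 4733 = 'removed from local group'
    4738 = 'account changed';      4740 = 'account locked out'
    4767 = 'account unlocked'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$names.Keys
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the <EventData><Data Name="...">value</Data> pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # A failure audit means the action was rejected and nothing changed.
    $result = 'success'
    if ($_.KeywordsDisplayNames -contains 'Audit Failure') { $result = 'FAILURE' }

    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        What   = $names[$_.Id]
        Result = $result
        Caller = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Target = "$($data.TargetDomainName)\$($data.TargetUserName)"
        # For 4732/4733 the Target is the group; the member appears as MemberSid.
        Member = $data.MemberSid
    }
} | Sort-Object Time | Format-Table -AutoSize
```

When Caller and Target show the same account, the user changed their own account, exactly as the article describes.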

Important Application and System events to look for

As you know by now, events are identified by Event IDs. Because Event IDs are not unique across event sources, check that the description matches the list below. There are certain events that you should look for from time to time to identify potential problems. Even better - you can also attach tasks to these events so that a message is displayed automatically when such an event occurs. Scroll down to read about attaching tasks to events.
Right-click the log type you want to filter from the left pane. Then click Filter Current Log... command. Type the event number into <All Event IDs> field and click OK.

Important events in Application log:

  • Event ID 3036 - "The content source <source name> cannot be accessed". This means that Windows Search was unable to access a location for indexing. See our article about Windows Search and how to remove or add folders to search index.
  • Event ID 4099 - "Backup was cancelled" (only in Windows Vista, 7, 8 and 8.1). This means that someone stopped a running backup and the latest backup is not complete. Run the backup task again as soon as possible.
  • Event ID 4103 - "The backup did not complete because of an error writing to the backup location <drive letter>. The error is: The backup location cannot be found or is not valid" (only in Windows Vista and newer). This means that Windows Backup could not access the drive you specified as the backup location. Connect the drive or update your Windows Backup configuration.
  • Event ID 4106 - "Some files were not backed up" (only in Windows Vista and later). This means that Windows Backup was unable to back up some files specified. Change Windows Backup settings to exclude those files.

Important events in System log:

  • Event ID 7 - "The device <device name> has a bad block". If the device is something like \Device\CdRom0, there is no need to panic - a CD or DVD you inserted had some unreadable sectors on it.
    If the device name is like \Device\HardDisk0\Partition1, your hard disk drive might be faulty. There are some unreadable sectors on it and this will ultimately lead to data loss. You might have experienced computer slowdown before and after the event occurred. Back up your data immediately to an external drive and run disk check! Then try to find a replacement drive and restore Windows on it.
  • Event ID 41 - "The system has rebooted without cleanly shutting down first" or "The last sleep transition was unsuccessful". This means that your computer rebooted by itself or the reboot was not completed cleanly; or that your computer could not go to sleep or hibernate. Try running Windows Update for newer device drivers and test your computer's memory for errors.
  • Event ID 49 - "Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory".
    This happens when you manually set the Page File size, then add Random Access Memory (RAM) to your computer and do not adjust the Windows Page File size accordingly. A typical Windows Page File size is one and a half times the RAM size - if you have 1 GB of RAM, the Page File size should be at least 1.5 GB.
  • Event ID 55 - "The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume <volume name>". Files and folders on a disk are messed up. Load Disk Management and see what drive letter(s) is/are assigned to the hard disk with specified number. Then run chkdsk.
  • Event ID 6008 - "The previous system shutdown at <time> on <date> was unexpected". This means that your computer restarted or shut down by itself because of a system error; or someone turned the computer off without shutting Windows down first; or a power failure occurred. If there are many such events, this might indicate a memory (RAM) problem or hardware failure. Try using MemTest for testing your computer's memory.
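Since an Event ID alone is not unique, a periodic check should match the source (provider) as well as the ID. The script below is an added example, not from the original article; the provider names are assumptions based on typical Windows 7 era systems (for instance, Ntfs events may come from Microsoft-Windows-Ntfs on newer versions), so compare them with the Source column in Event Viewer and adjust if they differ.

```powershell
# Added example: collect the Application and System events listed above,
# matching both Event ID and source so unrelated events with the same ID are skipped.
# Assumption: provider names are the usual ones; verify against the Source column.

$watch = @(
    @{ Log = 'System';      Id = 7;    Provider = 'Disk';                           Why = 'bad block - check the \Device\ name' }
    @{ Log = 'System';      Id = 41;   Provider = 'Microsoft-Windows-Kernel-Power'; Why = 'unclean reboot or failed sleep' }
    @{ Log = 'System';      Id = 49;   Provider = 'volmgr';                         Why = 'page file too small for crash dump' }
    @{ Log = 'System';      Id = 55;   Provider = 'Ntfs';                           Why = 'file system corrupt - run chkdsk' }
    @{ Log = 'System';      Id = 6008; Provider = 'EventLog';                       Why = 'unexpected shutdown' }
    @{ Log = 'Application'; Id = 3036; Provider = 'Windows Search Service';         Why = 'search index location unreachable' }
    @{ Log = 'Application'; Id = 4099; Provider = 'Windows Backup';                 Why = 'backup cancelled' }
    @{ Log = 'Application'; Id = 4103; Provider = 'Windows Backup';                 Why = 'backup location not found' }
    @{ Log = 'Application'; Id = 4106; Provider = 'Windows Backup';                 Why = 'some files not backed up' }
)

function Get-WatchedEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    foreach ($w in $watch) {
        # ProviderName in the hashtable filter is what enforces the "check the source" rule.
        $hash = @{ LogName = $w.Log; Id = $w.Id; ProviderName = $w.Provider; StartTime = $Since }
        Get-WinEvent -FilterHashtable $hash -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $w.Log
                Source  = $_.ProviderName
                Id      = $_.Id
                Meaning = $w.Why
                Message = ($_.Message -split "`n")[0]   # first line of the description only
            }
        }
    }
}

Get-WatchedEvents | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```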

Extended troubleshooting using Internet search engines

There are links to the Help and Support Center (Windows XP) or Event Log Online Help in almost every event. These sometimes provide an overview of the event with possible solutions.

But often the links provide no information or working solution for the event. You can then use Internet search engines, such as Google, Yahoo or Bing for finding solutions.

To do that, note the Event ID of the event. Then select a part of the Description by holding down the mouse button, dragging the mouse pointer over the text and then releasing the button. Press Ctrl+C on your keyboard to copy the selected text.

Do not select the whole Description field! Select just the most important part - error description.

Now open your favorite search engine. Write "event id <number>" and then paste the copied Description text by pressing Ctrl+V on your keyboard. For example: "event id 7 the device, \Device\CdRom0, has a bad block". You can omit all punctuation marks and the words "the" and "a" while searching.

Press the Search button and try finding working solutions. You can narrow down the search results by adding "windows 7" to the search criteria.

I never said that troubleshooting would be easy...

Clearing Event logs

On rare occasions, Event log files might get corrupted and they must be cleared before new events can be recorded. In that case you will see an error message while opening a log.

To reset a log, right-click on the corrupted log and select Clear all Events (Windows XP) or Clear Log.
[Screenshots: Windows XP Event Viewer, right-click the log and select Clear all Events; Windows Vista Event Viewer, right-click the log and select Clear Log.]

Windows offers to save the log contents, but as the log is corrupted, there is no point in saving it. Click No (Windows XP) or Clear to confirm.
[Screenshots: Windows XP Event Viewer, click No to confirm deleting all events; Windows 7 Event Viewer, click Clear to confirm.]

Note that in Windows Vista, 7, 8 and 8.1, the first entry in the log will have Event ID 104 or 1102 - "The log was cleared". The event also records the name of the user who cleared the log in the User or Account Name field.
[Screenshot: Windows 7 Event Viewer, event 1102 recorded after clearing a log; the Account Name field shows the user who cleared it.]

Creating Custom Views in Windows Vista, 7, 8 and 8.1 for quick loading of event filters

Filtering and searching event logs are nice features, but creating the same filters again and again might get tiresome. In Windows Vista and newer, you can create Custom Views with your own filters.

To create a Custom View from scratch, right-click Custom Views in the left pane and select Create Custom View...:
[Screenshot: Windows 7 Event Viewer, right-click Custom Views and select Create Custom View.]

Let's create a Custom View for logon errors this time.
Click the Event logs: field, expand Windows Logs and check the Security box. This means that we will filter events in Security log.
[Screenshot: Windows 7 Event Viewer, Create Custom View, with Security checked under Windows Logs in the Event logs field.]

Type "4625" in <All Event IDs> field and click OK.
[Screenshot: Windows 7 Event Viewer, Create Custom View, with 4625 typed in the <All Event IDs> field.]

Type a name and description for the Custom View and click OK. The All Users check box means that the Custom View is available for all users with access to Event Viewer.
[Screenshot: Windows 7 Event Viewer, Save Filter to Custom View window with Name and Description filled in.]

The Custom View will be saved and opened after this.

To load the filter the next time, just expand Custom Views on the left and click the filter name.

Creating a Custom View from a filter already applied

If you have already applied a filter to a log, you do not need to create your Custom View from the very beginning. Just right-click the filtered log and click Save Filter to Custom View...:
[Screenshot: Windows 7 Event Viewer, right-click a filtered log and select Save Filter to Custom View.]

Again, type something in Name and Description fields and click OK to save the Custom View.

Attaching automatic tasks to specified events in Windows Vista and 7

Custom Views are great for quickly finding events, but people normally don't open Event Viewer every hour or so to see if critical events have occurred. You can now set a task to run automatically after a specified event has been recorded in Event Log - for example, you can display a message or run a program or send an e-mail about the event.

Sadly, Microsoft decided to deprecate messages and e-mail notifications in Windows 8 and 8.1. This makes Event Tasks somewhat pointless - most users do not know which program to launch; furthermore, there is often no need to run a program or a script in case an error event occurs.
Windows 8 and 8.1 users can safely skip these steps.
[Screenshot: Windows 8 Event Viewer, Create Basic Task Wizard, Action step, with "Send an e-mail" and "Display a message" marked as deprecated.]

Let's set up an automatic task for Windows Search event 3036 - a location cannot be accessed for indexing.
Filter or search Application log for Event ID 3036. Right-click the event in the upper pane and select Attach Task To This Event...:
[Screenshot: Windows 7 Event Viewer, right-click an event and select Attach Task To This Event.]

Create Basic Task Wizard opens. I usually leave the Name field alone and fill the Description field. Click Next.
[Screenshot: Windows 7 Event Viewer, Create Basic Task Wizard, Name left as is and Description filled in.]

Just click Next in When an Event Is Logged step - this one is filled automatically for you.
[Screenshot: Windows 7 Event Viewer, Create Basic Task Wizard, When an Event Is Logged step.]

As there is no point in running a program or sending an e-mail in case Windows Search cannot index a location, select Display a message. Click Next.
[Screenshot: Windows 7 Event Viewer, Create Basic Task Wizard, Action step with Display a message selected.]

Now specify a title for the message and the message itself. Make the message as descriptive as possible and do not press the Enter key on your keyboard - this would take you to the next step. You will see this message pop up the next time Windows Search records an event with ID 3036.
Click Next.
[Screenshot: Windows 7 Event Viewer, Create Basic Task Wizard, Display a message step with Title and Message fields filled in.]

In the step wisely named Finish, click Finish button.
[Screenshot: Windows 7 Event Viewer, Create Basic Task Wizard, Finish step.]

Event Viewer notifies you that the task has been created and that you can modify it in Task Scheduler. Click OK.
[Screenshot: Windows 7 Event Viewer, notification that the task has been created and can be modified in Task Scheduler.]

Umm, what's the Task Scheduler? Just open Start menu and type "schedule" in Search box. Click Task Scheduler.
[Screenshot: Windows 7 Start menu, "schedule" typed in the Search box with Task Scheduler listed.]

Windows Vista opens another User Account Control dialog to remind you how much it loves and protects you. Click Continue.
[Screenshot: Windows Vista User Account Control dialog for Microsoft Management Console.]

Expand Task Scheduler Library and click Event Viewer Tasks on the left.
[Screenshot: Windows 7 Task Scheduler, Task Scheduler Library expanded with Event Viewer Tasks selected.]

Here you can see all tasks related to Event Viewer.
To modify the task, right-click it and click Properties.
To stop or remove a task, right-click it and select Disable or Delete.
[Screenshot: Windows 7 Task Scheduler, list of Event Viewer Tasks with the right-click menu showing Disable and Delete.]
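A Custom View (the 4625 filter from the earlier section) and an event-attached task (this section) both rest on the same QueryList XML that Event Viewer builds from the filter dialog. The script below is an added example, not part of the original article or of Windows itself: it builds that XML once, runs it as a query, and then uses it as the trigger of a task that records when the Security log is cleared (event 1102, described above). Assumptions: an elevated PowerShell prompt on Windows Vista or later; the folder C:\EventTasks, the log file name and the task name are placeholders chosen for this example.

```powershell
# Added example: one QueryList, used as a Custom View filter and as a task trigger.
# Assumes an elevated PowerShell on Windows Vista or later; paths and names are placeholders.

function New-EventQuery {
    param([string]$Log, [int]$EventId, [string]$Provider)
    # Optionally pin the provider, because Event IDs are only unique per source.
    $prov = ''
    if ($Provider) { $prov = "Provider[@Name='$Provider'] and " }
    "<QueryList><Query Id='0' Path='$Log'><Select Path='$Log'>*[System[$prov(EventID=$EventId)]]</Select></Query></QueryList>"
}

# 1. The same filter as the "logon errors" Custom View: event 4625 in the Security log.
$failedLogons = New-EventQuery -Log 'Security' -EventId 4625
Get-WinEvent -FilterXml ([xml]$failedLogons) -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; From = $d.IpAddress; LogonType = $d.LogonType }
    } | Format-Table -AutoSize

# 2. The same mechanism as "Attach Task To This Event": the QueryList becomes the
#    trigger's Subscription. It is escaped because it is XML nested inside XML.
$subscription = [System.Security.SecurityElement]::Escape(
    (New-EventQuery -Log 'Security' -EventId 1102 -Provider 'Microsoft-Windows-Eventlog'))

$taskXml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -Command "Add-Content C:\EventTasks\log-cleared.txt ((Get-Date).ToString('s') + ' Security log was cleared')"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# schtasks /XML works on Vista and later, so it covers every version the article discusses.
$xmlPath = Join-Path $env:TEMP 'log-cleared-task.xml'
$taskXml | Set-Content -Path $xmlPath -Encoding Unicode
schtasks.exe /Create /TN 'Event Viewer Tasks\Alert - Security log cleared' /XML $xmlPath /F
```

The registered task appears under Event Viewer Tasks in Task Scheduler, where it can be inspected, disabled or deleted exactly as described above.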

Displaying Applications and Services Logs in Windows Vista, 7, 8 and 8.1

Most applications and services have their own operational logs in Windows Vista and later. Some of these contain useful information for troubleshooting, for example the Diagnostics-Performance log helps in troubleshooting slow startup and shutdown problems.

Expand Applications and Services Logs, then expand Microsoft and Windows. Expand the service you want to check - Backup in this example. Click Operational.
Check the times between Event IDs 1 and 14 ("The backup operation has started" and "The backup operation has completed"). Please note that this does not tell you whether a backup succeeded or failed, only when it started and stopped. Check the Application log for backup statuses instead.
[Screenshot: Windows 7 Event Viewer, Applications and Services Logs, Backup > Operational log showing start and stop times.]

