The first page of Event Viewer article explains how to access Event Viewer, filter or search for specific events and track user logons and logoffs.
In Windows XP, activate Security log and select Filter... from View menu. Set Event Source to Security and Category to Account Management. Click OK to filter events.
In Windows Vista, 7, 8 and 8.1, activate and right-click Security log and select Filter Current Log.... Type "4720-4769" into <All Event IDs> box. Click OK to filter events.
Important events related to account (user) management in Windows XP are:
- Event ID 624 - user account created.
- Event ID 626 - user account enabled.
- Event ID 627 - change password attempt.
- Event ID 628 - user account password set by another user.
- Event ID 629 - user account disabled.
- Event ID 630 - user account deleted.
- Event ID 636 - security enabled local group member added (for example, a limited user has been added to Administrators' group).
- Event ID 637 - security enabled local group member removed (for example, a user has been removed from Administrators' group).
- Event ID 642 - user account changed by that user or another user.
- Event ID 644 - user account locked out because of too many failed logon attempts.
- Event ID 671 - user account unlocked by another user.
Important events related to account (user) management in Windows Vista, 7, 8 and 8.1 are:
- Event ID 4720 - a user account was created.
- Event ID 4722 - a user account was enabled.
- Event ID 4723 - a user attempted to change his/her password.
- Event ID 4724 - a user attempted to reset other user's password.
- Event ID 4725 - a user account was disabled.
- Event ID 4726 - a user account was deleted.
- Event ID 4732 - a member was added to a security-enabled group (for example, a Standard user has been added to Administrators' group).
- Event ID 4733 - a member was removed from a security-enabled group (for example, a user has been removed from Administrators' group).
- Event ID 4738 - a user account was changed by that user or another user.
- Event ID 4740 - a user account was locked out because of too many failed logon attempts.
- Event ID 4767 - a user account was unlocked by another user.
Most of the events above can be successful or failed attempts. In case of failure audit, the action was not successful and no changes were applied to the user account.
Let's see event 628 (Windows XP) or 4724 - someone has changed other user's password.
In Windows XP, the Target Account Name line shows whose account was changed. Caller User Name reveals who made the change - so Mirjam reset Margus's password in this example.
In Windows Vista and later, the Account Name line in Subject category means the user who tried to change other user's password. The Target Account category holds Account Name field - the user whose password was reset. So Margus changed Mirjam's account in this example.
The same logic applies to all events related to account management. In case a user makes changes to his/her own account, Target Account Name and Caller (Subject) Account Name are the same. As said before, most of these events can be success or failure reports. For example, when a user attempts to change password, but the new passphrase does not meet minimum requirements (length, uniqueness or complexity), the generated event will be a failure audit and no change to the user's password is made.
As you know by now, events are identified by Event ID-s. As Event ID-s are not unique, check if their description matches the list below. There are certain events that you should look for from time to time to identify potential problems. Even better - you can also attach tasks to these events so that a message is displayed automatically when such event occurs. Scroll down to read about attaching tasks to events.
Right-click the log type you want to filter from the left pane. Then click Filter Current Log... command. Type the event number into <All Event IDs> field and click OK.
Important events in Application log:
- Event ID 3036 - "The content source <source name> cannot be accessed". This means that Windows Search was unable to access a location for indexing. See our article about Windows Search and how to remove or add folders to search index.
- Event ID 4099 - "Backup was cancelled" (only in Windows Vista, 7, 8 and 8.1). This means that someone stopped a running backup and the latest backup is not complete. Run the backup task again as soon as possible.
- Event ID 4103 - "The backup did not complete because of an error writing to the backup location <drive letter>. The error is: The backup location cannot be found or is not valid" (only in Windows Vista and newer). This means that Windows Backup could not access the drive you specified as the backup location. Connect the drive or update your Windows Backup configuration.
- Event ID 4106 - "Some files were not backed up" (only in Windows Vista and later). This means that Windows Backup was unable to back up some files specified. Change Windows Backup settings to exclude those files.
Important events in System log:
- Event ID 7 - "The device <device name> has a bad block". If the device is something like \Device\CdRom0, there is no need to panic - a CD or DVD you entered had some unreadable sectors on it.
If the device name is like \Device\HardDisk0\Partition1, your hard disk drive might be faulty. There are some unreadable sectors on it and this will ultimately lead to data loss. You might have experienced computer slowdown before and after the event occurred. Back up your data immediately to an external drive and run disk check! Then try to find a replacement drive and restore Windows on it.
- Event ID 41 - "The system has rebooted without cleanly shutting down first" or "The last sleep transition was unsuccessful". This means that your computer rebooted by itself or the reboot was not completed cleanly; or that your computer could not go to sleep or hibernate. Try running Windows Update for newer device drivers and test your computer's memory for errors.
- Event ID 49 - "Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory".
This happens when you manually set Page File size, then add Random Access Memory (RAM) to your computer and do not adjust Windows Page File size accordingly. A typical Windows Page File size is one and a half times of RAM size - if you have 1 GB of RAM, the Page File size should be at least 1.5 GB.
- Event ID 55 - "The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume <volume name>". Files and folders on a disk are messed up. Load Disk Management and see what drive letter(s) is/are assigned to the hard disk with specified number. Then run chkdsk.
- Event ID 6008 - "The previous system shutdown at <time> on <date> was unexpected". This means that your computer restarted or shut down by itself because of a system error; or someone turned computer off without shutting Windows down first; or a power failure occurred. If there are many such events, this might indicate a memory (RAM) problem or hardware failure. Try using MemTest for testing your computer's memory.
There are links to the Help and Support Center (Windows XP) or Event Log Online Help in almost every event. These sometimes provide an overview of the event with possible solutions.
But often the links provide no information or working solution for the event. You can then use Internet search engines, such as Google, Yahoo or Bing for finding solutions.
To do that, note Event ID of the event. Then select a part of Description by holding down mouse button, dragging the mouse pointer over text and then releasing the button. Press Ctrl+C on your keyboard to copy the selected text.
Do not select the whole Description field! Select just the most important part - error description.
Now open your favorite search engine. Write "event id <number>" and then paste the copied Description text by pressing Ctrl+V on your keyboard. For example: "event id 7 the device, \Device\CdRom0, has a bad block". You can omit all punctuation marks, and "the"-s and "a"-s while searching.
Press Search button and try finding working solutions. You can narrow down search results by adding "windows 7" to search criteria.
I never said that troubleshooting would be easy...
On rare occasions, Event log files might get corrupted and they must be cleared before new events can be recorded. In that case you will see an error message while opening a log.
To reset a log, right-click on the corrupted log and select Clear all Events (Windows XP) or Clear Log.
Windows offers to save the log contents, but as the log is corrupted, there is no point in saving it. Click No (Windows XP) or Clear to confirm.
Note that in Windows Vista, 7, 8 and 8.1, the first entry in the log will be with Event ID 104 or 1102 - "The log was cleared". The event also specifies the user name who cleared the log in User or Account Name field.
Filtering and searching event logs are nice features, but creating the same filters again and again might get tiresome. In Windows Vista and newer, you can create Custom Views with your own filters.
To create a Custom View from the scratch, right-click Custom Views in the left pane and select Create Custom View...:
Let's create a Custom View for logon errors this time.
Click the Event logs: field, expand Windows Logs and check the Security box. This means that we will filter events in Security log.
Type "4625" in <All Event IDs> field and click OK.
Type a name and description for the Custom View and click OK. The All Users check box means that the Custom View is available for all users with access to Event Viewer.
The Custom View will be saved and opened after this.
To load the filter the next time, just expand Custom Views on the left and click the filter name.
Creating a Custom View from a filter already applied
If you have already applied a filter to a log, you do not need to create your Custom View from the very beginning. Just right-click the filtered log and click Save Filter to Custom View...:
Again, type something in Name and Description fields and click OK to save the Custom View.
Custom Views are great for quickly finding events, but people normally don't open Event Viewer every hour or so to see if critical events have occurred. You can now set a task to run automatically after a specified event has been recorded in Event Log - for example, you can display a message or run a program or send an e-mail about the event.
Sadly, Microsoft decided to deprecate messages and e-mail notifications in Windows 8 and 8.1. This makes Event Tasks somewhat pointless - most users do not know which program to launch; furthermore, there is often no need to run a program or a script in case an error event occurs.
Windows 8 and 8.1 users can safely skip these steps.
Let's set up an automatic task for Windows Search event 3036 - a location cannot be accessed for indexing.
Filter or search Application log for Event ID 3036. Right-click the event in the upper pane and select Attach Task To This Event...:
Create Basic Task Wizard opens. I usually leave the Name field alone and fill the Description field. Click Next.
Just click Next in When an Event Is Logged step - this one is filled automatically for you.
As there is no point in running a program or sending an e-mail in case Windows Search cannot index a location, select Display a message. Click Next.
Now specify title for the message and the message itself. Make the message as descriptive as possible and do not press Enter key on your keyboard - this would take you to the next step. You will see this popping up the next time Windows Search records an event with ID 3036.
In the step wisely named Finish, click Finish button.
Event Viewer notifies you that the task has been created and that you can modify it in Task Scheduler. Click OK.
Umm, what's the Task Scheduler? Just open Start menu and type "schedule" in Search box. Click Task Scheduler.
Windows Vista opens another User Account Control dialog to remind you how much it loves and protects you. Click Continue.
Expand Task Scheduler Library and click Event Viewer Tasks on the left.
Here you can see all tasks related to Event Viewer.
To modify the task, right-click it and click Properties.
To stop or remove a task, right-click it and select Disable or Delete.
Most applications and services have their own operational logs in Windows Vista and later. Some of these contain useful information for troubleshooting, for example the Diagnostics-Performance log helps in troubleshooting slow startup and shutdown problems.
Expand Applications and Services Logs, then expand Microsoft and Windows. Expand the service you want to check - Backup in this example. Click Operational.
Check the times between Event IDs 1 and 14 ("The backup operation has started" and "The backup operation has completed"). Please note that this does not mean successful or unsuccessful backups, just times of starting and stopping. You should see Application log for backup statuses.