
Event Viewer in Windows

winhelp.us. Last updated: 2019-07-12

How to use Event Viewer for logging and tracking user actions in Windows XP, Vista, 7, 8, 8.1 and 10

After defining a Local Security Policy in Professional, Business or Ultimate editions of Windows, Event Viewer is the place for finding important information about successful and failed logins, policy changes, and system and application events. Event Viewer is also an invaluable diagnosing tool when programs do not work as expected.
Those with Windows Basic, Home or Starter editions do not have the Local Security Policy editor, but some settings can be changed in Registry: use well-known online search engines for more information.

Compared with Windows XP, Event Viewer in Windows Vista, 7, 8, 8.1 and 10 has been much improved. You can read more detailed descriptions of events, see events by application or service, see a quick summary of events, create custom views for finding events easily and even attach automated tasks to selected events. This is explained on page 2 of the article.
Unlike in Windows XP, you do not have to worry about log sizes and overwriting policies; the defaults work just fine.

Starting Event Viewer in Windows

In all versions of Windows, use keyboard shortcut Windows Key+R to open the Run dialog. Type eventvwr.msc and click OK.
Windows XP, Run dialog. Type 'eventvwr.msc' and click OK to open Event Viewer.

In Windows Vista, 7 and 10, you can also open the Start menu by clicking the Start button or pressing Windows Key (or Ctrl+Esc) on your keyboard. Type event into the Search box and click Event Viewer.
Windows Vista, Start menu. To start Event Viewer, type 'event' into Search box and click Event Viewer.

In Windows 8 and 8.1, the quickest way is using keyboard shortcut WINDOWS KEY+X to open Quick Links menu (a list of system tools) and clicking Event Viewer. You can also use the keyboard shortcut Windows Key+Q for opening App search (or Search everywhere in Windows 8.1), type event into the Search box and click the result.
Touch screen users should swipe in from the right edge of the screen and tap Search on Charms bar first.
Windows 8, Quick Links menu (Windows Key+X). Click 'Event Viewer' to see Windows logs. Windows 8, Start screen, Apps search. To start Event Viewer, type 'event' into Search box and click Event Viewer.

In Windows Vista, User Account Control greets you with a confirmation prompt, click Continue.
Windows Vista, User Account Control dialog for Microsoft Management Console. Click Continue.

In Windows XP, Event Viewer opens with a summary of logs and their sizes.
In Windows Vista, 7, 8 and 8.1, Event Viewer opens Overview and Summary screen with a summary of recent Administrative Events, recently viewed log names and log size and overwriting policies summary.
Windows XP, Event Viewer.
Windows 7, Event Viewer.

While most instructions below suggest using right-clicks, there is also the context-sensitive Action Pane available on the right side of Event Viewer in Windows Vista and later. It enables quick access to common commands.
Windows 8, Event Viewer, Action Pane. Most commands are available here.

Configuring log sizes and event overwriting policies in Windows XP

In the left pane, there are several log types - most usually Application, Security and System. Internet Explorer also adds the Internet log; several antivirus programs add the Antivirus log.

While the Antivirus and Internet logs are well configured by default, the Windows XP default logs are not: they are too small, and their event overwriting policy can create situations in which a user cannot see the latest events.
In Windows Vista, 7, 8/8.1 and 10, the log sizes are fine by default. If you start seeing "Event log is full" errors, verify that automatic overwriting of oldest events is enabled, and that log size is sufficient (at least 20 megabytes).

To set the maximum size for a log, right-click on Application and select Properties.
Windows XP, Event Viewer. To configure log sizes and event overwriting policies, right-click on a log and choose Properties.

In the Log size section, set the Maximum log size to at least "5120" (5 megabytes); "20480" (20 megabytes) is the recommended size for a log. Do not make the logs too big, as they consume disk space and might make filtering the events slow.
The default event log size in Windows XP is a measly 512 kilobytes, or half a megabyte - clearly not enough. In Windows Vista and newer, the log size is 20 megabytes by default.
Set the When maximum log size is reached to Overwrite events as needed.
Windows XP, Event Viewer, Application log properties. Set 'Maximum log size' to at least 5120 and enable the 'Overwrite events as needed' option. Then click OK and apply the same configuration to Security and System logs.

Click OK to close Application log properties. Then repeat the same steps for Security and System logs.
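The same check and fix can be scripted on Windows Vista and later from an elevated Windows PowerShell prompt. The block below is an added example, not code from the winhelp.us article; it assumes Windows PowerShell 5.1, where Get-EventLog and Limit-EventLog manage the classic Application, Security and System logs, and uses the article's own numbers: 5 megabytes as the minimum and 20 megabytes as the recommended size. The wevtutil call is the equivalent for the newer Applications and Services Logs channels, which the classic cmdlets do not see.

```powershell
# Added example (not from the winhelp.us article): audit and repair event log
# sizes and overwrite policies. Run from an elevated Windows PowerShell prompt.
$MinimumKB     = 5120    # 5 MB: the article's lower bound
$RecommendedKB = 20480   # 20 MB: the size the article recommends

function Test-EventLogSettings {
    # Lists every classic log and flags the two problems the article describes:
    # a log that is too small, and a policy other than "Overwrite events as needed".
    foreach ($log in Get-EventLog -List) {
        [pscustomobject]@{
            Log         = $log.Log
            MaximumKB   = $log.MaximumKilobytes
            Overflow    = $log.OverflowAction
            TooSmall    = ($log.MaximumKilobytes -lt $MinimumKB)
            WrongPolicy = ($log.OverflowAction -ne 'OverwriteAsNeeded')
        }
    }
}

function Repair-EventLogSettings {
    # Applies the recommended size and the overwrite-as-needed policy to the
    # classic logs, exactly what the Properties dialog does for each log in turn.
    param([string[]]$Logs = @('Application', 'Security', 'System'))
    foreach ($name in $Logs) {
        # -MaximumSize is in bytes; Windows rounds it to a multiple of 64 KB.
        Limit-EventLog -LogName $name -MaximumSize ($RecommendedKB * 1KB) -OverflowAction OverwriteAsNeeded
    }
}

function Set-EventChannelLimit {
    # For the newer channels (e.g. the AppXDeployment-Server log the article mentions):
    # wevtutil sets the size in bytes, and /rt:false means "overwrite events as needed".
    param([Parameter(Mandatory)][string]$Channel, [int]$SizeKB = $RecommendedKB)
    wevtutil.exe sl $Channel /ms:($SizeKB * 1KB) /rt:false
    wevtutil.exe gl $Channel     # prints the resulting maxSize and retention lines
}

Test-EventLogSettings | Format-Table -AutoSize
Repair-EventLogSettings
Test-EventLogSettings | Where-Object { $_.TooSmall -or $_.WrongPolicy }   # should print nothing now
```

Run Test-EventLogSettings first to see which logs actually need changing; Repair-EventLogSettings only touches the three logs the article tells you to configure.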

Event Log types and event filtering in Windows

To see some typical events, click a log type. In Windows Vista and newer, expand Windows Logs section on the left first.

  • Application log includes events related to programs running on your computer - their important actions, warnings, errors, and crashes.
    In Windows 8, 8.1 and 10, you can also check the Applications And Services Logs\Microsoft\Windows\AppHost\Admin log for errors that Modern UI (aka Metro) apps experience. The Applications And Services Logs\Microsoft\Windows\AppXDeployment-Server\Microsoft-Windows-AppXDeploymentServer/Operational log lists events related to installing and uninstalling apps.
  • Security log includes events about users logging on and off, changing security policies, locked out accounts, etc.
  • Setup log (only in Windows Vista, 7, 8/8.1 and 10) includes events about updating and patching Windows and Microsoft programs.
  • System log includes events about Windows and its system services starting and stopping, plus hardware events such as driver events, hardware failures, etc.
  • Forwarded events (only in Windows Vista and later) is not important for home users and users not on a domain. It collects events from other computers in case these are set up to forward events to this computer.

Event Viewer in Windows 8, 8.1 and 10 also has the Custom Views section and the Administrative Events view. The latter gathers the events that might require immediate attention.

Custom Views are filtered lists of the events that the user considers important: for example, a view could only display login errors or disk failures.

Windows 10 Cumulative Update broke Custom Views in June 2019: opening Event Viewer can cause the error "MMC has detected an error in a snap-in and will unload it", followed by the "System.IO.IOException" error.
A temporary workaround is to open the C:\ProgramData\Microsoft\Event Viewer\Views folder and move all View_[number].xml files to your Documents folder. This removes your Custom Views and Event Viewer works again. After Microsoft fixes this bug, you can move the Custom View files back to that folder.

Windows 10 version 1809 (October 2018 Update) received its fix for the bug on the 18th of June, 2019 with the KB4501371 cumulative update.
Other versions of Windows 10 were fixed with July 2019 updates.

In most cases, only events of type "Critical", "Warning" and "Error" are important; informational events typically indicate that something is working correctly.

In Windows XP, you must double-click an event to see its details and description.
In Windows Vista, 7, 8, 8.1 and 10, click an event and its description appears in the bottom part of the window. You can still double-click an event to open it in a separate window.

The most important parts are Event ID and description: use these while troubleshooting. In most cases, you get the best overview of an event by reading its description.
Windows XP, Event Viewer, Event Properties. The most important parts while troubleshooting are Event ID and Description.
Windows 7, Event Viewer, Event Properties. The most important parts while troubleshooting are Event ID and description in the General tab.

It is pretty tiresome to scroll through all events in all logs and find warning and error events. Use event filtering instead.

In Windows XP, activate the log you want to filter. Then open the View menu and click the Filter command.
In Windows Vista and later, right-click or tap and hold the log type you want to filter in the left pane. Then choose the Filter Current Log command.
Windows XP, Event Viewer. To find important events easily, use filtering. Open View menu and click Filter.
Windows Vista, Event Viewer. To find important events easily, use filtering. Right-click a log and choose 'Filter Current Log'.

In Windows XP, leave Warning, Error and Failure audit checkboxes ticked to hide informational events. You can also use the From and To boxes to select a time frame.
In Windows Vista and newer, select Critical, Warning and Error boxes. This displays only failure-related events after clicking the OK button. You might also want to select a value from Logged box for filtering events by time - predefined values are Last hour, Last 12 hours, Last 24 hours, Last 7 days and Last 30 days. You can also specify your own time frame by choosing Custom range.
Windows XP, Event Viewer, Filter. To see only warning and error events, deselect 'Information' and 'Success audit' boxes and click OK.
Windows 7, Event Viewer filtering. To see only failure-related events, tick the 'Critical', 'Warning' and 'Error' boxes. Then click OK.

To see only events for a specific user, type his/her user name into User field.

To clear an event filter in Windows XP, select All Records from View menu.
To clear a filter in Windows Vista and later, right-click the log again and select Clear Filter.
Windows XP, Event Viewer. To clear a filtered view, open View menu and click 'All Records'.
Windows Vista, Event Viewer filtering. To clear a filtered view, right-click the log and select the 'Clear Filter' command.

Searching events by keywords

Sometimes it is easier to search for a keyword in events, especially if you are looking for something in event descriptions. You can also search in the filtered view.

In Windows XP, open View menu and click Find.
In Windows Vista, 7, 8, 8.1 and 10, right-click the log you want to search and click Find.
You can also use the keyboard shortcut Ctrl+F to open the Find dialog.
Windows XP, Event Viewer. To search for a keyword in event fields, open View menu and click Find.
Windows 7, Event Viewer. To search for a keyword in events, right-click the log you want to search and select 'Find'.

In Windows XP, the Find dialog is very much like the Filter dialog, but it also searches the Description of an event. Type keyword(s) into the Description field and click Find Next. Optionally, you can fill in or select/deselect the other fields and checkboxes.
In Windows Vista and later, type keyword(s) into Find what field and click Find Next.
Windows XP, Event Viewer, finding events by keywords. Type keyword(s) in the Description field and click the 'Find Next' button.
Windows 7, Event Viewer, finding events by a keyword. Type keyword(s) in the 'Find what' field and click 'Find Next'.

Event Viewer will highlight the first matching event. You can close the Find box by clicking Close (Windows XP) or Cancel; or, if the event is not the one you need, click Find Next again until you find what you are looking for.
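The Filter Current Log and Find steps above (filtering by Critical/Warning/Error and by time, then searching the description for a keyword) can be done in one go with Get-WinEvent. The block below is an added example and not the article's own code; it assumes Windows Vista or later and a prompt that can read the logs you name (the Security log needs an elevated prompt). The level numbers are the ones Event Viewer uses internally: 1 = Critical, 2 = Error, 3 = Warning, and 4 = Information is deliberately left out, as the article suggests.

```powershell
# Added example (not from the winhelp.us article): "Filter Current Log" plus
# "Find" as a Get-WinEvent query, then a summary grouped by source and Event ID.
function Get-ProblemEvents {
    param(
        [string[]]$LogName = @('Application', 'System'),
        [int]$Hours = 24,        # mirrors the "Logged: Last 24 hours" choice in the filter dialog
        [string]$Keyword         # optional: matched against the description, like Find does
    )
    $filter = @{
        LogName   = $LogName
        Level     = 1, 2, 3      # Critical, Error, Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating "No events were found" error when the
    # filter matches nothing, so it is silenced here and an empty result is returned.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if ($Keyword) {
        $events = $events | Where-Object { $_.Message -match [regex]::Escape($Keyword) }
    }
    $events
}

function Get-ProblemSummary {
    # Groups by source and Event ID (the two fields the article says matter most
    # when troubleshooting) so a repeating problem shows up as a single row with a count.
    param([int]$Hours = 24, [string]$Keyword)
    Get-ProblemEvents -Hours $Hours -Keyword $Keyword |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';  e = { $_.Group[0].ProviderName } },
            @{ n = 'EventID'; e = { $_.Group[0].Id } },
            @{ n = 'Level';   e = { $_.Group[0].LevelDisplayName } },
            @{ n = 'Latest';  e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

# Usage: last 24 hours of failure-related events, summarised ...
Get-ProblemSummary -Hours 24 | Format-Table -AutoSize
# ... and a keyword search over the last 7 days, like Find on a filtered view.
Get-ProblemEvents -Hours 168 -Keyword 'disk' |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message | Format-List
```

Get-WinEvent returns newest events first, which is the order Event Viewer shows them in; the summary is the quickest way to decide which Event ID to read the description of first.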

Tracking user logons and logoffs with Event Viewer in Windows

To see both successful and failed user logons and logoffs, plus expired password and account lockout events, activate Security log in the left pane.

In Windows XP, open View menu and click Filter. Select Security from Event source and Logon/Logoff from Category combo boxes. Click OK to filter events.
In Windows Vista, 7, 8, 8.1 and 10, right-click the log and select Filter Current Log. Type "4624-4625,4647,4778-4779" into <All Event IDs> box. Click OK to filter events.
Windows XP, Event Viewer, filtering logons and logoffs. Select Security log, open View menu and choose Filter. Select 'Security' for Source and 'Logon/Logoff' for Category. Click OK button to filter events.
Windows 7, Event Viewer, filtering logons and logoffs. Type '4624-4634,4778-4779' into the 'All Event IDs' field. Then click OK.

You will then see a list of events related to users logging in to or off of Windows, plus failures to do so. To refresh the list, press F5 key.

Important logon and logoff events in Windows XP are:

  • Event ID 528 - a user has successfully logged on.
  • Event ID 529 - a user has failed to log on due to the wrong password.
  • Event ID 535 - a user has failed to log on due to an expired password.
  • Event ID 538 - a user has logged off.
  • Event ID 539 - a user has failed to log on due to account lockout (too many wrong passwords).
  • Event ID 682 - a user has logged back on after using the Switch User command.
  • Event ID 683 - a user has logged off selecting the Switch User command.

Important logon and logoff events in Windows Vista, 7, 8, 8.1 and 10 are:

  • Event ID 4624 - a user has successfully logged on.
  • Event ID 4625 - a user has failed to log on due to the wrong password, expired password or account lockout (too many wrong passwords).
  • Event ID 4647 - a user has logged off.
  • Event ID 4738 (Windows 8, 8.1 and 10 only) - A user account was changed, useful for tracking failed account logons (Event ID 4625) from Microsoft Accounts. Appears right after a failed sign-in attempt.
  • Event ID 4778 - a user has logged off selecting the Switch user command (Fast User Switching).
  • Event ID 4779 - a user has logged back on after using the Switch user command (Fast User Switching).

In Windows XP, you have to double-click an event to see its details; in Windows Vista and newer, click on an event and see its details in the bottom pane (but you can still double-click an event to open details in a separate window if your screen resolution is too low).

As you can see from pictures below, Success Audit or Audit Success means a good logon attempt and Failure Audit or Audit Failure means an unsuccessful logon attempt.
Windows XP displays user names for Success Audits, but SYSTEM for Failure Audits (in the User column).
Windows Vista and later reveal more information about an event in the Task Category column in the top pane - Event ID 4625 can mean a failed logon due to wrong password, expired password, disabled account or account lockout because of too many failed logon attempts. The exact reason is described in the bottom pane, Failure Reason field.
Windows XP, Event Viewer, logon events filtered. Event types can be Success or Failure.
Windows 7, Event Viewer, logon events filtered. Event types can be Success or Failure.

Let's see an example of a typical failed logon attempt - Event ID 529 in Windows XP and Event ID 4625 in Windows Vista, 7, 8/8.1 and 10.
Please remember that Windows 8, 8.1 and 10 display no account name or account domain in case a user with Microsoft Account fails to sign in (but local accounts are displayed as expected). To see which Microsoft Account failed to log on properly, see the next event with ID 4689 (Process Termination). Please note that you'll have to turn on the Enable process tracking option in Windows 8 and newer Local Security Policy to see this event.

  • Reason (Windows XP) or Failure Reason displays why the logon attempt failed.
  • User Name (Windows XP) or Account Name line shows the user for which the attempt failed.
  • Logon Type field reveals from where the logon attempt was made. Most common examples for successful and failed logons are:
    • 2 - Interactive. Logging on from the Welcome Screen.
    • 3 - Network. Logging on from local network - connecting to Shared or Public Folders or shared printers is an example of this.
      You might also notice several logons by ANONYMOUS LOGON from the Account Domain called NT AUTHORITY with a Security ID equal to NULL SID. These are normal as long as their Key Length is 0. Windows loves talking to itself when it's bored...
    • 4 - Batch. This means that a Scheduled Task started and used saved credentials to log on.
    • 5 - Service. Service started and used saved credentials to log on.
    • 7 - Unlock. Logging back on after a password-protected screensaver or a user locks a session (keyboard shortcut Windows Key+L).
    • 10 - Remote Interactive. Logging on via Terminal Services/Remote Desktop Connection or Remote Assistance.
    • 11 - Cached Interactive. This one appears in Windows 8, 8.1 or 10 if a user tries to sign in with his/her Microsoft Account (not the traditional local user account).
  • Logon Process (Windows XP) or Caller Process Name reveals how the logon attempt was made. Normally, it is Advapi or User32 in Windows XP and winlogon.exe in Windows Vista and later.
    If one uses the Run As/Run as administrator command, the line will read seclogon in Windows XP and consent.exe in Windows Vista, 7, 8/8.1 and 10.
  • Domain and Workstation Name (Windows XP) or Account Domain and Workstation Name are the same if the logon attempt originated from the local computer. In Windows 8 and newer, MicrosoftAccount is displayed in the Account Domain field for users who sign in with their Microsoft Account rather than a local user account. If someone tries to log on over the network, his/her computer name will appear in the Workstation Name line. If the remote computer's name is unavailable, its IP address will appear instead.
    Windows Vista, 7, 8, 8.1 and 10 always reveal the IP address on the corresponding line. If the address is 127.0.0.1 or ::1, it means your own computer (aka localhost).

Windows XP, Event Viewer. Event ID 529, Unknown user name or bad password. See the 'User Name' line.
Windows Vista, Event Viewer. Event ID 4625, Unknown user name or bad password. The user name is in the 'Account Name' line.

And here's the Windows 8/8.1/10 example of failed sign-in with a Microsoft Account. No useful data whatsoever. See the next event with ID 4738 to find out the user name.
Windows 8, Event Viewer. Event ID 4625, Unknown user name or bad password. If a user with Microsoft Account fails to log in, 'Account Name' line is blank.

Let's see an example of Run As/Run as administrator command. Because the failure audit only contains the account name for which the logon was unsuccessful, it requires extra effort to determine who tried to launch a program with administrator credentials.

First, find the Event ID 529 (in Windows XP) or 4625 (in Windows Vista, 7, 8, 8.1 and 10).
In Windows XP, ensure that Logon Process is seclogon.
In Windows Vista and newer, make sure the Caller Process Name line reads consent.exe.
Windows Vista, Event Viewer. Event ID 4625, Unknown user name or bad password. Caller Process Name consent.exe means that this happened while using the Run as administrator command.

In Windows XP, try to find the user who logged on normally before the failed Run As command (Event ID 528). The Logon Process should read Advapi or User32. As only one person can be logged on to Windows XP at a time, this must be the user who typed the password incorrectly.
In Windows Vista and later, find an Audit Failure record with Event ID 4673 and Category Sensitive Privilege Use before the 4625 event. This one contains the user name who called the Run as administrator command. You might have to scroll through several 4673 events before the user name appears.
Windows XP, Event Viewer. Event ID 528, Successful Logon.
Windows Vista, Event Viewer. Event ID 4673, A privileged service was called.
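The fields walked through above (Failure Reason, Account Name, Logon Type, Caller Process Name, Account Domain, Workstation Name and the IP address) live in the EventData section of each 4625 event's XML, and the Run as administrator lookup (a 4625 with Caller Process Name consent.exe, then the nearest earlier Audit Failure 4673) is a two-step query. The block below is an added example for Windows Vista and later, not code from the winhelp.us article; it assumes an elevated prompt for the Security log, uses the article's own list of logon type names (other codes are shown as numbers), and includes a constructed sample 4625 event so the parsing can be tried without any real log.

```powershell
# Added example (not from the winhelp.us article): read the 4625 fields the
# article explains, and find who ran "Run as administrator" via the preceding 4673.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 10 = 'Remote Interactive'; 11 = 'Cached Interactive'
}

function ConvertFrom-EventData {
    # Collects the <Data Name="..."> elements of an event's XML into a hashtable.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.InnerText }
    $d
}

function Format-FailedLogon {
    # Summarises one 4625 event using the field names the article describes.
    param([Parameter(Mandatory)][string]$EventXml)
    $d  = ConvertFrom-EventData $EventXml
    $lt = [int]$d.LogonType
    $ltName = if ($LogonTypeNames.ContainsKey($lt)) { "$lt - $($LogonTypeNames[$lt])" } else { "$lt" }
    [pscustomobject]@{
        AccountName   = $d.TargetUserName     # blank for a failed Microsoft Account sign-in
        AccountDomain = $d.TargetDomainName
        LogonType     = $ltName
        FailureReason = $d.FailureReason      # message-table token; the rendered text is in .Message
        Status        = "$($d.Status)/$($d.SubStatus)"
        CallerProcess = $d.ProcessName        # consent.exe means "Run as administrator"
        Workstation   = $d.WorkstationName
        IpAddress     = $d.IpAddress          # 127.0.0.1 or ::1 is the local computer
    }
}

function Find-RunAsCaller {
    # For a 4625 raised by consent.exe, returns the Subject of the nearest earlier
    # Audit Failure 4673. Several 4673 events can sit in between, so a batch is scanned.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = ConvertFrom-EventData $Event.ToXml()
    if ($d.ProcessName -notlike '*\consent.exe') { return $null }
    $candidates = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673; EndTime = $Event.TimeCreated } -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($c in $candidates) {
        if ($c.KeywordsDisplayNames -contains 'Audit Failure') {
            $p = ConvertFrom-EventData $c.ToXml()
            return "$($p.SubjectDomainName)\$($p.SubjectUserName)"
        }
    }
}

# Constructed sample (not a real capture): a local interactive logon failure raised by consent.exe.
$sample4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">WORKSTATION01</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="FailureReason">%%2313</Data><Data Name="LogonType">2</Data>
    <Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>
    <Data Name="WorkstationName">WORKSTATION01</Data><Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>
'@
Format-FailedLogon $sample4625 | Format-List

# Live use: failed logons from the last 24 hours, with the Run-as caller where it applies.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = $_
        Format-FailedLogon $ev.ToXml() |
            Add-Member -NotePropertyName Time -NotePropertyValue $ev.TimeCreated -PassThru |
            Add-Member -NotePropertyName RunAsCaller -NotePropertyValue (Find-RunAsCaller $ev) -PassThru
    } | Format-Table -AutoSize
```

Reading the raw EventData rather than the rendered message keeps the field names stable across Windows versions and languages; the Failure Reason token (%%2313 in the sample) is what Event Viewer expands into "Unknown user name or bad password" in the bottom pane.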

The second page of Event Viewer article explains how to track account management events (adding or deleting users and rights), which application and system log events to look for, how to clear event logs, create custom views and attach tasks to specific events.

The article Event Viewer in Windows appeared first on www.winhelp.us

 
