After defining a Local Security Policy in Professional, Business or Ultimate editions of Windows, Event Viewer is the place for finding important information about successful and failed logins, policy changes, and system and application events. Event Viewer is also an invaluable diagnosing tool when programs do not work as expected.
Those with Windows Basic, Home or Starter editions do not have the Local Security Policy editor, but some settings can be changed in Registry: use well-known online search engines for more information.
Compared with Windows XP, Event Viewer in Windows Vista, 7, 8, 8.1 and 10 is much improved. You can read more detailed descriptions of events, see events by application or service, see a quick summary of events, create custom views for finding events easily and even attach automated tasks to selected events. This is explained on page 2 of the article.
Unlike in Windows XP, you do not have to worry about log sizes and overwriting policies; these are set by default and they work just fine.
In all versions of Windows, use keyboard shortcut Windows Key+R to open the Run dialog. Type eventvwr.msc and click OK.
In Windows Vista, 7 and 10, you can also open the Start menu by clicking the Start button or pressing Windows Key (or Ctrl+Esc) on your keyboard. Type event into the Search box and click Event Viewer.
In Windows 8 and 8.1, the quickest way is to use the keyboard shortcut Windows Key+X to open the Quick Links menu (a list of system tools) and click Event Viewer. You can also use the keyboard shortcut Windows Key+Q to open App search (or Search everywhere in Windows 8.1), type event into the Search box and click the result.
Touch screen users should swipe in from the right edge of the screen and tap Search on Charms bar first.
In Windows Vista, User Account Control greets you with a confirmation prompt; click Continue.
In Windows XP, Event Viewer opens with a summary of logs and their sizes.
In Windows Vista, 7, 8 and 8.1, Event Viewer opens Overview and Summary screen with a summary of recent Administrative Events, recently viewed log names and log size and overwriting policies summary.
While most instructions below suggest using right-clicks, there is also the context-sensitive Action Pane available on the right side of Event Viewer in Windows Vista and later. It enables quick access to common commands.
In the left pane, there are several log types - most usually Application, Security and System. Internet Explorer also adds the Internet log; several antivirus programs add the Antivirus log.
While the Antivirus and Internet logs are well configured by default, the Windows XP default logs are not: they are too small, and their event overwriting policy might prevent a user from seeing the latest events.
In Windows Vista, 7, 8/8.1 and 10, the log sizes are fine by default. If you start seeing "Event log is full" errors, verify that automatic overwriting of oldest events is enabled, and that log size is sufficient (at least 20 megabytes).
To set the maximum size for a log, right-click on Application and select Properties.
In the Log size section, set the Maximum log size to at least "5120" (5 megabytes); "20480" (20 megabytes) is the recommended size for a log. Do not make the logs too big, as they consume disk space and might make filtering the events slow.
The default event log size in Windows XP is a measly 512 kilobytes, or half a megabyte - clearly not enough. In Windows Vista and newer, the log size is 20 megabytes by default.
Set the When maximum log size is reached to Overwrite events as needed.
Click OK to close Application log properties. Then repeat the same steps for Security and System logs.
To see some typical events, click a log type. In Windows Vista and newer, expand Windows Logs section on the left first.
- Application log includes events related to programs running on your computer - their important actions, warnings, errors, and crashes.
In Windows 8, 8.1 and 10, you can also check the Applications And Services Logs\Microsoft\Windows\AppHost\Admin log for errors that Modern UI (aka Metro) apps experience. The Applications And Services Logs\Microsoft\Windows\AppXDeployment-Server\Microsoft-Windows-AppXDeploymentServer/Operational log lists events related to installing and uninstalling apps.
- Security log includes events about users logging on and off, changing security policies, locked out accounts, etc.
- Setup log (only in Windows Vista, 7, 8/8.1 and 10) includes events about updating and patching Windows and Microsoft programs.
- System log includes events about Windows and its system services starting and stopping, plus hardware events such as driver events, hardware failures, etc.
- Forwarded events (only in Windows Vista and later) is not important for home users and users not on a domain. It collects events from other computers in case these are set up to forward events to this computer.
Event Viewer in Windows 8, 8.1 and 10 also has the Custom Views section and the Administrative Events view. The latter gathers the events that might require immediate attention.
Custom Views are filtered lists of the events that the user considers important: for example, a view could only display login errors or disk failures.
Windows 10 Cumulative Update broke Custom Views in June 2019: opening Event Viewer can cause the error "MMC has detected an error in a snap-in and will unload it", followed by the "System.IO.IOException" error.
A temporary workaround is to open the C:\ProgramData\Microsoft\Event Viewer\Views folder and move all View_[number].xml files to your Documents folder. This removes your Custom Views and Event Viewer works again. After Microsoft fixes this bug, you can move the Custom View files back to that folder.
Windows 10 version 1809 (October 2018 Update) received its fix for the bug on the 18th of June, 2019 with the KB4501371 cumulative update.
Other versions of Windows 10 were fixed with July 2019 updates.
In most cases, only events of type "Critical", "Warning" and "Error" are important; informational events typically indicate that something is working correctly.
In Windows XP, you must double-click an event to see its details and description.
In Windows Vista, 7, 8, 8.1 and 10, click an event and its description appears in the bottom part of the window. You can still double-click an event to open it in a separate window.
The most important parts are Event ID and description: use these while troubleshooting. In most cases, you get the best overview of an event by reading its description.
It is pretty tiresome to scroll through all events in all logs and find warning and error events. Use event filtering instead.
In Windows XP, activate the log you want to filter. Then open the View menu and click the Filter command.
In Windows Vista and later, right-click or tap and hold the log type you want to filter in the left pane. Then choose the Filter Current Log command.
In Windows XP, leave Warning, Error and Failure audit checkboxes ticked to hide informational events. You can also use the From and To boxes to select a time frame.
In Windows Vista and newer, select Critical, Warning and Error boxes. This displays only failure-related events after clicking the OK button. You might also want to select a value from Logged box for filtering events by time - predefined values are Last hour, Last 12 hours, Last 24 hours, Last 7 days and Last 30 days. You can also specify your own time frame by choosing Custom range.
To see only events for a specific user, type that user's name into the User field.
To clear an event filter in Windows XP, select All Records from View menu.
To clear a filter in Windows Vista and later, right-click the log again and select Clear Filter.
Sometimes it is easier to search for a keyword in events, especially if you are looking for something in event descriptions. You can also search in the filtered view.
In Windows XP, open View menu and click Find.
In Windows Vista, 7, 8, 8.1 and 10, right-click the log you want to search and click Find.
You can also use the keyboard shortcut Ctrl+F to open the Find dialog.
In Windows XP, the Find dialog is very much like the Filter dialog, but it also searches the Description of an event. Type keyword(s) into the Description field and click Find Next. Optionally, you can fill in or select/deselect the other fields and checkboxes.
In Windows Vista and later, type keyword(s) into Find what field and click Find Next.
Event Viewer will highlight the first matching event. You can close the Find box by clicking Close (Windows XP) or the Cancel button; if the event is not the one you need, click Find Next again until you find what you are looking for.
To see both successful and failed user logons and logoffs, plus expired password and account lockout events, activate Security log in the left pane.
In Windows XP, open View menu and click Filter. Select Security from Event source and Logon/Logoff from Category combo boxes. Click OK to filter events.
In Windows Vista, 7, 8, 8.1 and 10, right-click the log and select Filter Current Log. Type "4624-4625,4647,4778-4779" into <All Event IDs> box. Click OK to filter events.
You will then see a list of events related to users logging on to or off Windows, plus failures to do so. To refresh the list, press the F5 key.
Important logon and logoff events in Windows XP are:
- Event ID 528 - a user has successfully logged on.
- Event ID 529 - a user has failed to log on due to the wrong password.
- Event ID 535 - a user has failed to log on due to an expired password.
- Event ID 538 - a user has logged off.
- Event ID 539 - a user has failed to log on due to account lockout (too many wrong passwords).
- Event ID 682 - a user has logged back on after using the Switch User command.
- Event ID 683 - a user has logged off selecting the Switch User command.
Important logon and logoff events in Windows Vista, 7, 8, 8.1 and 10 are:
- Event ID 4624 - a user has successfully logged on.
- Event ID 4625 - a user has failed to log on due to the wrong password, expired password or account lockout (too many wrong passwords).
- Event ID 4647 - a user has logged off.
- Event ID 4738 (Windows 8, 8.1 and 10 only) - A user account was changed, useful for tracking failed account logons (Event ID 4625) from Microsoft Accounts. Appears right after a failed sign-in attempt.
- Event ID 4778 - a user has logged off selecting the Switch user command (Fast User Switching).
- Event ID 4779 - a user has logged back on after using the Switch user command (Fast User Switching).
In Windows XP, you have to double-click an event to see its details; in Windows Vista and newer, click on an event and see its details in the bottom pane (but you can still double-click an event to open details in a separate window if your screen resolution is too low).
As you can see from pictures below, Success Audit or Audit Success means a good logon attempt and Failure Audit or Audit Failure means an unsuccessful logon attempt.
Windows XP displays user names for Success Audits, but SYSTEM for Failure Audits (in the User column).
Windows Vista and later reveal more information about an event in the Task Category column in the top pane - Event ID 4625 can mean a failed logon due to wrong password, expired password, disabled account or account lockout because of too many failed logon attempts. The exact reason is described in the bottom pane, Failure Reason field.
Let's see an example of a typical failed logon attempt - Event ID 529 in Windows XP and Event ID 4625 in Windows Vista, 7, 8/8.1 and 10.
Please remember that Windows 8, 8.1 and 10 display no account name or account domain when a user with a Microsoft Account fails to sign in (local accounts are displayed as expected). To see which Microsoft Account failed to log on properly, see the next event with ID 4689 (Process Termination). Please note that you'll have to turn on the Enable process tracking option in the Local Security Policy of Windows 8 and newer to see this event.
- Reason (Windows XP) or Failure Reason displays why the logon attempt failed.
- User Name (Windows XP) or Account Name line shows the user for which the attempt failed.
- Logon Type field reveals from where the logon attempt was made. The most common values for successful and failed logons are:
  - 2 - Interactive. Logging on from the Welcome Screen.
  - 3 - Network. Logging on from the local network - connecting to Shared or Public Folders or shared printers is an example of this.
    You might also notice several logons by ANONYMOUS LOGON from the Account Domain NT AUTHORITY with a Security ID equal to NULL SID. These are normal as long as their Key Length is 0. Windows loves talking to itself when it's bored...
  - 4 - Batch. This means that a Scheduled Task started and used saved credentials to log on.
  - 5 - Service. A service started and used saved credentials to log on.
  - 7 - Unlock. Logging back on after a password-protected screensaver, or after a user locked the session (keyboard shortcut Windows Key+L).
  - 10 - Remote Interactive. Logging on via Terminal Services/Remote Desktop Connection or Remote Assistance.
  - 11 - Cached Interactive. This one appears in Windows 8, 8.1 or 10 if a user tries to sign in with a Microsoft Account (not the traditional local user account).
- Logon Process (Windows XP) or Caller Process Name reveals how the logon attempt was made. Normally, it is Advapi or User32 in Windows XP and winlogon.exe in Windows Vista and later.
If one uses the Run As/Run as administrator command, the line will read seclogon in Windows XP and consent.exe in Windows Vista, 7, 8/8.1 and 10.
- Domain and Workstation Name (Windows XP) or Account Domain and Workstation Name are the same if the logon attempt originated from the local computer. In Windows 8 and newer, MicrosoftAccount is displayed in the Account Domain field for users who sign in with their Microsoft Account rather than a local user account. If someone tries to log on over the network, their computer name will appear in the Workstation Name line. If the remote computer's name is unavailable, its IP address will appear instead.
Windows Vista, 7, 8, 8.1 and 10 always reveal the IP address on the corresponding line. If the address is 127.0.0.1 or ::1, it means your own computer (aka localhost).
And here's the Windows 8/8.1/10 example of failed sign-in with a Microsoft Account. No useful data whatsoever. See the next event with ID 4738 to find out the user name.
Let's see an example of Run As/Run as administrator command. Because the failure audit only contains the account name for which the logon was unsuccessful, it requires extra effort to determine who tried to launch a program with administrator credentials.
First, find the Event ID 529 (in Windows XP) or 4625 (in Windows Vista, 7, 8, 8.1 and 10).
In Windows XP, ensure that Logon Process is seclogon.
In Windows Vista and newer, make sure the Caller Process Name line reads consent.exe.
In Windows XP, try to find the user who logged on normally before the failed Run As command (Event ID 528). The Logon Process should read Advapi or User32. As only one person can be logged on to Windows XP at a time, this must be the user who typed the password incorrectly.
In Windows Vista and later, find an Audit Failure record with Event ID 4673 and Category Sensitive Privilege Use before the 4625 event. This one contains the user name who called the Run as administrator command. You might have to scroll through several 4673 events before the user name appears.
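As an added example that is not part of the article, the same two lookups run from PowerShell on Windows Vista or later: Get-LogonEventSummary pulls the event IDs typed into the <All Event IDs> box above and decodes the Logon Type, Caller Process Name and failure reason fields the article walks through, and Find-RunAsFailureCaller automates the 4625-to-4673 correlation of the Run as administrator procedure. It assumes an elevated prompt (the Security log needs it) and the standard Windows NTSTATUS sub-status codes; the function names are my own.

```powershell
# Added example (not the article's code); run elevated, Windows Vista or later.
$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'
                 7='Unlock'; 10='RemoteInteractive'; 11='CachedInteractive' }
# NTSTATUS sub-status values that event 4625 uses to state the failure reason
$SubStatus  = @{ '0xc000006a'='wrong password';     '0xc0000071'='expired password'
                 '0xc0000234'='account locked out';  '0xc0000072'='account disabled'
                 '0xc0000064'='user name does not exist' }
# EventData fields differ per event ID, so read them by name from the event XML
function ConvertTo-EventData ($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}
# The list the article types into the <All Event IDs> box: 4624-4625, 4647, 4778-4779
function Get-LogonEventSummary ([int]$MaxEvents = 200) {
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625,4647,4778,4779 } `
                 -MaxEvents $MaxEvents | ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Audit     = $_.KeywordsDisplayNames -join ','    # Audit Success / Audit Failure
            # 4778/4779 use AccountDomain/AccountName, the others TargetDomainName/TargetUserName
            Account   = "$($d.TargetDomainName)$($d.AccountDomain)\$($d.TargetUserName)$($d.AccountName)"
            LogonType = $LogonTypes[[int]$d.LogonType]        # empty for 4647/4778/4779
            Source    = @($d.IpAddress, $d.ClientAddress, $d.WorkstationName | Where-Object { $_ })[0]
            Process   = $d.ProcessName                        # consent.exe for Run as administrator
            Reason    = if ($_.Id -eq 4625) { $SubStatus["$($d.SubStatus)".ToLower()] } else { '' }
        }
    }
}
# Run as administrator case: a 4625 whose Caller Process Name is consent.exe names only the
# account that failed; the 4673 (Sensitive Privilege Use) failure logged before it names the caller.
function Find-RunAsFailureCaller ([int]$MaxEvents = 500) {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625,4673 } -MaxEvents $MaxEvents)
    for ($i = 0; $i -lt $events.Count; $i++) {
        $d = ConvertTo-EventData $events[$i]
        if ($events[$i].Id -ne 4625 -or $d.ProcessName -notlike '*\consent.exe') { continue }
        $caller = 'not found'
        # Get-WinEvent returns newest first, so "before" means a higher index; several
        # 4673 records (raised by SYSTEM) may precede the one that carries the user name
        for ($j = $i + 1; $j -lt $events.Count; $j++) {
            if ($events[$j].Id -ne 4673) { continue }
            $s = (ConvertTo-EventData $events[$j]).SubjectUserName
            if ($s -and $s -ne 'SYSTEM') { $caller = $s; break }
        }
        [pscustomobject]@{ Time = $events[$i].TimeCreated; FailedAs = $d.TargetUserName; Caller = $caller }
    }
}
Get-LogonEventSummary | Where-Object Id -eq 4625 | Format-Table -AutoSize
Find-RunAsFailureCaller | Format-Table -AutoSize
```

Drop the `Where-Object Id -eq 4625` to see successful logons and logoffs as well; the Reason column is only filled for failures.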
The second page of Event Viewer article explains how to track account management events (adding or deleting users and rights), which application and system log events to look for, how to clear event logs, create custom views and attach tasks to specific events.