Windows event log

The Windows event log is a detailed record of system, security and application notifications stored by the Windows operating system that is used by administrators to diagnose system problems and predict future issues.

Applications and the operating system (OS) use these event logs to record important hardware and software actions that the administrator can use to troubleshoot issues with the operating system. The Windows operating system tracks specific events in its log files, such as application installations, security management, system setup operations on initial startup, and problems or errors.

The elements of a Windows event log

Each event in a log entry contains the following information:

Date: The date the event occurred.

Time: The time the event occurred.

User: The username of the user logged onto the machine when the event occurred.

Computer: The name of the computer.

Event ID: A Windows identification number that specifies the event type.

Source: The program or component that caused the event.

Type: The type of event, including information, warning, error, security success audit or security failure audit.

For example, an information event might appear as:

Information        5/16/2018 8:41:15 AM    Service Control Manager              7036       None

A warning event might look like:

Warning               5/11/2018 10:29:47 AM  Kernel-Event Tracing      1              Logging

By comparison, an error event might appear as:

Error                      5/16/2018 8:41:15 AM    Service Control Manager              7001       None

A critical event might resemble:

Critical   5/11/2018 8:55:02 AM    Kernel-Power    41           (63)

The type of information stored in Windows event logs

The Windows operating system records events in five areas: application, security, setup, system and forwarded events. Windows stores event logs in the C:\WINDOWS\system32\config\ folder.

Application events relate to incidents with the software installed on the local computer. If an application such as Microsoft Word crashes, then the Windows event log will create a log entry about the issue, the application name and why it crashed.

Security events store information based on the Windows system's audit policies, and the typical events stored include login attempts and resource access. For example, the security log stores a record when the computer attempts to verify account credentials when a user tries to log on to a machine.

Setup events include enterprise-focused events relating to the control of domains, such as the location of logs after a disk configuration.

System events relate to incidents on Windows-specific systems, such as the status of device drivers.

Forwarded events arrive from other machines on the same network when an administrator wants to use a computer that gathers multiple logs.

Using the Event Viewer

Microsoft includes the Event Viewer in its Windows Server and client operating system to view Windows event logs. Users access the Event Viewer by clicking the Start button and entering Event Viewer into the search field. Users can then select and inspect the desired log.

Windows Event Viewer
The Event Viewer application in the Windows operating system

Windows categorizes every event with a severity level. The levels in order of severity are information, warning, error and critical.

Most logs consist of information-based events. Logs with this entry usually mean the event occurred without incident or issue. An example of a system-based information event is Event 42, Kernel-Power which indicates the system is entering sleep mode.

Warning level events are based on particular events, such as a lack of storage space. Warning messages can bring attention to potential issues that might not require immediate action. Event 51, Disk is an example of a system-based warning related to a paging error on the machine's drive.

An error level indicates a device may have failed to load or operate expectedly. Event 5719, NETLOGON is an example of a system error when a computer cannot configure a secure session with a domain controller.

Critical level events indicate the most severe problems. Event ID 41, Kernel-Power is an example of a critical system event when a machine reboots without a clean shutdown.

Other tools to view Windows event logs

Microsoft also provides the wevtutil command-line utility in the System32 folder that retrieves event logs, runs queries, exports logs, archives logs and clear logs.

Third-party utilities that also work with Windows event logs include SolarWinds Log & Event Manager, which provides real-time event correlation and remediation; file integrity monitoring; USB device monitoring; and threat detection. Log & Event Manager automatically collects logs from servers, applications and network devices.

ManageEngine EventLog Analyzer builds custom reports from log data and sends real-time text message and email alerts based on specific events.

Using PowerShell to query events

Microsoft builds Windows event logs in extensible markup language (XML) format with an EVTX extension. XML provides more granular information and a consistent format for structured data.

Administrators can build complicated XML queries with the Get-WinEvent PowerShell cmdlet to add or exclude events from a query.

This was last updated in May 2018

Continue Reading About Windows event log

Dig Deeper on IT operations and infrastructure management

Cloud Computing
Enterprise Desktop
Virtual Desktop