How to use Event Viewer to Troubleshoot Problems with your PC

Event Viewer (EVENTVWR) is a component of Microsoft’s Windows NT line of operating systems that lets administrators and users view the event logs on a local or remote machine. It shows a log of application and system messages such as errors, information messages and warnings. One of the downsides of Event Viewer is that it is quite confusing, as it shows lots of warnings, errors and other messages. Without knowing what it all means, you might think that your computer is broken when nothing is actually wrong with it.

Understanding Event Viewer is a very important skill for figuring out what exactly is wrong with your computer and/or how to troubleshoot it.

The Event Viewer can be very handy if you are having a problem with your PC or laptop. For example, if your computer is randomly blue-screening and rebooting, the Event Viewer will provide more information about the cause. An error event in the System log may tell you which hardware driver crashed, which can help you find a faulty driver or a defective hardware component. Just look for the error message whose time stamp matches when your computer froze or restarted; an error message about a computer freeze will be marked as Critical. Event Viewer has a three-panel interface like other Windows admin tools. The left panel displays folders in which the event logs are sorted and can easily be found. Furthermore, you can customize the view of events according to your needs.


For example, the Administrative Events view in the latest versions of Windows shows all of the Errors, Warnings and important events even if they did not originate from the Application log or the System log. The middle panel shows the event list; click an event to see its details in the preview panel, or double-click it to open it in a pop-up window, which can be helpful if you are going through lots of events. The right-side panel lets you quickly access actions, create custom views, set filters or even schedule tasks based on events.

Other event logs include:

– Application events: events logged by programs. The same Windows Logs folder also holds the Security, Setup, System and Forwarded Events logs described below.
– Security events: Here you’ll see a list of notifications, most or all of which will be labelled Audit Success. Windows completes a security audit every time a user logs in or every time a file is created, modified or deleted. In addition, it logs any attempts to use resources that the user doesn’t have access to, which are labelled Audit Failure. It also checks your system integrity.
– Setup events: events that are created every time software is installed or Windows updates are installed.
– System events: Most of the errors and warnings you see in the Administrative Events log come from system events. They’re reports from Windows system files about problems they’ve encountered. Almost all of them are self-healing.
– Forwarded events: These are events sent to this computer from other PCs.

Once an event is selected, the middle panel displays the following fields:


Log Name – displays the name of event source.
Source – the name of the software that generated the event; the name sometimes doesn’t match the program name, but it still indicates which component logged it.
Event ID – a very important ID that can be quite confusing. If you Google for “event ID 145” you’ll end up with useless information unless you also include the Source or the application name, because every application has its own Event IDs.
Level – tells you how serious the event is. Information simply shows that something changed, started or was modified. Warning or Error tells you that something happened that shouldn’t have happened. Critical means something is broken somewhere, so the component that triggered this event has most likely crashed.
User – tells you whether it was a system component or your user account that was running the process which caused the error.
OpCode – basically, what activity the application or component was doing when the event took place. Most of the time it will display “Info”, which I find very useless.
Computer – displays the user name where the event took place.
Task category – displays more information about the event.
Keywords – a term used by Microsoft to group and classify types of events.
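The same fields can be pulled out of a log with PowerShell’s Get-WinEvent, which is handier than scrolling the middle panel when you want every Critical, Error and Warning event around the minute your machine froze. The block below is an added example and not code from the original post; the function name, its parameters and the sample freeze time are my own choices. Run it from an elevated PowerShell session so that all logs are readable.

```powershell
# Added example, not from the original post.
# Lists the Event Viewer fields described above for recent problem events,
# either from the last N hours or within a window around a known freeze time.
function Get-RecentProblemEvents {
    param(
        [string]   $LogName       = 'System',
        [int]      $Hours         = 24,
        [datetime] $Around,                 # time of the freeze/reboot you are chasing
        [int]      $WindowMinutes = 10
    )

    # Level is stored numerically: 1 = Critical, 2 = Error, 3 = Warning.
    $filter = @{ LogName = $LogName; Level = 1, 2, 3 }
    if ($PSBoundParameters.ContainsKey('Around')) {
        $filter.StartTime = $Around.AddMinutes(-$WindowMinutes)
        $filter.EndTime   = $Around.AddMinutes($WindowMinutes)
    } else {
        $filter.StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports "No events were found" as an error, hence SilentlyContinue.
    # 'Source' is the provider name: search for it together with the Event ID,
    # because every application has its own Event IDs.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Log Name';      e = { $_.LogName } },
            @{ n = 'Source';        e = { $_.ProviderName } },
            @{ n = 'Event ID';      e = { $_.Id } },
            @{ n = 'Level';         e = { $_.LevelDisplayName } },
            @{ n = 'User';          e = {
                $sid = $_.UserId
                if (-not $sid) { 'N/A' }
                else { try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value } }
            } },
            @{ n = 'OpCode';        e = { $_.OpcodeDisplayName } },
            @{ n = 'Computer';      e = { $_.MachineName } },
            @{ n = 'Task Category'; e = { $_.TaskDisplayName } },
            @{ n = 'Keywords';      e = { $_.KeywordsDisplayNames -join ', ' } },
            @{ n = 'Message';       e = { ($_.Message -split "`r?`n")[0] } }
}

# Everything Critical/Error/Warning in the System log from the last 24 hours:
Get-RecentProblemEvents | Format-Table -AutoSize

# Events within 10 minutes either side of a freeze (constructed sample time):
Get-RecentProblemEvents -Around (Get-Date '2024-01-15 09:42') | Format-List
```

The Message column keeps only the first line of each message so the table stays readable; switch to Format-List when you want the full text of a single event.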

As a side note: there are always going to be errors and warnings in the event log, and you can’t fix all of them. The most important thing is to use Event Viewer to troubleshoot problems you already have, instead of searching for a problem you didn’t know about and trying to fix it.

As for fixing the actual error: to get a full explanation of an error, click Event Log Online Help in the Event Properties and you will be taken to Microsoft’s technical website. It is written with the expectation that every user is an expert, so you might just find the same kind of information that is displayed in Event Viewer. Microsoft also suggests EventIDNet, which may be a little more understandable. If you use EventIDNet, make sure to click the “comments and links” link at the bottom of the initial page; this is often where other users explain what happened to them and where you have a better chance of finding more information. An alternative is to just copy the error message and search for it in your favorite search engine (I would recommend Bing as it displays more of Microsoft’s results).

Be careful with web pages that offer “Solutions” for Event ID “Problems”, as they might just be scammers.

There are lots of interesting logs to check when you are troubleshooting, but one of the most interesting is found in the Microsoft \ Windows \ Diagnostics-Performance folder. This leads to an event log that shows all of the items that Windows logs internally for performance checking. If your PC or laptop boots up slower than normal, Windows will have a log entry for it and will list the component that caused Windows to boot slower than usual.


In my case it is the high number of programs and services that are started when the computer boots (which does not bother me much). The solution is to update the programs that require an update. Keeping your programs up to date doesn’t only help you keep a system clean and performing better, but also secure, since a lot of programs have what we call “vulnerabilities” in them that can be exploited by viruses and malware.

You can also use Event Viewer to tell when your PC last rebooted or started:

Head into the Windows Logs -> System log and then filter by Event ID 6006, which indicates that the event log service was shut down, one of the last things that happens before a reboot. You can also filter by Event ID 6005 to see when the system was last turned on.

6006 – the event ID for shutdown. This event is written during an expected restart or shutdown, after the user initiates it by clicking Start or pressing CTRL+ALT+DELETE and then clicking Shut Down.

6005 – the event ID for startup. This event is written at system startup following such an expected restart or shutdown.

NOTE: You will need administrator privileges to view all the logs.

Important Application and System events in Windows

Important events in Application log:

Event ID 3036 – “The content source <source name> cannot be accessed”. This means that Windows Search was unable to access a location for indexing. See our article about Windows Search and how to remove or add folders to search index.

Event ID 4099 – “Backup was cancelled” (only in Windows Vista, 7, 8, 8.1 and 10). This means that someone stopped a running backup and the latest backup is not complete. Run the backup task again as soon as possible.

Event ID 4103 – “The backup did not complete because of an error writing to the backup location <drive letter>. The error is: The backup location cannot be found or is not valid” (only in Windows Vista and newer). This means that Windows Backup could not access the drive you specified as the backup location. Connect the drive or update your Windows Backup configuration.

Event ID 4106 – “Some files were not backed up” (only in Windows Vista and later). This means that Windows Backup was unable to back up some files specified. Change Windows Backup settings to exclude those files.

Important events in System log:

Event ID 7 – “The device <device name> has a bad block”. If the device is something like \Device\CdRom0, there is no need to panic: a CD or DVD you inserted had some unreadable sectors on it. If the device name is like \Device\HardDisk0\Partition1, your hard disk drive might be faulty. There are some unreadable sectors on it and this will ultimately lead to data loss. You might have experienced computer slowdown before and after the event occurred. Back up your data immediately to an external drive and run a disk check! Then try to find a replacement drive and restore Windows on it.

Event ID 41 – “The system has rebooted without cleanly shutting down first” or “The last sleep transition was unsuccessful”. This means that your computer rebooted by itself or the reboot was not completed cleanly; or that your computer could not go to sleep or hibernate. Try running Windows Update for newer device drivers and test your computer’s memory for errors.

Event ID 49 – “Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory”.
This happens when you manually set the Page File size, then add Random Access Memory (RAM) to your computer and do not adjust the Windows Page File size accordingly. A typical Windows Page File size is one and a half times the RAM size: if you have 1 GB of RAM, the Page File size should be at least 1.5 GB.

Event ID 55 – “The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume <volume name>”. Files and folders on a disk are messed up. Load Disk Management and see what drive letter(s) is/are assigned to the hard disk with specified number. Then run chkdsk.

Event ID 6008 – “The previous system shutdown at <time> on <date> was unexpected”. This means that your computer restarted or shut down by itself because of a system error; or someone turned the computer off without shutting Windows down first; or a power failure occurred. If there are many such events, this might indicate a memory (RAM) problem or hardware failure. Try using MemTest for testing your computer’s memory.
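Pulling these events out with PowerShell makes the pattern easier to see than clicking through them one at a time. The block below is an added example rather than code from the original post: it builds a startup/shutdown timeline from Event IDs 6005, 6006 and 6008 (source EventLog) and Event ID 41 (source Microsoft-Windows-Kernel-Power), all described above, and counts how many shutdowns were unexpected. The function names and the 30-day default are my own choices, and the provider names are stated from my own knowledge rather than from the post.

```powershell
# Added example, not from the original post.
# Timeline of startups and shutdowns from the System log:
#   6005 (EventLog)      - event log service started  => system boot
#   6006 (EventLog)      - event log service stopped  => clean shutdown/restart
#   6008 (EventLog)      - previous shutdown was unexpected (written at next boot)
#   41   (Kernel-Power)  - rebooted without cleanly shutting down
function Get-BootTimeline {
    param([int] $Days = 30)

    $filter = @{
        LogName      = 'System'
        Id           = 6005, 6006, 6008, 41
        ProviderName = 'EventLog', 'Microsoft-Windows-Kernel-Power'
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $meaning = switch ($_.Id) {
                6005 { 'Startup' }
                6006 { 'Clean shutdown' }
                6008 { 'UNEXPECTED shutdown (reported at next boot)' }
                41   { 'UNEXPECTED reboot without clean shutdown' }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Source  = $_.ProviderName
                Meaning = $meaning
            }
        }
}

# Repeated unexpected shutdowns are the pattern the post links to RAM or hardware trouble.
function Get-ShutdownSummary {
    param([int] $Days = 30)

    $timeline = @(Get-BootTimeline -Days $Days)
    $boots    = @($timeline | Where-Object { $_.EventId -eq 6005 })
    $lastBoot = if ($boots.Count) { $boots[-1].Time } else { $null }

    [pscustomobject]@{
        Days       = $Days
        Boots      = $boots.Count
        Clean      = @($timeline | Where-Object { $_.EventId -eq 6006 }).Count
        Unexpected = @($timeline | Where-Object { $_.EventId -in (6008, 41) }).Count
        LastBoot   = $lastBoot
    }
}

Get-BootTimeline | Format-Table -AutoSize
Get-ShutdownSummary
```

A boot (6005) that is not preceded by a clean shutdown (6006) will normally be accompanied by a 6008 and/or a 41, so the Unexpected count can exceed the number of actual incidents; read the timeline rather than the bare count before deciding a machine is unstable.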

Events related to account (user) management in Windows Vista, 7, 8/8.1 and 10 are:

Event ID 4720 – a user account was created.
Event ID 4722 – a user account was enabled.
Event ID 4723 – a user attempted to change his/her password.
Event ID 4724 – a user attempted to reset another user’s password.
Event ID 4725 – a user account was disabled.
Event ID 4726 – a user account was deleted.
Event ID 4732 – a member was added to a security-enabled group (for example, a Standard user has been added to Administrators’ group).
Event ID 4733 – a member was removed from a security-enabled group (for example, a user has been removed from Administrators’ group).
Event ID 4738 – a user account was changed by that user or another user.
Event ID 4740 – a user account was locked out because of too many failed logon attempts.
Event ID 4767 – a user account was unlocked by another user.
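These IDs live in the Security log, and they become far more useful once the actor and the affected account are separated out of each event’s XML. The block below is an added example, not code from the original post: it queries the Security log for the IDs listed above, reads SubjectUserName (who did it), TargetUserName and MemberName (which account or group was affected) from each event’s EventData, and flags additions to the Administrators group (the post’s own example) and account lockouts. The function names, the 7-day default and the EventData field names are my own choices based on the standard layout of these events, not something the post states. Reading the Security log requires an elevated session.

```powershell
# Added example, not from the original post.
# Pulls the account-management events listed above out of the Security log and
# separates "who did it" (Subject*) from "which account/group" (Target*/Member*).
$AccountEventNames = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4732 = 'Member added to security-enabled group'
    4733 = 'Member removed from security-enabled group'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
}

function Get-AccountManagementEvents {
    param([int] $Days = 7)

    $filter = @{
        LogName   = 'Security'
        Id        = [int[]] $AccountEventNames.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data> elements.
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4732/4733 put the member in MemberName and the group in TargetUserName;
            # the other IDs put the affected account in TargetUserName.
            # (For 4740, TargetDomainName holds the computer the lockout came from.)
            $isGroupChange = $_.Id -in (4732, 4733)
            $target = if ($isGroupChange) { $data['MemberName'] }
                      else { '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName'] }
            $group  = if ($isGroupChange) { $data['TargetUserName'] } else { $null }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Action  = $AccountEventNames[[int] $_.Id]
                Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Target  = $target
                Group   = $group
            }
        }
}

# The changes worth a second look: someone added to Administrators, and lockouts,
# which the post describes as the result of too many failed logon attempts.
function Get-NotableAccountChanges {
    param([int] $Days = 7)

    Get-AccountManagementEvents -Days $Days | Where-Object {
        ($_.EventId -eq 4732 -and $_.Group -eq 'Administrators') -or
        ($_.EventId -eq 4740)
    }
}

Get-AccountManagementEvents | Format-Table -AutoSize
Get-NotableAccountChanges | Format-List
```

If the query returns nothing on a workstation, check that the Audit Policy for account management (User Account Management and Security Group Management) is enabled; these events are only written when auditing is switched on.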

Hope this information helps next time you will have an issue with hardware or software on your computer. 
