Troubleshooting tool: in-depth analysis of Windows event logs

Windows event logs are a treasure trove of recorded system events and error information. They help you identify and solve many kinds of problems, such as application crashes, system errors, and security audits.

These log files are stored under C:\Windows\System32\config\, but they cannot be opened with a text editor. For ease of viewing, Windows provides two utility tools:

Event Viewer: the default tool for viewing and managing Windows event logs.
Reliability Monitor: a tool that displays event logs and system performance data in a more intuitive way.

Both tools can help you analyze the various errors and warnings on Windows. If you encounter frequent application crashes or blue screens (BSOD), they can help you identify the root cause of the problem.

Next, we will introduce how to use Event Viewer and Reliability Monitor to identify and understand various issues.

What is Windows Event Log
Windows event logs are files that record system events, including application errors, system errors, and security events. Through these logs, we can trace the cause of the problem, understand the health status of the computer, and troubleshoot.

For example, when the system crashes, Windows will create a log to record the cause of the crash.

Sometimes the error message is self-explanatory and the problem can be solved at a glance 🎉. But occasionally there is only an error code, such as 0xC000021A 😳. Then we have to search the Microsoft Knowledge Base, search further online, or consult a system engineer to find a detailed solution.

Event logs typically include the following information:

Log Name: the log to which the event belongs.
Source: the application or component that generated the event.
Event ID: the number that identifies a specific kind of event.
Level: the severity of the event, such as “Information”, “Warning”, or “Error”.
User: the user account under which the event occurred.
Operation code (OpCode): the operation being performed when the event was raised.
Logged (record time): the exact time at which the event occurred.
Task category: a finer-grained classification of the event.
Keywords: keywords used to classify the event; “Classic” is the most common.
Computer: the name of the computer that recorded the event.

[Figure: Windows Event Viewer, common information shown in Event Viewer]

Types and categories of Windows event logs
Understanding the types and categories of Windows event logs is the first step in understanding and analyzing system errors. Mastering this knowledge can help you quickly identify the root cause of problems and effectively solve system failures.

Event log types
Based on the importance of the event, event log entries are divided into the following 5 types:

Event type      | Description                                  | Severity | Example
Information     | Records an event that ran normally           | Low      | Service started successfully
Warning         | Flags a potential issue                      |          | Insufficient disk space
Error           | Indicates an event with a serious problem    | High     | System crash
Audit Success   | Records a successful security audit event    | Low      | Successful login
Audit Failure   | Records a failed security audit event        | Moderate | Unable to access a network resource

Pay special attention to Warning and Error entries; they are usually the ones most closely related to system failures.

Event log categories
Event logs are also divided into the following categories according to their source and content:

Category          | Description                                                     | Examples
Application       | Application-related events                                      | Application failed to start, application crash
Security          | System security events                                          | Login attempts, file access, permission changes
System            | Events from the system kernel, drivers, and similar components  | Kernel errors, hardware failures, service startup failures
Setup             | Installation of Windows components and Windows Update           | Component installed successfully, update download failed
Forwarded Events  | Events forwarded from other devices                             | Remote server login failure, network connection interrupted

Understanding these categories helps you find the relevant log quickly and narrow the scope of troubleshooting when a problem arises.

Method 1: Use Windows Event Viewer
In Event Viewer you can view every event log recorded on the system. The steps are as follows:

Open Windows Event Viewer

  1. Press Windows+R to open the “Run” dialog box, then run eventvwr.msc to open Event Viewer.
  2. In the left navigation pane, expand “Windows Logs”.
  3. Select the log category you want to view.

[Figure: Windows Event Viewer, select log category]

View Events

  4. Scroll through the log in the middle pane, locate an event, and double-click it to view its details.

[Figure: Windows Event Viewer, double-click to view event properties]

Filter events
If there are too many entries, use a filter to get to the useful ones quickly:

  1. In the right pane, click “Filter Current Log”.
  2. Choose the filter conditions you need, for example:
     Logged: the time range within which the event occurred.
     Event level: the severity of the event, such as Information, Warning, or Error.
     Event ID: the code (Event ID) of the event you are looking for.
  3. Click “OK” to apply the filter.

For example, to list every Windows shutdown, restart, or logoff in the past 30 days, use the following filter:

  1. Select “System” under Windows Logs and click “Filter Current Log”.
  2. Choose “Last 30 days” under “Logged” and enter 1074 in “Event ID”.

Event ID 1074 is the event that records a Windows shutdown, restart, or logoff.

[Figure: Windows Event Viewer, filter for a specific event]

After clicking “OK”, the results show the history of logoffs, shutdowns, and restarts within the last 30 days.

[Figure: Windows Event Viewer, view filter results]
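The same filter run from PowerShell, as an added example that is not code from the original article; it assumes a machine where the current user can read the System log with Get-WinEvent:

```powershell
# Added example: the "System log, Event ID 1074, last 30 days" filter from the
# Event Viewer steps above, run with Get-WinEvent. -FilterHashtable filters on the
# event log service side, which is far faster than fetching every entry and
# piping it through Where-Object.
$filter = @{
    LogName   = 'System'
    Id        = 1074                      # shutdown / restart / logoff initiated by a process
    StartTime = (Get-Date).AddDays(-30)   # the "Last 30 days" choice under "Logged"
}

# Get-WinEvent reports a non-terminating "No events were found" error when nothing
# matches (normal on a machine that has not rebooted); suppress it and keep $events empty.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Show the same fields the article lists under "Event logs typically include".
$events |
    Select-Object TimeCreated,                                     # Logged
                  @{n='Source';   e={ $_.ProviderName }},
                  Id,                                              # Event ID
                  LevelDisplayName,                                # Level
                  @{n='User';     e={ $_.UserId }},
                  OpcodeDisplayName,                               # Operation code
                  TaskDisplayName,                                 # Task category
                  @{n='Keywords'; e={ $_.KeywordsDisplayNames -join ',' }},
                  MachineName,                                     # Computer
                  @{n='Summary';  e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize -Wrap

# Count events per day: a cluster of restarts on one date is worth a closer look.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{n='Date'; e={ $_.Name }}, Count |
    Format-Table -AutoSize
```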
Create and manage custom views
If you want to keep an eye on a particular issue without setting the filter conditions again each time, create a custom view:

  1. In the right pane, click “Create Custom View”.
  2. In the “By log” drop-down list, select the log category you want to follow.

[Figure: Windows Event Viewer, create a custom view]

  3. Select the “Event level” values you want and click “OK”.
  4. Give the custom view a name (here, 4) and click OK again.

To adjust the filter conditions of a custom view later, right-click the view and select “Properties” > “Edit Filter”.
When a custom view is no longer needed, right-click the view and select “Delete” to remove it.
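The custom view above expressed as an XML query, as an added example that is not code from the original article; it assumes Get-WinEvent can read the System and Application logs, and it goes slightly beyond the steps by also limiting the view to the last 7 days:

```powershell
# Added example: the custom view above, written as the XML query that Event Viewer
# shows on the "XML" tab of the "Create Custom View" dialog. Get-WinEvent -FilterXml
# accepts the same XML, so a view can be exported, shared, and re-run from a script.
# Level values: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
# timediff(@SystemTime) is in milliseconds; 7 days = 604800000 ms. "<=" must be
# written as "&lt;=" inside XML.
[xml]$customView = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>
"@

# Run the view: the newest critical, error and warning entries from both logs.
$hits = @(Get-WinEvent -FilterXml $customView -MaxEvents 200 -ErrorAction SilentlyContinue)

$hits |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName |
    Format-Table -AutoSize

# Which sources produce the most errors and warnings? This is usually the fastest
# way to see whether one driver, service or application dominates the list.
$hits |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize
```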
Method 2: Use Windows Reliability Monitor
Reliability Monitor displays events on a timeline (by day or by week), so you can see at a glance the errors and problems that may affect system reliability and performance. It is not as detailed as Event Viewer, but it is a more direct way to view critical error entries.

Open Windows Reliability Monitor

  1. Press Windows+R to open the “Run” dialog box, then run control to open Control Panel.
  2. Click “System and Security” > “Security and Maintenance” > “View reliability history”.

[Figure: Control Panel, click “View reliability history”]

View Events

  3. Next to “View by”, select “Days” or “Weeks”, then click a date column.

[Figure: Using Windows Reliability Monitor]

  4. Double-click an entry at the bottom to view the details of the event.

[Figure: Windows Reliability Monitor, view event details]
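The "Days" view of Reliability Monitor reproduced as text from PowerShell, as an added example that is not code from the original article; it assumes a client edition of Windows where the Reliability Analysis Component populates Win32_ReliabilityRecords:

```powershell
# Added example: the entries Reliability Monitor plots on its timeline are stored in
# the Win32_ReliabilityRecords CIM class, so the "Days" view can be reproduced as text
# (handy for attaching to a support ticket). Get-CimInstance converts TimeGenerated
# to a DateTime, so it can be compared and grouped directly.
$since   = (Get-Date).AddDays(-14)
$records = @(Get-CimInstance -ClassName Win32_ReliabilityRecords |
             Where-Object { $_.TimeGenerated -ge $since })

# One row per day, like the "Days" view: how many entries and which sources produced them.
$records |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Date    = $_.Name
            Entries = $_.Count
            Sources = ($_.Group.SourceName | Sort-Object -Unique) -join ', '
        }
    } |
    Format-Table -AutoSize

# The entries behind the most recent day, the equivalent of clicking that date column
# and reading the list at the bottom of the window.
if ($records.Count -gt 0) {
    $latestDay = ($records | Sort-Object TimeGenerated -Descending)[0].TimeGenerated.Date
    $records |
        Where-Object { $_.TimeGenerated.Date -eq $latestDay } |
        Select-Object TimeGenerated, SourceName, EventIdentifier, ProductName,
                      @{n='Message'; e={ ($_.Message -split "`r?`n")[0] }} |
        Format-Table -AutoSize -Wrap
}
```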
Some insights for ordinary users
Distinguish severity levels
Everything has a priority and urgency. When facing Windows system problems, we first need to distinguish the severity and have a clear understanding in order to take corresponding measures:

Serious problems may not be urgent: some problems, although serious, do not affect current work or life and can be dealt with later. For example, if every ATM in the city goes down at 2 am, few people are depositing or withdrawing money in the middle of the night. The problem is not very urgent, but it is quite serious.
Urgent issues may not be serious: some problems look minor but affect important work or activities and need to be handled immediately. For example, telling an engineer that PowerPoint will not open does not sound serious. But if you are about to give an academic presentation at an international conference, it is very urgent. A professional engineer will not spend time fixing PowerPoint, but will immediately hand you a backup machine so that the presentation can go ahead.
Learn to view event logs
Event logs are like the “black box” of Windows, recording every event and error message while the system runs. Learning to read them helps you identify and fix problems precisely, instead of reaching straight for a restart, a reset, or a reinstall. In an event log, pay most attention to:

Logged (record time): when you ask for help, the engineer will usually ask what you did beforehand. The vast majority of users answer “I didn’t do anything” (which is why there seems to be a ghost 👻). The event log records the exact date and time of each event, so you can correlate the problem with what happened around it.
Source: the event source names the application or system component that generated the event, which helps you quickly locate the part where the problem lies.
Event ID: each event has a unique identifier called the Event ID. You can search online for specific issues and solutions using the Event ID.
Actively utilizing online resources
To gain a deeper understanding of event logs and troubleshoot issues, you should actively utilize the following online resources:

Microsoft Knowledge Base: Provides detailed information and solutions about event logs.
Microsoft Support Community: Help can be sought for specific event IDs and error codes.
I hope this article can help you better understand and use Windows event logs, making your computer more stable and smooth!
