Windows Event Viewer is the built-in log aggregation tool that records everything from application crashes and service failures to successful logons and policy changes. When something goes wrong on a Windows machine — a blue screen, a service that won't start, an application that crashes — the event logs are almost always where the answer lies. This guide teaches you how to read those logs and use them effectively for troubleshooting.
Opening Event Viewer
- Press Win + R, type eventvwr.msc, press Enter
- Or search "Event Viewer" in the Start menu
- Or right-click the Start button and select Event Viewer
Event Viewer Structure
The left navigation pane is organised into four main sections:
- Custom Views — Pre-filtered views and any custom views you create. Administrative Events is a built-in custom view that shows Warning, Error, and Critical events across all logs — a good starting point for quick triage.
- Windows Logs — The core operating system logs: Application, Security, Setup, System, and Forwarded Events.
- Applications and Services Logs — Per-application and per-service logs. Microsoft products like Active Directory, DNS, DHCP, and Windows Defender each have their own detailed logs here.
- Subscriptions — Configure Windows Event Forwarding to collect logs from remote machines into a central collector.
The Five Core Windows Logs
Application
Events logged by applications and runtimes. Application crashes (.NET exceptions, unhandled exceptions) appear here with the application name, exception code, and faulting module. When a user reports "the software keeps crashing," start here.
Security
Audit log for logon/logoff events, privilege use, object access, and policy changes. Requires audit policies to be configured (via Local Security Policy or Group Policy) to populate meaningfully. Key event IDs:
- 4624 — Successful logon
- 4625 — Failed logon (with reason code)
- 4648 — Logon attempt using explicit credentials
- 4720 — User account created
- 4740 — User account locked out
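The 4625 events above are most useful when summarised rather than read one at a time. The following script is an added example, not part of the original guide: it pulls the last 24 hours of failed logons, reads the account, source address, logon type and NTSTATUS SubStatus from the event XML (the rendered Message text is locale-dependent, the XML is not), and groups the results so that one account being tried from many addresses, or many accounts from one address, stands out. The SubStatus lookup table is a hand-built subset of the documented codes; the time window and the elevated Security-log read are assumptions.

```powershell
# Added example (not from the original guide): summarise failed logons (4625)
# from the last 24 hours by account, source address and SubStatus reason.
# Assumptions: run in an elevated PowerShell on a host whose audit policy records
# Logon events; the lookup table below is a constructed subset of NTSTATUS codes.

$since = (Get-Date).AddHours(-24)

# Common 4625 SubStatus values (constructed lookup, not exhaustive). PowerShell
# hashtable keys are case-insensitive, so '0xc000006a' in the XML still matches.
$reasons = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $reason = 'Other'
    if ($data.SubStatus -and $reasons.ContainsKey($data.SubStatus)) {
        $reason = $reasons[$data.SubStatus]
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SourceIP  = $data.IpAddress
        LogonType = $data.LogonType   # 3 = network, 10 = RDP, 2 = interactive
        SubStatus = $data.SubStatus
        Reason    = $reason
    }
}

# Per account/source totals: the pairs with the highest counts are the ones
# worth looking at first.
$rows | Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Breakdown by reason: a burst of "User name does not exist" looks very
# different from a burst of "Wrong password" against one real account.
$rows | Group-Object Reason | Select-Object Count, Name | Format-Table -AutoSize
```

Pair this with 4740: a lockout that follows a run of 0xC000006A entries for the same account is a user mistyping a password, whereas lockouts across many accounts from one source are a different conversation.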
System
Events from Windows components, drivers, and services. Service failures, driver errors, hardware problems, and disk errors appear here. Key event IDs:
- 7034 — Service terminated unexpectedly
- 7036 — Service entered a state (started or stopped)
- 41 — Kernel-Power — System was not shut down cleanly (unexpected shutdown/crash)
- 6008 — Previous shutdown was unexpected
- 1001 — BugCheck — Blue screen crash record
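Unexpected-shutdown investigations usually need these three IDs on one timeline. The script below is an added example, not part of the original guide: it collects 41, 6008 and 1001 from the last 30 days and, for each Kernel-Power 41, reads the BugcheckCode field from the event XML. A code of 0 means no crash was recorded before the reboot (power loss or a hard reset); a non-zero code is the stop code a bug check 1001 entry should also carry. The 30-day window and the provider-name filter for 1001 (which differs between older and newer Windows versions) are assumptions.

```powershell
# Added example (not from the original guide): timeline of unexpected shutdowns
# from the System log, with each Kernel-Power 41 classified by its bug check code.
# Assumption: the System log still holds the last 30 days of events.

$since = (Get-Date).AddDays(-30)

# 41 = Kernel-Power (reboot without clean shutdown), 6008 = EventLog (previous
# shutdown unexpected), 1001 = bug check record written after a crash dump.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 41, 6008, 1001
    StartTime = $since
} -ErrorAction SilentlyContinue |
    # 1001 is a generic ID; keep only the bug check provider (name varies by version)
    Where-Object { $_.Id -ne 1001 -or $_.ProviderName -match 'BugCheck|WER-SystemErrorReporting' }

$timeline = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $note = ''
    if ($e.Id -eq 41) {
        # Kernel-Power 41 carries BugcheckCode in EventData. 0 means no crash was
        # recorded: the machine lost power or was reset before it could log one.
        $xml  = [xml]$e.ToXml()
        $code = [uint32](($xml.Event.EventData.Data | Where-Object Name -eq 'BugcheckCode').'#text')
        if ($code -eq 0) { $note = 'power loss / hard reset (no bug check)' } else { $note = 'crash: bug check 0x{0:X}' -f $code }
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Provider = $e.ProviderName
        Note     = $note
    }
}

$timeline | Format-Table -AutoSize
```

Read the output bottom-up from each 41: a 1001 with the same stop code a minute later confirms a crash with a dump to analyse; a 41 with code 0 and no 1001 points at power, thermal or hardware causes rather than a driver.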
Setup
Records Windows installation and update activity. Useful when diagnosing Windows Update failures.
Forwarded Events
Receives events forwarded from remote machines via Windows Event Forwarding (WEF). Empty unless you have configured a subscription.
Reading an Event
Click any event to see its details in the lower pane. The key fields are:
- Level — Information, Warning, Error, Critical, or Audit (Success/Failure)
- Date and Time — When the event occurred. Always check the time zone.
- Source — Which component logged the event
- Event ID — A numeric code that identifies the specific event type. Search Event ID + source name online for detailed documentation.
- Task Category — Sub-classification within the source
- Description — Human-readable explanation and any relevant data (file name, process ID, error code)
Filtering Events
Right-click a log and select Filter Current Log to open the filter dialog. You can filter by:
- Event level (Error, Warning, etc.)
- Date and time range
- Event sources
- Specific Event IDs (comma-separated, e.g., 4625, 4740)
Querying Event Logs with PowerShell
PowerShell is far more efficient than the GUI for programmatic log analysis:
```powershell
# Get the last 20 System log errors
# (Get-EventLog is the classic cmdlet: it exists in Windows PowerShell 5.1 but
# not in PowerShell 7, where Get-WinEvent is the replacement)
Get-EventLog -LogName System -EntryType Error -Newest 20 |
    Select-Object TimeGenerated, EventID, Source, Message

# Find all failed logon attempts in the Security log
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4625} -MaxEvents 50 |
    Select-Object TimeCreated, Message

# Find unexpected shutdowns (Event ID 41 - Kernel-Power)
Get-WinEvent -FilterHashtable @{LogName="System"; Id=41} |
    Select-Object TimeCreated, Message

# Search Application log for a specific source (e.g., Application Error)
Get-WinEvent -FilterHashtable @{
    LogName      = "Application"
    ProviderName = "Application Error"
} -MaxEvents 10 | Select-Object TimeCreated, Id, Message

# Export filtered events to CSV for analysis (Level 2 = Error)
Get-WinEvent -FilterHashtable @{LogName="System"; Level=2} -MaxEvents 100 |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Export-Csv -Path "$env:USERPROFILE\Desktop\SystemErrors.csv" -NoTypeInformation
```
Creating Custom Views
For ongoing monitoring, create a Custom View that filters across multiple logs simultaneously. In Event Viewer, right-click Custom Views and select Create Custom View. This is useful for creating a "crash and error" view that spans Application, System, and Setup logs without manually switching between them.
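Both the Filter Current Log dialog and the Create Custom View dialog have an XML tab that shows the query they build, and Get-WinEvent -FilterXml accepts that same QueryList unchanged. The script below is an added example, not part of the original guide: it expresses the "crash and error" view described above (Critical and Error events across Application, System and Setup) as QueryList XML with a 24-hour time window, so the view can be run from a script or a scheduled job as well as clicked. The time window and the choice of logs are assumptions to adjust.

```powershell
# Added example (not from the original guide): the "crash and error" Custom View
# as QueryList XML, run through Get-WinEvent. The same XML can be pasted into
# the XML tab of Create Custom View.
# Assumptions: 24-hour window (timediff is in milliseconds); Level 1 = Critical,
# Level 2 = Error.

$query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Setup">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName,
                  # first line of the message is usually enough for triage
                  @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Because the filter runs inside the Event Log service rather than in PowerShell, this is also much faster than piping every event through Where-Object.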
Attaching a Task to an Event
Right-click any event and select Attach Task To This Event. This opens Task Scheduler and allows you to trigger an action — send an email, run a script, display a message — whenever that specific Event ID occurs. For example, you could trigger a PowerShell notification script every time Event ID 4740 (account lockout) appears in the Security log.
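What the GUI builds behind Attach Task To This Event is a scheduled task with an event trigger, and the same thing can be registered from PowerShell so it is repeatable across servers. The script below is an added example, not part of the original guide: it creates a task that runs a notification script on every Security 4740. C:\Scripts\Notify-Lockout.ps1 is a hypothetical script of your own, and the task name is a placeholder. Event triggers have no New-ScheduledTaskTrigger switch, so the MSFT_TaskEventTrigger CIM instance is built directly.

```powershell
# Added example (not from the original guide): register a task that fires on
# Security event 4740 (account lockout), the scripted form of
# "Attach Task To This Event". Run elevated.
# Assumptions: C:\Scripts\Notify-Lockout.ps1 is a hypothetical script of yours;
# the task runs as SYSTEM because reading the Security log requires it.

# The trigger subscription is ordinary QueryList XML, the same as a filter
$subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4740)]]</Select>
  </Query>
</QueryList>
'@

# Build the event trigger as a client-side CIM instance
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File "C:\Scripts\Notify-Lockout.ps1"'

$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# IgnoreNew: a burst of lockouts queues one run at a time instead of piling up
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'Alert-AccountLockout' `
    -Trigger $trigger -Action $action -Principal $principal -Settings $settings `
    -Description 'Runs the lockout notification script on Security event 4740'

# Verify the stored trigger carries the subscription XML
Get-ScheduledTask -TaskName 'Alert-AccountLockout' | Select-Object -ExpandProperty Triggers
```

The notification script receives no event data from the trigger itself; a common pattern is for it to run a Get-WinEvent for the most recent 4740 and include the TargetUserName from that event in the message.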
Clearing and Managing Log Size
By default, event logs have a maximum size and overwrite older events when full. For security logs on servers, increase the maximum size or configure archiving:
- Right-click a log > Properties to set maximum size and retention behaviour
- Set maximum size to at least 128 MB for the Security log on domain controllers
- Use Archive log when full to preserve old events rather than overwriting them
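The three settings above map directly onto wevtutil, which is present on every supported Windows version. The script below is an added example, not part of the original guide: it sets the Security log to 128 MB with archive-when-full, verifies the result through Get-WinEvent -ListLog, and moves the archived .evtx files that Windows writes beside the live log to a separate folder. C:\Logs\Archive is an example destination; the size follows the guide's 128 MB recommendation.

```powershell
# Added example (not from the original guide): configure Security log size and
# archiving, then verify. Run elevated.
# Assumption: C:\Logs\Archive is an example destination for archived logs.

# /ms = maximum size in bytes (128 MB = 134217728).
# /rt:true keeps existing events instead of overwriting the oldest, and
# /ab:true backs the full log up to a new .evtx first, which together is the
# GUI's "Archive the log when full, do not overwrite events".
wevtutil set-log Security /ms:134217728 /rt:true /ab:true

# Verify: LogMode should read AutoBackup and MaximumSizeInBytes 134217728
Get-WinEvent -ListLog Security |
    Select-Object LogName, LogMode, MaximumSizeInBytes, FileSize, RecordCount, IsLogFull

# Archived copies land next to the live log as Archive-Security-<timestamp>.evtx.
# Move them off the system volume so a full disk never stops auditing.
$archiveDir = 'C:\Logs\Archive'
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
Get-ChildItem "$env:SystemRoot\System32\winevt\Logs\Archive-Security-*.evtx" -ErrorAction SilentlyContinue |
    Move-Item -Destination $archiveDir
```

Schedule the move (and ideally a copy to a collector or SIEM) on its own task; AutoBackup preserves events, but it also keeps creating files until the disk fills.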