Home > Sample chapters

Troubleshooting Windows 10

Event Viewer

Technically, we should probably have included Event Viewer (Eventvwr.msc) in the previous section. It is, after all, just another troubleshooting tool. But we think that this, the most powerful of all the diagnostic tools in Windows 10, deserves its own section in this chapter.

In Windows, an event is any occurrence that is potentially noteworthy—to you, to other users, to the operating system, or to an application. Events are recorded by the Windows Event Log service, and their history is preserved in one of several log files, including Application, Security, Setup, System, and Forwarded Events. Event Viewer, a Microsoft Management Console (MMC) snap-in supplied with Windows, allows you to review and archive these event logs, as well as other logs created by the installation of certain applications and services.

You can examine the history of errors on your system by creating a filtered view of the Application log in Event Viewer. Why would you want to do this? The most likely reasons are to troubleshoot problems that have occurred, to keep an eye on your system to forestall problems, and to watch out for security breaches. If a device has failed, a disk has filled close to capacity, a program has crashed repeatedly, or some other critical difficulty has arisen, the information recorded in the event logs can help you—or a technical support specialist—figure out what’s wrong and what corrective steps are required.

To start Event Viewer, find it by searching for event and then click Event Viewer or View Event Logs in the search results. Figure 17-7 offers an overview of Event Viewer.

Figure 17-7

Figure 17-7 Event Viewer’s console tree (left) lists available logs and views; the details pane (center) displays information from the selected log or view; the Actions pane (right) provides a menu of tasks relevant to the current selection.

When you select the top-level folder in Event Viewer’s console tree, the details pane displays summary information, as shown in Figure 17-7. This view lets you see at a glance whether any significant events that might require your attention have occurred in the past hour, day, or week. You can expand each category to see the sources of events of that event type. Seeing a count of events of various types in various time periods is interesting—but not particularly useful in and of itself. If you see an unusually large number of recent errors from a particular source, for example, you might want to see the full list to determine whether a particular error needs closer examination. Right-click an event type or an event source under Summary Of Administrative Events, and then click View All Instances Of This Event, as shown here.

The resulting filtered list of events is drawn from multiple log files, sparing you from having to search in multiple places. Armed with this information, you can quickly scroll through and examine the details of each one, perhaps identifying a pattern or a common factor that will help you find the cause and, eventually, the cure for whatever is causing the event.

Types of events

As a glance at the console tree confirms, events are recorded in one of several logs. The following default logs are visible under the Windows Logs heading:

  • Application. Application events are generated by applications, including programs you install, programs that are preinstalled with Windows, apps from the Windows Store, and operating system services. Program developers decide which events to record in the Application log and which to record in a program-specific log under Applications And Services Logs.
  • Security. Security events include sign-in attempts (successful and failed) and attempts to use secured resources, such as an attempt to create, modify, or delete a file.
  • Setup. Setup events are generated by application installations.
  • System. System events are generated by Windows itself and by installed features, such as device drivers. If a driver fails to load when you start a Windows session, for example, that event is recorded in the System log.
  • Forwarded Events. The Forwarded Events log contains events that have been gathered from other computers.

Under the Applications And Services Logs heading, you’ll find logs for individual applications and services. The other logs generally record events that are system-wide in nature, but each log in Applications And Services Logs records the events related only to a particular program or feature. The Applications And Services Logs folder contains a Microsoft\Windows folder, which in turn contains a folder for each of hundreds of features that are part of Windows 10. Each of these folders contains one or more logs.

Viewing logs and events

When you select a log or a custom view from the console tree, the details pane shows a list of associated events, in reverse chronological order, with each event occupying a single line. A preview pane below the list displays the contents of the saved event record. Figure 17-8 shows one such listing from the System log.

Figure 17-8

Figure 17-8 All the details you need for an individual event are visible in this preview pane. Double-click an event to see those same details in a separate window.

Each event is classified by severity level (more on that shortly) and has a date and time stamp. The Source column reports the application or Windows feature that generated the event, and each entry has an Event ID—a numerical value that you can use as part of the criteria when filtering for similar events or searching for solutions online. The Task Category column is provided for some events but is blank for many others.

Events in most log files are classified by severity, with one of three entries in the Level field: Error, Warning, or Information. Error events represent possible loss of data or functionality. Examples of errors include events related to a malfunctioning network adapter and loss of functionality caused by a device or service that doesn’t load at startup. Warning events represent less significant or less immediate problems than error events. Examples of warning events include a nearly full disk, a timeout by the network redirector, and data errors on local storage. Other events that Windows logs are identified as information events.

The Security log file uses two different icons to classify events: a key icon identifies Audit Success events, and a lock icon identifies Audit Failure events. Both types of events are classified as Information-level events; “Audit Success” and “Audit Failure” are stored in the Keywords field of the Security log file.

The preview pane shows information about the currently selected event. (Drag the split bar between the list and preview pane up to make the preview pane larger so that you can see more details, or double-click the event to open it in a separate dialog box that includes Next and Previous buttons and an option to copy the event to the Clipboard.)

The information you find in Event Viewer is evidence of things that happened in the past. Like any good detective, you have the task of using those clues to help identify possible issues. One hidden helper, located near the bottom of the Event Properties dialog box, is a link to more information online. Clicking this link opens a webpage that might provide more specific and detailed information about this particular combination of event source and event ID, including further action you might want to take in response to the event.

Filtering the log display

As you can see from a cursory look at your System log, events can pile up quickly, obscuring those generated by a particular source or those that occurred at a particular date and time. Sorting and grouping can help you to find that needle in a haystack, but to get the hay out of the way altogether, use filtering. With filtering, you can select events based on multiple criteria; all other events are hidden from view, making it much easier to focus on the items you currently care about.

To filter the currently displayed log or custom view, click Filter Current Log or Filter Current Custom View in the Actions pane on the right. A dialog box like the one shown in Figure 17-9 appears. To fully appreciate the flexibility of filtering, click the arrow by each filter. You can, for example, filter events from the past hour, 12 hours, day, week, month, or any custom time period you specify. In the Event Sources, Task Category, and Keywords boxes, you can type text to filter on (separate multiple items with commas), but you’ll probably find it easier to click the arrow and then click each of the items you want to include in your filtered view. In the Includes/Excludes Event IDs box, you can enter multiple ID numbers and number ranges, separated by commas; to exclude particular event IDs, precede their number with a minus sign.

Figure 17-9

Figure 17-9 If you don’t select any Event Level check boxes, Event Viewer includes all levels in the filtered results. Similarly, any other field you leave blank includes all events without regard to the value of that property.

Click OK to see the filtered list. If you want to save your criteria for reuse later, click Save Filter To Custom View in the Actions pane on the right. To restore the unfiltered list, in the Event Viewer window, click Clear Filter.