What is the Event Viewer, and should I care?

Helping people with computers... one answer at a time.

Many Windows components log messages and the Event Viewer displays those messages. Unfortunately those messages are often cryptic and inconsistent.

•

In an ideal world,you'd never care about Event Viewer. In an ideal world software and hardware would always work, always meet expectations, and there'd never be any need to try and figure out why things are happening the way they are.

In an ideal world we'd also be able to rely on the event viewer for clear and consistent information about what your system and all the applications running on it are experiencing.

Sadly, we do not live in an ideal world. Event viewer can be a source for excellent clues into system failures and behavior. It can also be a frustrating source of exactly nothing. But it's definitely a tool worth knowing about if you're running Windows NT, 2000 or XP.

•

There are lots of ways to get to Event Viewer but I typically hit Start, Run, and type eventvwr. There are typically three logs available:

Application: applications running under Windows are supposed to log their events here.
Security: when enabled Windows can log a host of security-related events which are logged here.
System: the operating system logs its events here.

If you click on the System node on the left hand side you'll get something much like this:

Event Viewer Window

Each line on the right corresponds to one event logged by the system. The event type can be a "Success Audit", Informational, a Warning, or an Error. Information here includes the date and time of the event, the source (the Windows component in this case) of the event, the "category", an event number, the user account in use when the event was logged, and the computer name.

This is where things start to get a little disorganized:

There are no hard and fast rules for what constitutes an error, warning, or informational event. In fact, a properly operating system might show Error entries in the event logs.
As you can see in this listing "category" is rarely used.
Each event is assigned a number. We'll see in a minute how to translate them but for the moment this display is rather meaningless to the casual observer.

If you double click on one of the event lines in the right hand pane you'll get something like this:

Event Viewer Details

This is actually a fairly useful warning. The error number corresponds to the message displayed in the Description box. Here my system is telling me that my clock might be off because it wasn't able to reach a time server for an extended period of time. Clearly, just a warning.

However from my application log comes another all-too-common type of entry:

Event Viewer Details

This "Success Audit"; of my run of Office Update is trying to tell me something. Unfortunately "The Description for Event ID (0) ... cannot be found" is a very common Event Log entry. Often there will be additional data included that might give a clue as to what was being logged. In this case it appears to be a successful install of "VSDEBUG_6707_ENG". I think.

And that leads to how things get even more obfuscated in the event log: applications often including the operating system itself fail to log things correctly or at all. In their defense the event log has a very convoluted interface to program to.

So, should you care? Absolutely. The Event Log is far from perfect but it can contain valuable data. At worst it will tell you nothing. At best it may hold important clues to problems you may be having with your computer or the applications you're using.

Go ahead and browse around in the event viewer. Don't panic when you see lots of warnings or errors; as I said, even a functioning computer will have those. In fact, if you look while your system is functioning normally you'll get a sense of what "normal" looks like in your event log. Then later when you see items that seem suspicious, out of place, or seem to be related to the problems you're seeing, that's information worth paying attention to.

Article C1917 - April 2, 2004

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Recent Comments

131 Comments

@Gwyn
One of these scams involves having people look at their event viewer. If they do a Google search they find this article and leave comments. So it makes sense that comments are on this article also. Looks like it's helped a lot of folks avoid the scam!

Posted by: Connie at November 30, 2011 10:42 PM

I kept getting calls from a WA number throughout the day. I finally decided to answer the phone and it was a guy saying he was from Xion technologies and they were receiving messages from my computer. I was passed back and forth between him and his female "tech". I did open up my event viewer as they said. I even looked up the company's website. I asked if I could go to a place to have this done and they said no it had to be done online. Definitely suspicious to me. However, I told them to call back later as I was busy. Now that I know, I'm going to tell them to stop calling when they call back. I gave no credit card info or computer info to them. Just opened the event viewer and they obviously know the number I connect to the internet with. I've fallen for one of these before and now I'm stressed over using my computer for banking needs. Please tell me they cannot get into my computer without me going to a specific website and entering info?!

Posted by: Lili at December 27, 2011 5:14 PM

@Lili
Just opening the event viewer while talking to them on the phone won't give them access to your computer. That's why they are asking you for access. The only way for them to gain access to your computer is by you giving it to them by installing a program on your computer or logging their website.
As an extra precaution, I'd run a couple of antimalware programs like Malwarebytes Antimalware and Spybot Search and Destroy.
Spyware: How do I remove and avoid spyware?

Posted by: Mark J at December 28, 2011 2:23 AM

All right; this is all new to me. I asked the question "Why do computers and/or games freeze?" As you can imagine, I got a whole page of things to look at, one including a reference to the Event Viewer and Event Log (which I had never heard of, let alone knew that it existed). After following the instructions I opened my event viewer and saw the event log. I am not computer savvy. It was all too confusing. It did concern me however, the amount of "ERRORS" that were there. Then I read something about clearing the event log. This would suit me fine if I knew it was going to remove all these errors. I am worried though that doing so might hurt my computer. Can you help me with this in any way? My computer is about 5 or 6 years old and I use Windows XP, 32 bit if that helps at all. Thank you in advance for any help you may be able to provide. I read your article on the event viewer, but it didn't seem to answer my question.

Posted by: Carol K at January 5, 2012 8:29 PM

@Carol
As the article states "Don't panic when you see lots of warnings or errors; as I said, even a functioning computer will have those"

Clearing the event log will neither fix your errors nor harm your computer.It will simply clear out a textfile which keeps a record of the Event Viewer errors, so it is generally safe to clear.

Posted by: Mark J at January 6, 2012 1:24 AM

See all 131 comments...

Post a comment on "What is the Event Viewer, and should I care?":

Name: (Required - will be included when your comment is published.)

Email Address: (Required - will not be published.)

Remember Me? YesNo

Comments: (You may use HTML tags for style)

Before commenting, please...

READ THE ARTICLE. A comment that shows you didn't will be deleted and ignored.
Comment only on the article. Use the search box at the top of the page if you have a question about something else.
NO PERSONAL INFORMATION in the comment. No email addresses. No phone numbers. No physical addresses.

Anything that looks the least bit like spam will be deleted. Links to unrelated sites or links that appear to be primarily promotional will be deleted, or the comment will be deleted.
Don't ask me to recover lost passwords or hacked accounts. I can't. Those comments will be deleted.
I can't respond to every comment. And I can't vouch for the accuracy of others who do.

Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
READ THE ARTICLE. A comment that shows you didn't will be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...

Question? Ask Leo!
The Tip Jar: Buy Leo a Latte!

Categories | Full Archive
By Date | Business Card | About

Advertisements do not imply my endorsement of any product or service.

Copyright © 2003-2012 Puget Sound Software, LLC and Leo A. Notenboom
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC
Terms, Conditions & Privacy
Product Reviews, Recommendations and Affiliate Links Disclosure

http://ask-leo.com/what_is_the_event_viewer_and_should_i_care.html