What is the Event Viewer, and should I care?

Search First! Then browse: Categories | Full Archive | By Date | Newsletter

Summary: Many Windows components log messages and the Event Viewer displays those messages. Unfortunately those messages are often cryptic and inconsistent.

In an ideal world,you'd never care about Event Viewer. In an ideal world software and hardware would always work, always meet expectations, and there'd never be any need to try and figure out why things are happening the way they are.

In an ideal world we'd also be able to rely on the event viewer for clear and consistent information about what your system and all the applications running on it are experiencing.

Sadly, we do not live in an ideal world. Event viewer can be a source for excellent clues into system failures and behavior. It can also be a frustrating source of exactly nothing. But it's definitely a tool worth knowing about if you're running Windows NT, 2000 or XP.

•

There are lots of ways to get to Event Viewer but I typically hit Start, Run, and type eventvwr. There are typically three logs available:

Application: applications running under Windows are supposed to log their events here.
Security: when enabled Windows can log a host of security-related events which are logged here.
System: the operating system logs its events here.

If you click on the System node on the left hand side you'll get something much like this:

Event Viewer Window

Each line on the right corresponds to one event logged by the system. The event type can be a "Success Audit", Informational, a Warning, or an Error. Information here includes the date and time of the event, the source (the Windows component in this case) of the event, the "category", an event number, the user account in use when the event was logged, and the computer name.

This is where things start to get a little disorganized:

There are no hard and fast rules for what constitutes an error, warning, or informational event. In fact, a properly operating system might show Error entries in the event logs.
As you can see in this listing "category" is rarely used.
Each event is assigned a number. We'll see in a minute how to translate them but for the moment this display is rather meaningless to the casual observer.

If you double click on one of the event lines in the right hand pane you'll get something like this:

Event Viewer Details

This is actually a fairly useful warning. The error number corresponds to the message displayed in the Description box. Here my system is telling me that my clock might be off because it wasn't able to reach a time server for an extended period of time. Clearly, just a warning.

However from my application log comes another all-too-common type of entry:

Event Viewer Details

This "Success Audit"; of my run of Office Update is trying to tell me something. Unfortunately "The Description for Event ID (0) ... cannot be found" is a very common Event Log entry. Often there will be additional data included that might give a clue as to what was being logged. In this case it appears to be a successful install of "VSDEBUG_6707_ENG". I think.

And that leads to how things get even more obfuscated in the event log: applications often including the operating system itself fail to log things correctly or at all. In their defense the event log has a very convoluted interface to program to.

So, should you care? Absolutely. The Event Log is far from perfect but it can contain valuable data. At worst it will tell you nothing. At best it may hold important clues to problems you may be having with your computer or the applications you're using.

Go ahead and browse around in the event viewer. Don't panic when you see lots of warnings or errors; as I said, even a functioning computer will have those. In fact, if you look while your system is functioning normally you'll get a sense of what "normal" looks like in your event log. Then later when you see items that seem suspicious, out of place, or seem to be related to the problems you're seeing, that's information worth paying attention to.

Article C1917 - April 2, 2004

Recent Comments

62 Comments

Hi Leo,
I have this error msg, 'Proccess Notification: Failed to send the mail message error code: -49'. May I know what is that means? Thanks.

Posted by: James at April 24, 2007 7:35 PM

Is there a way for me to know which files have been accessed and copied from my pc using the Event Viewer?

Posted by: Kofi Ampaabeng at July 19, 2007 3:21 AM

The event log shows action 6006 (log off?) when I was out. I suspect someone is using my computer while I am at work. Shouldn't there be a corresponding action 6005 (log on?) action? does this mean they have deleted the log on action but forgotten about the 6006? Thanks for your comments...

Posted by: carl at November 23, 2007 10:23 PM

I have an "illegal" entry in the event log and it seems to have rendered it inoperative. I was experimenting with a VB program and in trying to write to the event log, I inadvertently created a new category. The new category is actually something that looks like a global.asa entry: "Data Source=mis-sql;InitialCatlog=TimeEntry...." (more stuff)
I do not know how to remove it.
Even worse, in IIS, my Default Web Site service is stopped and will not start.

Any advice, including reinstall IIS, is appreciated.

Posted by: Henry Veldman at November 28, 2007 7:08 AM

I don't actually see an answer to Leo's question about the anonymous logon. I also have that line item in the audit section of the event viewer. If anyon know where it is coming from or if it is nothing to worry about I would apprciate it if they could send a reply....thanks

Posted by: Debbie Barras at April 23, 2008 7:46 AM

Hi, I have written a windows service with a code for logging any info/errors into the eventlog. The event source is not getting created/displayed. The message that I am getting in the application source is that the event source was created but the node is not displayed in the viewer.
Any advice

Posted by: Aditya at June 10, 2008 4:43 AM

EventViewer
i have system events has more error files.how to trouble shooting this error.
error message:cant register the ip address
can u help me

Posted by: sekar at July 7, 2008 11:54 PM

Can we write the data in to the event viewer in windows operating system..if yes.. How???

Posted by: Rakesh at July 29, 2008 4:23 AM

To me, the most mystifying thing about the Event Viewer is what programs were involved. I had one triggering off every 5 minutes, but it wasn't at all obvious what it was and a Google search came up with anything from malware to system and needed. Someone else suggested it was Symantec's updater, and once I eliminated everything that smelled of Symantec on my system that log entry went away. Makes me feel good not to be cluttering up stuff with unnecessary internet requests.

Posted by: Judy at January 1, 2009 12:19 PM

Thanx Leo! It's amazing that people who can write complex computer programs in code often seem to have great difficulty documenting their programs in a spoken language. It never occurred to me to right click a line in the event viewer, and apparently it never occurred to Microsoft to suggest it, either.

Posted by: Mike Maus at April 2, 2009 9:33 AM

See all 62 comments...

Post a comment on "What is the Event Viewer, and should I care?":

Name: (Required) Email Address: (Required) (Email Address will not be published.) Remember Me? YesNo	By popular demand... my tip jar Buy Leo a Latte!
Comments: (you may use HTML tags for style)	Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.

I can't respond to every comment. And I can't vouch for the accuracy of others who do.
Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...