
Many Windows components log messages and the Event Viewer displays those messages. Unfortunately, those messages are often cryptic and inconsistent.

What is the Event Viewer? And should I care?

In an ideal world, you'd never care about Event Viewer. In an ideal world, software and hardware would always work, always meet expectations, and there'd never be any need to try and figure out why things are happening the way they are.

In an ideal world, we'd also be able to rely on the Event Viewer for clear and consistent information about what your system and all the applications running on it are experiencing.

Sadly, we do not live in an ideal world. Event Viewer can be a source for excellent clues into system failures and behavior. It can also be a frustrating source of exactly nothing. But it's definitely a tool worth knowing about if you're running Windows NT, 2000, or XP.

There are lots of ways to get to Event Viewer, but I typically hit Start, Run, and type eventvwr. There are typically three logs available:

  • Application: Applications running under Windows are supposed to log their events here.

  • Security: When enabled, Windows logs a host of security-related events here.

  • System: The operating system logs its events here.

If you click on the System node on the left side, you'll get something much like this:

Event Viewer Window

Each line on the right corresponds to one event logged by the system. The event type can be a "Success Audit," informational, a warning, or an error. Information here includes the date and time of the event, the source (the Windows component in this case) of the event, the "category," an event number, the user account in use when the event was logged, and the computer name.

This is where things start to get a little disorganized:

  • There are no hard and fast rules for what constitutes an error, warning, or informational event. In fact, a properly operating system might show error entries in the event logs.

  • As you can see in this listing, "category" is rarely used.

  • Each event is assigned a number. We'll see in a minute how to translate them, but for the moment, this display is rather meaningless to the casual observer.

If you double-click one of the event lines in the right pane, you'll get something like this:

Event Viewer Details

This is actually a fairly useful warning. The error number corresponds to the message displayed in the Description box. Here, my system is telling me that my clock might be off because it wasn't able to reach a time server for an extended period of time. Clearly, just a warning.

However, from my application log comes another all-too-common type of entry:

Event Viewer Details

This "Success Audit" of my run of Office Update is trying to tell me something. Unfortunately, "The Description for Event ID (0) ... cannot be found" is a very common Event Log entry. Often, there will be additional data included that might give a clue as to what was being logged. In this case, it appears to be a successful install of "VSDEBUG_6707_ENG". I think.

And that leads to how things get even more obfuscated in the Event Log: applications, often including the operating system itself, fail to log things correctly or at all. In their defense, the Event Log has a very convoluted interface to program to.

So, should you care? Absolutely. The Event Log is far from perfect, but it can contain valuable data. At worst, it will tell you nothing. At best, it may hold important clues to problems that you may be having with your computer or the applications you're using.

Go ahead and browse around in the Event Viewer. Don't panic when you see lots of warnings or errors. As I said, even a functioning computer will have those. In fact, if you look while your system is functioning normally, you'll get a sense of what "normal" looks like in your Event Log. Then, later when you see items that seem suspicious, out of place, or seem to be related to the problems you're seeing, that's information worth paying attention to.
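
The habit described above, learning what "normal" looks like and then spotting what is out of place, can be scripted. The following is an added example, not part of the original article; it assumes Windows PowerShell with the Get-EventLog cmdlet, and the function names and the baseline file path are hypothetical.

```powershell
# Added example: record which warnings/errors are "normal" on a healthy system,
# then later list only the combinations that were not seen before.
# Assumption: Windows PowerShell 3.0 or later (Get-EventLog reads the classic logs).
# The baseline path and function names below are hypothetical.

$BaselinePath = Join-Path $env:USERPROFILE 'eventlog-baseline.csv'
$Logs = 'Application', 'System'   # add 'Security' when running elevated

function Get-EventSummary {
    param([string[]]$LogName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $LogName) {
        # One row per distinct (source, event number, type), with how often it occurred
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            Group-Object Source, EventID, EntryType |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    Log       = $log
                    Source    = $first.Source
                    EventID   = $first.EventID
                    EntryType = $first.EntryType
                    Count     = $_.Count
                }
            }
    }
}

function Save-EventBaseline {
    # Run this while the system is behaving normally
    Get-EventSummary -LogName $Logs | Export-Csv -Path $BaselinePath -NoTypeInformation
}

function Compare-EventBaseline {
    # Run this when something seems wrong: shows only entries absent from the baseline
    $known = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object {
        $known["$($_.Log)|$($_.Source)|$($_.EventID)|$($_.EntryType)"] = $true
    }
    Get-EventSummary -LogName $Logs -Days 1 | Where-Object {
        -not $known.ContainsKey("$($_.Log)|$($_.Source)|$($_.EventID)|$($_.EntryType)")
    } | Sort-Object Count -Descending
}
```

Run Save-EventBaseline once on a healthy machine, then Compare-EventBaseline later; anything it prints is a warning or error whose source and event number were not part of the recorded "normal".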

Article C1917 - April 2, 2004

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Recent Comments
136 Comments
Laura
March 5, 2012 8:57 AM

Is there a "bad" number for your system's events? I was also falling into the trap of one of the Microsoft scams, but I ended the call before ever giving him information. However, I had never looked at my event viewer before and after that scam call, it got me wondering.... And after reading your article, I am thinking I should be caring a bit more over this number. I have had this computer for more than 3 years and I apparently have over 55,000 events... that seems quite bad. But my computer runs fine enough for me on a daily basis. What do you think?

The event viewer is a mess. Particularly if your computer is working well I wouldn't worry at all about what's in event viewer.
Leo
06-Mar-2012
Glen B
March 13, 2012 11:48 AM

Hi, I have noticed my screen goes off just before login, which never happened before. I used Event Viewer to maybe see if I could get help.

http://imageshack.us/f/703/0001dm.png/

It says about an app slowing the PC down. Any help would be excellent.
Thanks

Robert
March 30, 2012 8:10 PM

Phone call claiming to be from Esoving Global Software asking me to go to "eventvwr" and click ok. I told him that I would contact a PC friend and authenticate his request before I did anything. He claimed his return ph.# was {removed}. Name {removed}. He got nothing.

Kat
May 10, 2012 12:03 PM

I just had a Microsoft scam call about the event viewer. Some company claiming to be local in my area (but with a blocked number) tried to sell me a software warranty based on the items in my event viewer. They have been calling for weeks but I finally picked up today when I saw the number. I asked what they were trying to sell so aggressively since they called so much. The guy claimed he wasn't trying to sell me anything but wanted to help me see errors in my computer which is about to crash. It was all supposed to alarm me, I guess, since there are a lot of error logs and warnings. I had to force him to give me the company web address and saw on whois lookup that it's a company out of India and the website was just created in November 2011. I told him that I admired his persistence but was annoyed with him wasting my time and that he had better not call this number ever again.

patricia ware
May 30, 2012 9:04 AM

I gave the guy my information; is this a bad thing? He had remote control of my computer; I turned it off. Will this stop the remote on their end?

Yes, it's a bad thing. He may have placed malware on your machine that could, indeed, include ongoing remote access. At a minimum I would run up-to-date anti-malware scans asap.
Leo
30-May-2012