Many Windows components log messages and the Event Viewer displays those messages. Unfortunately, those messages are often cryptic and inconsistent.
What is the Event Viewer? And should I care?
In an ideal world, you'd never care about Event Viewer. In an ideal world, software and hardware would always work, always meet expectations, and there'd never be any need to try and figure out why things are happening the way they are.
In an ideal world, we'd also be able to rely on the Event Viewer for clear and consistent information about what your system and all the applications running on it are experiencing.
Sadly, we do not live in an ideal world. Event Viewer can be a source for excellent clues into system failures and behavior. It can also be a frustrating source of exactly nothing. But it's definitely a tool worth knowing about if you're running Windows NT, 2000, or XP.
There are lots of ways to get to Event Viewer, but I typically hit Start, Run, and type eventvwr. There are typically three logs available:
If you click on the System node on the left side, you'll get something much like this:
Each line on the right corresponds to one event logged by the system. The event type can be a "Success Audit," informational, a warning, or an error. Information here includes the date and time of the event, the source (the Windows component in this case) of the event, the "category," an event number, the user account in use when the event was logged, and the computer name.
This is where things start to get a little disorganized:
There are no hard and fast rules for what constitutes an error, warning, or informational event. In fact, a properly operating system might show error entries in the event logs.
As you can see in this listing, "category" is rarely used.
Each event is assigned a number. We'll see in a minute how to translate them, but for the moment, this display is rather meaningless to the casual observer.
If you double-click one of the event lines in the right pane, you'll get something like this:
This is actually a fairly useful warning. The error number corresponds to the message displayed in the Description box. Here, my system is telling me that my clock might be off because it wasn't able to reach a time server for an extended period of time. Clearly, just a warning.
However, from my application log comes another all-too-common type of entry:
This "Success Audit" of my run of Office Update is trying to tell me something. Unfortunately, "The Description for Event ID (0) ... cannot be found" is a very common Event Log entry. Often, there will be additional data included that might give a clue as to what was being logged. In this case, it appears to be a successful install of "VSDEBUG_6707_ENG". I think.
And that leads to how things get even more obfuscated in the Event Log: applications, often including the operating system itself, fail to log things correctly, or at all. In their defense, the Event Log has a very convoluted interface to program to.
So, should you care? Absolutely. The Event Log is far from perfect, but it can contain valuable data. At worst, it will tell you nothing. At best, it may hold important clues to problems that you may be having with your computer or the applications you're using.
Go ahead and browse around in the Event Viewer. Don't panic when you see lots of warnings or errors. As I said, even a functioning computer will have those. In fact, if you look while your system is functioning normally, you'll get a sense of what "normal" looks like in your Event Log. Then, later when you see items that seem suspicious, out of place, or seem to be related to the problems you're seeing, that's information worth paying attention to.
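One way to capture what "normal" looks like and later spot what is new, as an added PowerShell example that is not part of the original article. It assumes a Windows version with PowerShell and the Get-WinEvent cmdlet (Vista or later); the function name Get-EventSignature, the parameters, and the baseline file path are hypothetical choices made for this example.

```powershell
# Added example: baseline a log, then list warning/error signatures not seen before.
# Assumes Get-WinEvent is available; the baseline path is a placeholder.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$LogName = 'System',
    [int]$Days = 7,
    [string]$BaselinePath = "$env:USERPROFILE\eventlog-baseline.csv"
)

function Get-EventSignature {
    param([string]$LogName, [datetime]$Since)
    # Levels: 1 = Critical, 2 = Error, 3 = Warning (informational events are skipped).
    $filter = @{ LogName = $LogName; Level = 1, 2, 3; StartTime = $Since }
    # SilentlyContinue hides the "no events found" error when the log is quiet.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property ProviderName, Id, LevelDisplayName |
        ForEach-Object {
            $newest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
            [pscustomobject]@{
                Source   = $newest.ProviderName
                EventId  = $newest.Id
                Level    = $newest.LevelDisplayName
                Count    = $_.Count
                LastSeen = $newest.TimeCreated
            }
        }
}

$current = @(Get-EventSignature -LogName $LogName -Since (Get-Date).AddDays(-$Days))

if ($Mode -eq 'Baseline') {
    # Run this while the machine is behaving normally.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Saved {0} event signatures to {1}" -f $current.Count, $BaselinePath
    return
}

# Compare mode: keep only source + event ID + level combinations absent from the baseline.
$known = @{}
Import-Csv -Path $BaselinePath | ForEach-Object {
    $known["$($_.Source)|$($_.EventId)|$($_.Level)"] = $true
}
$current |
    Where-Object { -not $known.ContainsKey("$($_.Source)|$($_.EventId)|$($_.Level)") } |
    Sort-Object -Property LastSeen -Descending |
    Format-Table -AutoSize
```

Run it once with -Mode Baseline on a healthy system, then with the default Compare mode when something seems off; pass -LogName Application to do the same for the application log.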