What is the Event Viewer, and should I care?

Search First! Then browse: Categories | Full Archive | By Date | Newsletter

Summary: Many Windows components log messages and the Event Viewer displays those messages. Unfortunately those messages are often cryptic and inconsistent.

In an ideal world,you'd never care about Event Viewer. In an ideal world software and hardware would always work, always meet expectations, and there'd never be any need to try and figure out why things are happening the way they are.

In an ideal world we'd also be able to rely on the event viewer for clear and consistent information about what your system and all the applications running on it are experiencing.

Sadly, we do not live in an ideal world. Event viewer can be a source for excellent clues into system failures and behavior. It can also be a frustrating source of exactly nothing. But it's definitely a tool worth knowing about if you're running Windows NT, 2000 or XP.

•

There are lots of ways to get to Event Viewer but I typically hit Start, Run, and type eventvwr. There are typically three logs available:

Application: applications running under Windows are supposed to log their events here.
Security: when enabled Windows can log a host of security-related events which are logged here.
System: the operating system logs its events here.

If you click on the System node on the left hand side you'll get something much like this:

Event Viewer Window

Each line on the right corresponds to one event logged by the system. The event type can be a "Success Audit", Informational, a Warning, or an Error. Information here includes the date and time of the event, the source (the Windows component in this case) of the event, the "category", an event number, the user account in use when the event was logged, and the computer name.

This is where things start to get a little disorganized:

There are no hard and fast rules for what constitutes an error, warning, or informational event. In fact, a properly operating system might show Error entries in the event logs.
As you can see in this listing "category" is rarely used.
Each event is assigned a number. We'll see in a minute how to translate them but for the moment this display is rather meaningless to the casual observer.

If you double click on one of the event lines in the right hand pane you'll get something like this:

Event Viewer Details

This is actually a fairly useful warning. The error number corresponds to the message displayed in the Description box. Here my system is telling me that my clock might be off because it wasn't able to reach a time server for an extended period of time. Clearly, just a warning.

However from my application log comes another all-too-common type of entry:

Event Viewer Details

This "Success Audit"; of my run of Office Update is trying to tell me something. Unfortunately "The Description for Event ID (0) ... cannot be found" is a very common Event Log entry. Often there will be additional data included that might give a clue as to what was being logged. In this case it appears to be a successful install of "VSDEBUG_6707_ENG". I think.

And that leads to how things get even more obfuscated in the event log: applications often including the operating system itself fail to log things correctly or at all. In their defense the event log has a very convoluted interface to program to.

So, should you care? Absolutely. The Event Log is far from perfect but it can contain valuable data. At worst it will tell you nothing. At best it may hold important clues to problems you may be having with your computer or the applications you're using.

Go ahead and browse around in the event viewer. Don't panic when you see lots of warnings or errors; as I said, even a functioning computer will have those. In fact, if you look while your system is functioning normally you'll get a sense of what "normal" looks like in your event log. Then later when you see items that seem suspicious, out of place, or seem to be related to the problems you're seeing, that's information worth paying attention to.

Article C1917 - April 2, 2004

Was this article helpful? «Yes» «No»

Recent Comments

64 Comments

Can we write the data in to the event viewer in windows operating system..if yes.. How???

Posted by: Rakesh at July 29, 2008 4:23 AM

To me, the most mystifying thing about the Event Viewer is what programs were involved. I had one triggering off every 5 minutes, but it wasn't at all obvious what it was and a Google search came up with anything from malware to system and needed. Someone else suggested it was Symantec's updater, and once I eliminated everything that smelled of Symantec on my system that log entry went away. Makes me feel good not to be cluttering up stuff with unnecessary internet requests.

Posted by: Judy at January 1, 2009 12:19 PM

Thanx Leo! It's amazing that people who can write complex computer programs in code often seem to have great difficulty documenting their programs in a spoken language. It never occurred to me to right click a line in the event viewer, and apparently it never occurred to Microsoft to suggest it, either.

Posted by: Mike Maus at April 2, 2009 9:33 AM

event viewer can not be opened and short cut is disabled....how to retain it again..and not exist in administration tools....?
thanks

Posted by: walaa fawzy at December 9, 2009 12:06 AM

Do i need to clear my eventvwr, and is it safe to do so, i am very new to computers so any advice is very welcome

It's safe, but you don't need to anyway.

17-Jan-2010

Posted by: Darren at January 16, 2010 10:45 AM

See all 64 comments...

Post a comment on "What is the Event Viewer, and should I care?":

Name: (Required) Email Address: (Required) (Email Address will not be published.) Remember Me? YesNo	By popular demand... my tip jar Buy Leo a Latte!
Comments: (you may use HTML tags for style)	Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.

Don't spam. Excessive links to unrelated sites within a comment or across multiple comments will cause all such comments to be removed.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.
I can't respond to every comment. And I can't vouch for the accuracy of others who do.

Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...

Question? Ask Leo!

http://ask-leo.com/what_is_the_event_viewer_and_should_i_care.html

Copyright © 2003-2010 Puget Sound Software, LLC and Leo A. Notenboom
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC
Terms, Conditions & Privacy
Product Reviews, Recommendations and Affiliate Links Disclosure