Written by
Yuri ZhangSummary: This post provides a concrete explanation of Event Viewer, the purpose or benefits of using Event Viewer, and how to use it in practice in depth from m3datarecovery.com. You can also spot common Event Viewer commands here.
The name Event Viewer may remind you that it can recall what operations you have done on your computer or things like history sites. In fact, it's not true. Then Event Viewer does not record every single action you perform on your computer, such as browsing history or specific application operations. What Event Viewer can record and perform will be unveiled gradually.
To get a clearer picture of Event Viewer, let's dive into what exactly is Event Viewer, Windows logs in Event Viewer, Event Viewer commands, and how to use Event Viewer in this post.
What is Event Viewer
Event Viewer has been a long-standing feature in Windows and has been available since the early versions of Windows NT. Event Viewer is supported on all major versions of Windows, from Windows NT to Windows 11, including corresponding server editions.
The Event Viewer is a tool used to monitor and manage system events on a computer, particularly within the Windows operating system. It allows users to view detailed logs of system activities, errors, warnings, and information messages generated by the operating system and various applications.
What is Event Viewer used for
Event Viewer helps in diagnosing system and application errors. It logs detailed information about crashes, errors, and warnings, which can be used to identify and resolve problems. It records events related to system performance, allowing users to monitor the health and performance of their computers over time.
Security-related events, such as login attempts and access to secure files, are logged. This is useful for monitoring unauthorized access and ensuring system security. Developers and IT professionals can use Event Viewer to track the behavior of applications, detect issues, and ensure they are running as expected.
Routine maintenance tasks and system updates are logged, providing a history of changes and updates applied to the system. In environments where compliance with certain regulations is necessary, Event Viewer can provide a record of system activity that may be required for audits.
What Event Viewer can record
Since Event Viewer does not record browsing history and detailed application operations, it only consists of types of events or kinds of Windows logs (contains the primary logs: Application, Security, Setup, System, Forwarded Events) as follows.
- Application: Logs related to applications.
- Security: Logs related to security events such as login attempts.
- System: Logs related to system events and operations.
- Setup: Logs related to system setup and installation events.
- Forwarded Events: Logs forwarded from other computers.
- Applications and Services Logs: Contains logs for specific applications and services.
Share this to help more people in cyberspace.
Where is Event Viewer stored?
The Event Viewer application itself is a built-in tool in Windows, and the logs it displays are stored as files on your system. Here's the Event Viewer logs location as follows. These stored logs provide a history of system and application events, which are essential for monitoring, troubleshooting, and auditing purposes.
Firstly, the event logs files are stored in the C:\Windows\System32\winevt\Logs directory by default. These files have the .evtx extension. For example, you might find files like Application.evtx, System.evtx, and Security.evtx in this directory.
Accessing Logs through Event Viewer:
Secondly, to view and manage these logs, you use the Event Viewer application. You can open Event Viewer by pressing Windows + R, typing eventvwr, and pressing Enter.
Thirdly, some settings related to event logging, such as the log size and retention policies, are stored in the Windows Registry. These settings can be found by pressing Win + R, typing regedit, and pressing Enter. Then type the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
Fourthly, in enterprise environments, logs can be collected from remote systems and centralized using features like event subscriptions and forwarding.
Look forward to your voluntary action to share.
How to use Event Viewer in Windows
Using the Event Viewer involves several steps, including opening the tool, navigating through different logs, filtering events, and exporting logs. Some steps can be neglected if you don't need them such as setting up subscriptions. Here's a step-by-step guide:
- To open Event Viewer, press Windows + R to open the Run dialog box. Type eventvwr and press Enter.
- Once Event Viewer is open, you will see a navigation pane on the left side with several Windows log categories such as Applications and Services Logs.
- To view and analyze logs, select a log category (e.g., Application). In the middle pane, you will see a list of events. Click on an event to see detailed information in the bottom pane.
- To filter events, right-click on the log category (e.g., Application) and select Filter Current Log. Set criteria such as Event Level (Information, Warning, Error), Event Source, Date, and more. Click OK to apply the filter.
- To search events, click on the Find option in the right pane and Enter keywords or event IDs to search for specific events.
- To create custom views, in the right pane, click on Create Custom View. Set the criteria for the custom view (e.g., specific Event Levels, event sources, time range). Save the custom view by giving it a name and description.
- To view Event Viewer export logs, right-click on a log category (e.g., Application) and select Save All Events As..., then choose a file format (e.g., .evtx, .xml, .csv, .txt) and specify the location to save the log file.
- To set up subscriptions (for Enterprise Use), in the left pane, right-click on Subscriptions and select Create Subscription. Configure the subscription to collect logs from remote computers.
Note: After identifying the issue using Event Viewer by checking the logs, you can use the corresponding methods or tools to solve the issue.
Event Viewer command
You can also use Command Prompt to use Event Viewer at an advanced level, here are common commands:
To open Event Viewer:eventvwr
List all event logs available on the system:wevtutil el
Export event logs:wevtutil epl <LogName> <FileName.evtx>
Example to export the specified log (e.g., System) to a file:wevtutil epl System C:\Logs\SystemLog.evtx
Clear event logs:wevtutil cl <LogName>
Example to clear the specified log (e.g., System):wevtutil cl System
Query event logs:wevtutil qe <LogName> /q:"<XPathQuery>" /f:text
Example to query logs, this command queries the System log for events with a Level of 2 (Errors) and formats the output as text.:wevtutil qe System /q:"*[System[(Level=2)]]" /f:text
Share this knowledge if you find it useful.