Technical Bulletin-0056r2: Event Viewer and Logs

Date Released: 06.30.2011
Severity: Troubleshooting.
Symptoms: Any unusual activity, system crash, device/service/application issue.
Systems Affected: All computer operating systems create log files of some sort for reference.
Recommendations: Use the Event Viewer to gather reference material about system activities or issues and possible solutions.

Table of Contents
Starting Event Viewer ... 2
Views ... 2
  Windows XP ... 2
  Windows 7 ... 2
Using Event Viewer ... 3
Searching for Resolutions ... 5
Additional ... 6
  Open Event Viewer on Remote Computer ... 6
  Clear an event log by using a command line ... 6
  Additional Considerations ... 7
  Command-line tools ... 7
  Clear all the Event Logs from PowerShell or Command line ... 7
  Delete Event Log Manually ... 8
  Clear event log command line ... 8
  Delete Corrupt Log Files ... 8
    NTFS ... 9
    FAT ... 9
Quick links ... 10
Windows Event Viewer tips and tricks ... 14
  The basics ... 14
  Other issues ... 15
  Subscriptions ... 15
  Run a task ... 16
    Messages ... 16
    Tasks ... 16
Starting Event Viewer
Start (ORB) > Control Panel > Administrative Tools > Event Viewer.

Views
[Screenshots of the Event Viewer window on Windows XP and on Windows 7 appear here in the original.]
Using Event Viewer
The common logs you will be looking at are Application and System. Scroll through the logs and look for Errors and Warnings; right-click an entry and select Properties. Read the Description details and determine whether the entry is relevant to your issue. If not, continue to the next Error or Warning entry. If it is, note the Event ID. At the end of the Description you will find a link to the Microsoft Event ID website.
Enter the Event ID in the "Search for" field and click Go. You will be presented with as much detailed information as is available. Read it thoroughly and note any details that may lead to a solution. In this example, note that:
- This is an Active Directory issue.
- The symbolic name is DIRLOG_IDL_DRS_GET_MEMBERSHIP_ENTRY.
- These details will lead you to post different searches in the Events and Errors Message Center.
Searching for Resolutions
If you do not gain an insight or a solution to the problem, use another search engine such as Google, Bing, or Ask. When using search engines you will find a lot of information and postings about the issue, or similar ones, external to Microsoft, but that is where you should start. Typically you will not be the first to have the issue, so check for solutions from others. This can be a tedious and time-consuming process. Before applying a possible solution, remember to create a system restore point and ensure your data is backed up. Be sure the solution is related to your operating system or application; sometimes there is crossover between solutions. For issues you cannot resolve, or are leery of, ask a professional for their input.
The amount of information you can find is staggering and will take time to digest. Troubleshooting skills are essential when working on or resolving an issue, and they develop over time. So do due diligence and patience.

Additional

Open Event Viewer on Remote Computer
Use Event Viewer to look at other computers' Event Logs. This is very useful for seeing what is going on on another computer without Remote Desktop.

    eventvwr.msc /computer=OTHER_NAME

where OTHER_NAME is the name of the other computer.

Clear an event log by using a command line
1. To open a command prompt, click Start, type cmd in the Start Search box, and then press Enter.
2. Type the following command:
    wevtutil cl <LogName> [/bu:<backup_file_name>]

To learn more about the wevtutil command-line tool, type the following:

    wevtutil cl -?

Additional Considerations
You must have Clear permission on the log to perform this operation. By default, Administrators have permission to clear event logs. To set the Clear permission on a log for other groups, type the following command at a command prompt:

    wevtutil sl <LogName> /ca:<securitydescriptor>

The security descriptor for each log is specified using Security Descriptor Definition Language (SDDL) syntax. To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:
    1 = Read
    2 = Write
    4 = Clear
To see the SDDL string for a log, type the following command at a command prompt:

    wevtutil gl <LogName>

The following example shows how to add Clear permission to the Application log for the Backup Operators group (A;;0x4;;;BO):

    wevtutil sl Application /ca:o:bag:syd:(a;;0xf0007;;;sy)(a;;0x7;;;ba)(a;;0x7;;;so)(a;;0x3;;;iu)(a;;0x3;;;su)(a;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x4;;;BO)

Command-line tools
You can also use command-line utilities to create and query event logs and associate programs with particular logged events. For example, you can use Eventcreate to write a custom event entry to a specified event log. Eventquery.vbs lists the events and event properties from one or more event logs. Eventtriggers enables you to create triggers that run programs when specific events occur.

Clear all the Event Logs from PowerShell or Command line
During development, it may be necessary to look at the Event Logs to debug an application. The Event Log Service records application, security, and system events in Event Viewer. Usually the Event Log is populated by so many entries that it becomes difficult to analyse the issue.
For this reason it may be helpful to clear the logs. This can be done by opening the Event Viewer, browsing to the desired log, and selecting Clear Log from the Actions menu. If you want to clear all the logs at once, you can use the following scripts:

From the Command line:

    for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

From PowerShell (each log name listed by wevtutil el is piped to wevtutil cl):

    wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}
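The following PowerShell script is an added example, not part of the bulletin or of any Microsoft tool. It ties the two preceding sections together: it decodes a channel's SDDL with .NET's RawSecurityDescriptor to show who holds the Clear bit described under Additional Considerations, and it uses the /bu: option of wevtutil cl so that each log is archived before it is cleared rather than discarded as in the one-liners above. The function names and the backup directory are assumptions of this example.

```powershell
# Added example (not part of the bulletin): archive a channel with wevtutil's /bu
# option before clearing it, and report who holds the Clear bit on the channel.
# Run from an elevated PowerShell prompt. $BackupDir is an assumed location.
param(
    [string[]]$LogName   = @('Application', 'System'),
    [string]  $BackupDir = "$env:SystemDrive\EventLogBackups"
)

# Decode a channelAccess SDDL string into one object per ACE, naming the
# Read (1), Write (2) and Clear (4) bits of the access mask.
function Get-ChannelAccess {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $rights = @()
        if ($ace.AccessMask -band 1) { $rights += 'Read' }
        if ($ace.AccessMask -band 2) { $rights += 'Write' }
        if ($ace.AccessMask -band 4) { $rights += 'Clear' }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # SID that does not resolve locally
        [pscustomobject]@{
            Principal = $who
            AceType   = $ace.AceType
            Mask      = '0x{0:x}' -f $ace.AccessMask
            Rights    = $rights -join ','
        }
    }
}

# Archive a channel to a timestamped .evtx and then clear it; channels that are
# already empty are left alone. '/' in channel names is written as '%4', the
# encoding Windows uses in the channel's own .evtx file name.
function Backup-AndClearLog {
    param([string]$Name, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $info  = wevtutil gli $Name | Where-Object { $_ -like 'numberOfLogRecords:*' }
    $count = [int]($info -replace '\D', '')
    if ($count -eq 0) { return "$Name is already empty; not cleared" }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Dir ('{0}-{1}.evtx' -f ($Name -replace '/', '%4'), $stamp)
    wevtutil cl $Name /bu:$file
    if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed for $Name (exit code $LASTEXITCODE)" }
    return "$Name ($count records) archived to $file and cleared"
}

# Offline check on the bulletin's example descriptor (upper-cased): the trailing
# (A;;0x4;;;BO) ACE gives Backup Operators the Clear right.
$sample = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)' +
          '(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x4;;;BO)'
Get-ChannelAccess -Sddl $sample | Where-Object Rights -like '*Clear*' | Format-Table -AutoSize | Out-Host

foreach ($log in $LogName) {
    # 'wevtutil gl' prints the live descriptor on a "channelAccess: ..." line.
    $sddl = (wevtutil gl $log | Where-Object { $_ -like 'channelAccess:*' }) -replace '^channelAccess:\s*', ''
    "== $log"
    Get-ChannelAccess -Sddl $sddl | Where-Object Rights -like '*Clear*' | Format-Table -AutoSize | Out-Host
    Backup-AndClearLog -Name $log -Dir $BackupDir
}
```

The archived .evtx files can be reopened later in Event Viewer (Action > Open Saved Log), so nothing is lost by clearing.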
Delete Event Log Manually
If you want to delete an event log and you cannot find it in the Event Viewer, you can delete it manually:
1. Open Registry Editor (Run > regedit).
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog.
3. Delete all entries with the name of your event log.
4. Go to C:\WINDOWS\system32\config\.
5. Delete the event log file. Note that the file may be locked by services.exe. A tool like Unlocker can be used to release the lock.

Clear event log command line
1. To open a command prompt, click Start, enter cmd in the Start Search box, and press Enter.
2. At the command prompt enter:

    wevtutil cl <LogName> [/bu:<backup_file_name>]

To learn more about the clear log option, enter:

    wevtutil cl -?

Delete Corrupt Log Files
The Event Viewer log files (Sysevent.evt, Appevent.evt, Secevent.evt) are always in use by the system, preventing the files from being deleted or renamed. The EventLog service cannot be stopped because it is required by other services, so the files are always open. This section describes a method to rename or move these files for troubleshooting purposes.

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the Microsoft Knowledge Base article on that topic.

When you launch Windows Event Viewer, the following error message may occur if one of the *.evt files is corrupt:

    The handle is invalid

    Dr. Watson
    Services.exe
    Exception: Access Violation (0xc0000005), Address: 0x76e073d4

When you click OK or Cancel on the Dr. Watson error message, you may also receive the following error message:

    Event Viewer
    Remote Procedure Call failed

The services.exe process may consume a high percentage of CPU utilization.
NTFS
1. Click Start > Settings > Control Panel > Services. Select the EventLog service and click Startup. Change the Startup Type to Disabled, and then click OK. If you are unable to log on to the computer but can access the registry remotely, you can change the Startup value in the following registry key to 0x4: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
2. Restart Windows. When the system starts up, several services may fail; a message informing the user to use Event Viewer to review errors may appear.
3. Rename or move the corrupt *.evt file from the following location: %SystemRoot%\System32\Config
4. In Control Panel > Services, re-enable the EventLog service by setting it back to the default of Automatic startup, or set the registry value back to 0x2.

FAT
Boot to an MS-DOS prompt using a DOS bootable disk.
1. Rename or move the corrupt *.evt file from the following location: %SystemRoot%\System32\Config
2. Remove the disk and restart Windows. A new event log file will be created.
Quick links
To Access: Run Command
Accessibility Controls: access.cpl
Accessibility Wizard: accwiz
Add Hardware Wizard: hdwwiz.cpl
Add/Remove Programs: appwiz.cpl
Administrative Tools: control admintools
Adobe Acrobat (if installed): acrobat
Adobe Designer (if installed): formdesigner
Adobe Distiller (if installed): acrodist
Adobe ImageReady (if installed): imageready
Adobe Photoshop (if installed): photoshop
Automatic Updates: wuaucpl.cpl
Bluetooth Transfer Wizard: fsquirt
Calculator: calc
Certificate Manager: certmgr.msc
Character Map: charmap
Check Disk Utility: chkdsk
Clipboard Viewer: clipbrd
Command Prompt: cmd
Component Services: dcomcnfg
Computer Management: compmgmt.msc
Control Panel: control
Date and Time Properties: timedate.cpl
DDE Shares: ddeshare
Device Manager: devmgmt.msc
DirectX Control Panel (if installed)*: directx.cpl
DirectX Troubleshooter: dxdiag
Disk Cleanup Utility: cleanmgr
Disk Defragmenter: dfrg.msc
Disk Management: diskmgmt.msc
Disk Partition Manager: diskpart
Display Properties: control desktop
Display Properties: desk.cpl
Display Properties (with Appearance tab preselected): control color
Dr. Watson System Troubleshooting Utility: drwtsn32
Driver Verifier Utility: verifier
Event Viewer: eventvwr.msc
Files and Settings Transfer Tool: migwiz
File Signature Verification Tool: sigverif
Findfast: findfast.cpl
Firefox (if installed): firefox
Folders Properties: folders
Fonts: control fonts
Fonts Folder: fonts
Free Cell Card Game: freecell
Game Controllers: joy.cpl
Group Policy Editor (XP Prof): gpedit.msc
Hearts Card Game: mshearts
Help and Support: helpctr
HyperTerminal: hypertrm
IExpress Wizard: iexpress
Indexing Service: ciadv.msc
Internet Connection Wizard: icwconn1
Internet Explorer: iexplore
Internet Properties: inetcpl.cpl
Internet Setup Wizard: inetwiz
IP Configuration (Display Connection Configuration): ipconfig /all
IP Configuration (Display DNS Cache Contents): ipconfig /displaydns
IP Configuration (Delete DNS Cache Contents): ipconfig /flushdns
IP Configuration (Release All Connections): ipconfig /release
IP Configuration (Renew All Connections): ipconfig /renew
IP Configuration (Refreshes DHCP & Re-Registers DNS): ipconfig /registerdns
IP Configuration (Display DHCP Class ID): ipconfig /showclassid
IP Configuration (Modifies DHCP Class ID): ipconfig /setclassid
Java Control Panel (if installed): jpicpl32.cpl
Java Control Panel (if installed): javaws
Keyboard Properties: control keyboard
Local Security Settings: secpol.msc
Local Users and Groups: lusrmgr.msc
Logs You Out Of Windows: logoff
Malicious Software Removal Tool: mrt
Microsoft Access (if installed): msaccess
Microsoft Chat: winchat
Microsoft Excel (if installed): excel
Microsoft FrontPage (if installed): frontpg
Microsoft Movie Maker: moviemk
Microsoft Paint: mspaint
Microsoft PowerPoint (if installed): powerpnt
Microsoft Word (if installed): winword
Microsoft Synchronization Tool: mobsync
Minesweeper Game: winmine
Mouse Properties: control mouse
Mouse Properties: main.cpl
Nero (if installed): nero
NetMeeting: conf
Network Connections: control netconnections
Network Connections: ncpa.cpl
Network Setup Wizard: netsetup.cpl
Notepad: notepad
Nview Desktop Manager (if installed): nvtuicpl.cpl
Object Packager: packager
ODBC Data Source Administrator: odbccp32.cpl
On Screen Keyboard: osk
Opens AC3 Filter (if installed): ac3filter.cpl
Outlook Express: msimn
Paint: pbrush
Password Properties: password.cpl
Performance Monitor: perfmon.msc
Performance Monitor: perfmon
Phone and Modem Options: telephon.cpl
Phone Dialer: dialer
Pinball Game: pinball
Power Configuration: powercfg.cpl
Printers and Faxes: control printers
Printers Folder: printers
Private Character Editor: eudcedit
QuickTime (if installed): QuickTime.cpl
QuickTime Player (if installed): quicktimeplayer
Real Player (if installed): realplay
Regional Settings: intl.cpl
Registry Editor: regedit
Registry Editor: regedit32
Remote Access Phonebook: rasphone
Remote Desktop: mstsc
Removable Storage: ntmsmgr.msc
Removable Storage Operator Requests: ntmsoprq.msc
Resultant Set of Policy (XP Prof): rsop.msc
Scanners and Cameras: sticpl.cpl
Scheduled Tasks: control schedtasks
Security Center: wscui.cpl
Services: services.msc
Shared Folders: fsmgmt.msc
Shuts Down Windows: shutdown
Sounds and Audio: mmsys.cpl
Spider Solitaire Card Game: spider
SQL Client Configuration: cliconfg
System Configuration Editor: sysedit
System Configuration Utility: msconfig
System File Checker Utility (Scan Immediately): sfc /scannow
System File Checker Utility (Scan Once At The Next Boot): sfc /scanonce
System File Checker Utility (Scan On Every Boot): sfc /scanboot
System File Checker Utility (Return Scan Setting To Default): sfc /revert
System File Checker Utility (Purge File Cache): sfc /purgecache
System File Checker Utility (Sets Cache Size to size x): sfc /cachesize=x
System Information: msinfo32
System Properties: sysdm.cpl
Task Manager: taskmgr
TCP Tester: tcptest
Telnet Client: telnet
Tweak UI (if installed): tweakui
User Account Management: nusrmgr.cpl
Utility Manager: utilman
Windows Address Book: wab
Windows Address Book Import Utility: wabmig
Windows Backup Utility (if installed): ntbackup
Windows Explorer: explorer
Windows Firewall: firewall.cpl
Windows Magnifier: magnify
Windows Management Infrastructure: wmimgmt.msc
Windows Media Player: wmplayer
Windows Messenger: msmsgs
Windows Picture Import Wizard (camera must be connected): wiaacmgr
Windows System Security Tool: syskey
Windows Update Launches: wupdmgr
Windows Version (shows which version of Windows): winver
Windows XP Tour Wizard: tourstart
Wordpad: write
Windows Event Viewer tips and tricks
The Event Viewer can tell you of impending PC problems, and it can be set up to fix them automatically. You will find that the tool has many useful features. It can be difficult to find important events using the default settings; creating a custom view will help you get at the data that matters. If you have a network, you can configure one copy of the Event Viewer to collect events from several computers and manage them centrally. One feature allows you to run any program or task when an event occurs.

The basics
Event Viewer acts as a log for various applications and Windows components. You can access Event Viewer at Start > Control Panel > Administrative Tools > Event Viewer, or select Start, type eventvwr.msc and select Event Viewer. The logs are presented in reverse chronological order, so the most recent events are at the top and as you scroll down you move back in time. There are detailed error messages for application and system crashes.
Other issues
If you are having any kind of computer issue, use Event Viewer as your first port of call. Event Viewer provides methods to sort the relevant data. The Windows 7 Event Viewer opens with a useful 'Summary of Administrative Events'. Particularly important event types, such as 'Critical', 'Error' and 'Warning', are listed right at the top and you can expand these to find out more. Trying this on our test system revealed seven disk errors in the past week. Double-clicking the entry revealed the details, and it turned out one of our drives was experiencing controller errors. Could the drive be about to fail? We're not sure, but at least the Event Viewer has given us a warning so we can back it up.

Another option is to expand the 'Applications and Services Logs' section of the viewer. This area contains logs dedicated to applications and areas of your system, such as hardware events, Internet Explorer and Media Center. Browse to 'Applications and Services Logs > Microsoft > Windows > Diagnostics-Performance > Operational' and you will find information about your PC's boot and shutdown processes. Events there identify the applications that are slowing your PC's boot. There are also general warning events, such as 'Video memory resources are over-utilized', and the hard disk thrashing that happens as a result.

Subscriptions
The Event Viewer isn't only able to reveal issues with your own PC. It can also collect information from Vista or Windows 7 systems across your network, so you can troubleshoot many problems from the comfort of your own desktop. To set this up you must prepare the remote computers to forward events. First launch an elevated command prompt on each of these (right-click the 'cmd.exe' link and select 'Run as administrator'), then enter the command:

    winrm quickconfig

Next, go to the central PC where you'll be collecting these events, launch another elevated command prompt and enter the command:

    wecutil qc
You can then launch the Event Viewer on the collecting computer, click 'Subscriptions > Create subscription' and tell the system exactly which events you'd like to collect from which computers. These will then appear in the log you specify, and you'll be able to view and filter them just as you can events on your own computer. In practice there are typically some complications. You might have to specifically allow the Remote Event Log Management process to connect through your firewall, or you may need to add an account with administrator privileges to the Event Log Readers group on each of the remote PCs. Check the Event Viewer help file under 'Manage subscriptions' for more details.

Run a task
The Event Viewer can also be dynamic, responding to events with a specific message or action.

Messages
Launch Event Viewer and expand 'Applications and Services Logs'. Right-click the log of your choice and select 'Attach a task to this log'. Click 'Next' twice, choose the 'Display a message' option, and click 'Next' again. Enter a title for your message, then the message itself, and click 'Next'. Click 'Finish'. Windows will display a pop-up alert with your chosen message whenever an event is written to this particular log. You can also attach a task to a specific event. If you see something that might be really important, like a message that a hard drive is returning controller errors, right-click it, select 'Attach a task to this event' and the wizard will appear. With a few steps, you can ensure that you're informed directly about important events.

Tasks
Perhaps most usefully, the Event Viewer can also launch a task in response to a particular event. If your system is regularly displaying some low-level drive error, for example, you could automatically launch Windows chkdsk or some other drive error checker to confirm that all is well. If you're running short of hard drive space and related events are appearing, you could have this launch something like Disk Cleanup to free up space. The principle is the same: right-click an event and select 'Attach a task to this event' to launch the Create Basic Task Wizard. When you get to the 'Action' step, select 'Start a program'. Click 'Next', choose your program or script and any optional command-line arguments, and click 'Next' to finish the wizard; your configuration is complete.
Windows will respond automatically to events as they occur, which can mean your problems are fixed before they become a serious issue.

END