Check the system event log for error messages

macOS, Linux, and Windows OS are the three operating systems that have the most number of users worldwide. If you want to know which operating system crashes the most, you should ask any tech nerd. Then everyone will say that there is no operating system that does not crash, but the Windows operating system has the most crashes, freezes, and hangs out of all operating systems.

There are several potential causes of a computer crash, some of which are flaws with the hardware, some with the operating system, and still others with software. Some of the popular and well-known issues are :

1 Virus and malware.

2 Corrupted OS and third party Software

3 Outdated and Corrupted Drivers.

4 Insufficient and low capacity hardware resources like CPU, RAM, and Harddisk.

5 Overheating Systems, Faulty Manufacturing.

6 InCompatible Software

7 Unreliable or unstable source of power supply

Actually finding errors and troubleshooting errors is a difficult task. Instead of doing random things from random advice which may be poorly stated the problem, the best solution is to try and read this blog thoroughly which helps you to understand the problem and solve it accordingly.

One thing to note is that finding and fixing crashes may take time. Some can be fixed soon and some may take days. These steps mentioned here help in identifying and narrowing down the problem that you are facing with your pc.

Find Windows 10 / 11 Errors Logs Using Event Viewer

When your hardware or software of the system crashes, hangs, or freezes then the operating system generates and maintains a crash log record to identify the causes of the crashes. Windows Operating System maintains this log-in Event Viewer.

Event Viewer captures all the information like how your system software and drivers are loaded. That captured information can be of various types like errors types, informational types, warning types, success audit types, alert types, notice types, and debug types failure audit types. Though there are a large amount of data in logs, our mission should be to find and filter specific problem.

Event Severity Types:

There are mainly 3 event severity types: Information, Warning, and Error.

Follow the below steps for finding errors in Event Viewer.

1 Goto search bar and type event and select Event Viewer from the list.

Event Viewer will be opened up as shown below.

As soon as you opened the event viewer, you will get a summary of Administrative Events which provides various event type information as shown below.

Here, we can see, that within 7 days, 142 Error Levels are detected, 9 within 24 hours, and 2 within the last hour.

Similarly, you can find other event types like a warning, informational, and audit success information.

For finding out error and crashes log information, we will focus on two logs.

• Windows Logs
• Applications and Services Logs 

Now, let’s find out the simple errors.

2 Under Windows Logs, click on System. Then on the main panel, you will find all the log information. Scroll down in the main panel, you will find the Error Level log as shown below.

It provides information like when was this error recorded, its Event Id, Task Category, Source from where the error occurs, etc. When you click on the error you will get general and detailed information about the error.

General Tab shows general information.

Detail Tab shows raw event data and you can view those data in Friendly View as well as XML View.

Create Custom View of Error Logs

We can create and filter the custom views of the logs so that we can view only a particular level. 

1 Click on Create Custom View located at the top-right pane as shown below.

2 Select Error from Event Level and under Event Logs dropdown select  Windows Logs > System and press Ok.

Here, I am filtering Error Level for System Category.

3 Give a name for Custom View. Here I have given «Windows System Error Logs» as shown below.

4 Those custom views are recorded under the Custom Views folder located at the top left pane.

As I have just created a «Windows System Error Logs» custom view, click on it. And we will get all error which is present under Windows Log > System.

We can easily archive those error and crashes in various format like .evt, .txt, .csv etc.

Find Windows 10 / 11 Errors Log Using Powershell

Powershell is a powerful Microsoft tool that provides a command-line interface for task automation and configuration management framework.

Let’s find out error logs using Powershell.

Syntax:

Get-EventLog -Log LogName | where {$_.entryType -match «LogType«}

Eg. Finding Error Level Log from Windows System records related to programs installed on the system.

Get-EventLog -Log system  | where {$_.entryType -match «Error«}

or simply

Get-EventLog -LogName System -EntryType Error

Now, 

let’s get the newest 15 error log from System Event.

Get-EventLog -LogName System -Newest 15 -EntryType Error

Here, instead of 15, you can use any number.

Find Windows 10 / 11  Crashes and Error Logs using Reliability Monitor

Windows 7 introduced Reliability Monitor features and later adopted them in Windows 8,8.1,10 and 11. Reliability Monitor gives a quick overview of how your system is. It describes errors, warnings, and crash information in graphical format in a much more readable way. Overall, Reliability Monitor tells about how reliable and stable your system has been.

So, let’s find Windows 10 crashes and error logs using Reliability Monitor.

1 Goto search bar and type reliability and then select «view reliability history» from the list.

Reliability Monitor looks like this:

It has a stability Score ranging from one to ten. And, according to your system, its score changes on a regular basis. The horizontal line in the figure above clearly shows that on 5/24/2021, the stability index is around 5, and the system was performing well up to 6/2/2021. The stability score then fell on 6/3/2021.

It has 4 different categories. As shown in the right red rectangle above.

• Application Failures: These tracks like unexpectedly closed the application, applications not responding information, etc.
• Windows Failures: This tracks Operating system failed to start, OS crashes, driver failure, etc.
• Miscellaneous Failures: Other failures not included in application and windows failures.
• Warnings: such as Unable to update windows etc.
• Information: such as Successful windows update.

Here in the chart, critical Errors are shown by red circles, warnings are shown by yellow triangles, and information is shown in blue circles. Note that: Warning and information are not taken while calculating the stability index.

In the graph, we can see that the first error took place on 5/24/2021, as indicated by the red X circle. This error is connected to application failures, as the graph shows. On June 5th, 2021, we can see that problems and faults relating to applications and windows have happened. On the same day, we can also see that warnings and informational messages have been displayed.

When you click on any row in the chart, you will get respective date failures(if any)/warning(if any)/information(if any) just below the chart.

When clicked on the row of date: 6/3/2021, those errors are shown as below. Here we can clearly see that system is having critical errors as Windows Hardware errors and Asus System Analysis Stopped working error. Also, it is showing Windows Update failure warning and Windows.

Find Windows 10 / 11 crashes log with the help of the Windows Memory Dump File

If your Windows system crashes and you want to record the issue and prevent/troubleshoot it from happening again, a Windows Memory dump file may be useful. It helps in the recovery of information from a crashed computer. It contains an error message associated with a blue-screen of death(BSOD). (Tested in Both Windows 10 and Windows 11)

If your system is currently running, enable a memory dump to collect memory dumps if the freeze issue occurs again.

1 Goto run and type: sysdm.cpl and press enter.

2 Click on the Advance tab 

3 Under the Startup and Recovery section, click on Settings.

4 Then Check «Write an event to the system log» and uncheck «Automatically restart» 

5 Select «Complete Memory Dump» if you have a large disk size otherwise select a Small memory dump(256 KB) if you have limited disk space.

6 Select «Overwrite any existing file» to overwrite the existing file.

7 Click on the Ok button.

Now when your system crashes and you want to find crashed information then you will get it at path «%SystemRoot%MEMORY.DMP»

Note: To create a memory dump file, Windows requires at least a 2 MB paging file on the boot volume.

Find Windows 10 / 11 Crashes and Error Logs using Third-Party Software

There are lots of Windows 10 / 11 Event Logs third-party software which can be handy for you. So here is the list of some commonly used Windows 10 Event Logs Viewer for Finding Crashes and Error Logs

1 SysMon

Sysmon (System Monitor) is a component of SysInternals Tools. It is a Windows system service and device driver. Once installed, it remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information on what is happening in the operating system, such as process creation, network connections, and changes to file creation time.

Download

2 Splunk 

Splunk Cloud Platform can be used to monitor Windows Event Log channels. Splunk universal or heavy forwarder is utilized here to collect data and send it to Splunk Cloud Platforms.

Download

3 Event Log Explorer

Event Log Explorer is a powerful software tool that allows you to observe, analyze, and monitor Windows Event Log activities. Event Log Explorer significantly simplifies and accelerates event log examination of all types, including security, system, application, setup, DNS, and others.

Download

4 LOGalyze

Logalyze is open-source software that is free and lightweight for centralized log management and network monitoring.LOGalyze can analyze server and application logs and can report data in PDF, CSV, and HTML format. It is compatible with both Linux and Windows operating systems.
It also offers powerful search capabilities and can detect real-time events in services distributed across multiple nodes.

Download

5 SnakeTail

SnakeTail is another Windows Tail log analyzer tool for monitoring large text files and Windows Event Logs with no administrative rights.

Download

How to Fix Crash in Windows 10 and Windows 11?

 You can fix or reduce the crashing issue on Windows 10 or 11 by following the steps below.

1 Reboot your PC: It’s possible that simply restarting your computer will solve the problem. It will clean the memory and put a stop to any processes that are hogging your resources, such as RAM and CPU, for no apparent reason. A reboot can fix problems with hardware and peripheral devices as well.

2 Disable CPU Overclocking: There are situations when your CPU will crash due to overheating, and the overheating could be caused by an overclocked CPU. Stopping the CPU from being overclocked is therefore one technique to prevent the overheating and crashing issue.

3 Updates Driver from Guenine Source: Keeping your drivers up to date and updating those that are out of date can prevent your computer from crashing.
An obsolete driver or missing updates or corrupted updates could be responsible for a BSOD that prevents you from accessing the desktop.

If you experience crashes in your programs, such as Zoom, Skype, and games, then you probably blame this application; however, this does not always happen, and the problem could be with your driver; thus, you should update your driver as soon as you can.

4 System Restore: If you are having issues with the functionality of your Windows machine, you can use the System Restore feature to revert the system files, program files, and registry information to an earlier version themselves. If these files are damaged or corrupted in any way, using System Restore to restore them to an earlier point in time will fix the issue for you.

5 Scan your system for the error

You can try any of the below commands to scan your system.

sfc /scannow

When you use the command sfc /scannow, it will check all of the protected system files and, if any of them are corrupted, it will replace them with a cached duplicate that is stored in a compressed folder at the path %WinDir%System32dllcache

You can try DISM Command: The Dism command does a check for corruption and fixes any issues that it discovers with the operating system into which you are currently logged.

dism.exe /online /cleanup-image /restorehealth

FAQ:

1 What are the most common crashes in Windows OS?

Ans: Almost all the crashes and error logs of windows OS can be found in Event Viewer. Event Log can tell you why and when a crash occurred.

There are 3 most common crashes in Windows OS are :

• Unexpected Shutdown and restart.
•  Application Hangs
• Application Level Fault.

2 Where to find startup problems?

Ans: You can find boot/startup logs in Event Viewer, Reliability Monitor, and Boot Logs.

You can look above for the Event Viewer method and reliability monitor methods. Here I will explain using Boot Logs. Actually, Boot Logs contains both Successful as well as unsuccessful information that occurs during boot. Those logs are found in the Ntbtlog.txt file.

3 What is BSOD?

BSOD stands for Blue Screen Of Death. As a name, they are a kind of fatal windows system crash displayed in Blue Screen as shown below.

BSOD signifies a system crash in which the operating system is unable to operate safely. The General Cause of BSOD is hardware and software driver issues.

4 How to fix Windows Corrupted System Files?

If there are corrupted system files in Windows, then SRC(System File Checker) can fix most of them.

• Open Command Prompt with admin privileges.
• Type the below command and press Enter

sfc /scannow

Then wait for the process to complete.

Can I Clear Error Log in Windows 11 ?

Ans: You are free to go. Windows Error Logs are small in size and can be left as it is. You should not be concerned about them at all.You are free to clear them if you wish.

Introduction

Acronis software may give errors, freeze or produce other undesired effects when there are issues with parts of the computer environment it operates in:

Examples of error messages in Acronis software, when you would want to check the environment:

Unable to create volume snapshot

Failed to read snapshot

Failed to read from sector…

Failed to read from disk…

Failed to write the snapshot manager volume

Various types of read and write errors

Input/Output (I/O) errors

Errors referencing \?GLOBALROOTDevice…

Cyclic redundancy check (CRC) error

Failed to enumerate directory

WMI ExecQuery failed

MFT bitmap corrupted

The semaphore timeout period has expired

Solution

Acronis has developed a free tool that automates the process of checking the environment particularly for Volume Shadow Copy Service (VSS)-related issues: Acronis VSS Doctor. This tool saves time on gathering and analyzing diagnostic information from various sources, including Windows Event Log, but it does not cover all possible root causes and applies to VSS-related issues only.

A more universal approach consists in checking Windows Event Log for issues with computer environment using Windows Event Viewer:

1. Open Windows Start Menu.

2. Type Event Viewer and press Enter:

If Windows Search does not find Event Viewer by name, press the combination of the button with Windows logo on keyboard and R, and run the command evenvwr.msc

3. Windows Event Viewer will open:

4. Navigate to Windows Logs — System:

5. Click Filter Current Log… on the right panel:

6. Mark Critical, Error and Warning checkboxes in the upper part of the window, click OK to apply the filter:

7. At this point you can click OK and review the recent warnings and errors, recorded in the System event log, and look for any information related to the issue observed in Acronis software. Pay special attention to events registered at the time the issue occurred, or just before that:

8. As there may be many unrelated events, you can narrow the search further, by applying the following suggested filter. Click Filter Current Log.. again:

9. Expand Event sources list:

10. Scroll through the list and mark the following items:

Short list (most popular sources of errors):

disk

Disk

Ntfs

Ntfs (Microsoft-Windows-Ntfs)

Ntfs (Ntfs)

Extended list (click to expand)

11. Click OK and review the filtered list of events. Your further actions will depend on what parts of the environment were reported to have issues and on their current status:

12. When troubleshooting a VSS or WMI-related issue, it is useful to also check warnings, errors and critical events under Windows Logs — Application section. In addition to troubleshooting issues with Windows environment, Application logs are also used to detect application crash and hang events.

Further troubleshooting

Look up the detailed error/warning text, as well as the Event ID number on the Internet. Issues with environment are common and are likely to have a solution or a workaround already documented or described.

If you are not sure if the found errors and warnings could be the cause of the issue with Acronis software, contact Acronis Support with a system report and screenshots of the issue with Acronis, log of the operation in Acronis (if any) and the found records in Windows Event Log.

Журнал событий Windows (Event Log) — это важный инструмент, который позволяет администратору отслеживать ошибки, предупреждения и другие информационные сообщения, которые регистрируются операционной системой, ее компонентами и различными программами. Для просмотра журнала событий Windows можно использовать графическую MMC оснастку Event Viewer (
eventvwr.msc
). В некоторых случаях для поиска информации в журналах событий и их анализа гораздо удобнее использовать PowerShell. В этой статье мы покажем, как получать информацию из журналов событий Windows с помощью командлета Get-WinEvent.

На данный момент в Windows доступны два командлета для доступа к событиям в Event Log: Get-EventLog и Get-WinEvent. В подавляющем большинстве случаев рекомендуем использовать именно Get-WinEvent, т.к. он более производителен, особенно в сценариях обработки большого количества событий с удаленных компьютеров. Командлет Get-EventLog является устаревшим и использовался для получения логов в более ранних версиях Windows. Кроме того, Get-EventLog не поддерживается в современных версиях PowerShell Core 7.x.

Получение логов Windows с помощью Get-WinEvent

Для использования команды Get-WinEvent нужно запустить PowerShell с правами администратора (при запуске Get-WinEvent от имени пользователя вы не сможете получить доступ к некоторым логам, например, к Security).

Для получения списка событий из определенного журнала, нужно указать его имя. В данном примере мы выведем последние 20 событий из журнала System:

Get-WinEvent -LogName Application -MaxEvents 20

Можно выбрать события сразу из нескольких журналов. Например, чтобы получить информацию о ошибках и предупреждениях из журналов System и Application за последние 24 часа (сутки), можно использовать такой код:

$StartDate = (Get-Date) - (New-TimeSpan -Day 1)
Get-WinEvent Application,System | Where-Object {($_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning") -and ($_.TimeCreated -ge $StartDate )}

Чтобы вывести только определенные поля событий, можно использовать Select-Object или Format-Table:

Get-WinEvent -LogName System | Format-Table Machinename, TimeCreated, Id, UserID

Можно выполнить дополнительные преобразования с полученными данными. Например, в этом примере мы сразу преобразуем имя пользователя в SID:

Get-WinEvent -filterhash @{Logname = 'system'} |
Select-Object @{Name="Computername";Expression = {$_.machinename}},@{Name="UserName";Expression = {$_.UserId.translate([System.Security.Principal.NTAccount]).value}}, TimeCreated

Get-WinEvent: быстрый поиск в событиях Event Viewer с помощью FilterHashtable

Рассмотренный выше способ выбора определенных событий из журналов Event Viewer с помощью Select-Object прост для понимая, но выполняется крайне медленно. Это особенно заметно при выборке большого количества событий. В большинстве случаев для выборки событий нужно использовать фильтрацию на стороне службы Event Viewer с помощью параметра FilterHashtable.

Попробуем сформировать список ошибок и предупреждений за 30 дней с помощью Where-Object и FilterHashtable. Сравнима скорость выполнения этих двух команд PowerShell с помощью Measure-Command:

$StartDate = (Get-Date).AddDays(-30)

Проверим скорость выполнения команды с Where-Object:

(Measure-Command {Get-WinEvent Application,System | Where-Object {($_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning") -and ($_.TimeCreated -ge $StartDate )}}).TotalMilliseconds

Аналогичная команда с FilterHashtable:

(Measure-Command {Get-WinEvent -FilterHashtable @{LogName = 'System','Application'; Level =2,3; StartTime=$StartDate }})..TotalMilliseconds

В данном примере видно, что команда выборки событий через FilterHashtable выполняется в 30 раз быстрее, чем если бы обычный Where-Object (
2.5
сек vs
76
секунд).

Если вам нужно найти события по EventID, используйте следующую команду с FilterHashtable:

Get-WinEvent -FilterHashtable @{logname='System';id=1074}|ft TimeCreated,Id,Message

В параметре FilterHashtable можно использовать фильтры по следующим атрибутам событий:

• LogName
• ProviderName
• Path
• Keywords (для поиска успешных событий нужно использовать значение 9007199254740992 или для неуспешных попыток 4503599627370496)
• ID
• Level (1=FATAL, 2=ERROR, 3=Warning, 4=Information, 5=DEBUG, 6=TRACE, 0=Info)
• StartTime
• EndTime
• UserID (SID пользователя)
• Data

Пример поиска события за определенный промежуток времени:

Get-WinEvent -FilterHashTable @{LogName='System'; StartTime=(get-date).AddDays(-7); EndTime=(get-date).AddHours(-1); ID=1234}

Если нужно найти определенный текст в описании события, можно использовать такую команду:

Get-WinEvent -FilterHashtable @{logname='System'}|Where {$_.Message -like "*USB*"}

Расширенный фильтры событий Get-WinEvent с помощью FilterXml

Фильтры Get-WinEvent с параметром FilterHashtable являются несколько ограниченными. Если вам нужно использовать для выборки событий сложные запросы с множеством условий, нужно использовать параметр FilterXml, который позволяет сформировать запрос на выбор событий в Event Viewer с помощью XML запроса. Как и FilterHashtable, фильтры FilterXml выполняется на стороне сервера, поэтому результат вы получите довольно быстро.

Например, аналогичный запрос для получения последних ошибок из журнала System за последние 30 дней может выглядеть так:

$xmlQuery = @'
<QueryList>
<Query Id="0" Path="System">
<Select Path="System">*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]</Select>
</Query>
</QueryList>
'@
Get-WinEvent -FilterXML $xmlQuery

Для построения кода сложных XML запросов можно использовать графическую консоль Event Viewer:

1. Запустите
   eventvwr.msc
   ;
2. Найдите журнал для которого вы хотите создать и выберите Filter Current Log;
3. Выберите необходимые параметры запроса в форме. В этом примере я хочу найти события с определенными EventID за последние 7 дней от определенного пользователя;
4. Чтобы получить код XML запроса для параметра FilterXML, перейдите на вкладку XML и скопируйте полученный код (CTRL+A, CTRL+C);
5. Если нужно, вы можете вручную отредактировать данный запрос.

Для экспорта списка событий в CSV файл нужно использовать командлет Export-CSV:

$Events= Get-WinEvent -FilterXML $xmlQuery
$events| Export-CSV "C:psFilterSYSEvents.csv" -NoTypeInformation -Encoding UTF8

Получить логи Event Viewer с удаленных компьютеров

Для получения события с удаленного компьютер достаточно указать его имя в параметре -ComputerName:

$computer='msk-dc01'
Get-WinEvent -ComputerName $computer -FilterHashtable @{LogName="System"; StartTime=(get-date).AddHours(-24)} |   select Message,Id,TimeCreated

Можно опросить сразу несколько серверов/компьютеров и поискать на них определенные события. Список серверов можно получить из текстового файла:

$servers = Get-Content -Path C:psservers.txt

Или из Active Directory:

$servers = (Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"').Name
foreach ($server in $servers) {
Get-WinEvent -ComputerName $server -MaxEvents 5 -FilterHashtable @{
LogName = 'System'; ID= 1234
} | Select-Object -Property ID, MachineName
}

Здесь есть другой пример для поиска событий блокировки учетной записи пользователя на всех контроллерах домена:

$Username = 'a.ivanov'
Get-ADDomainController -fi * | select -exp hostname | % {
$GweParams = @{
‘Computername’ = $_
‘LogName’ = ‘Security’
‘FilterXPath’ = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Username']]"
}
$Events = Get-WinEvent @GweParams
$Events | foreach {$_.Computer + " " +$_.Properties[1].value + ' ' + $_.TimeCreated}
}

Logs are constantly recording what is going on on your computer. They can
provide help in tracking what happens with your machine or with troubleshooting.
Logs are kept about both actions by a person or by a running process.

In Windows, logs that are saved contain information about applications and the
operating system itself. Moreover, these logs are structured and human-readable.
For viewing the logs, Windows uses its Windows Event Viewer. This
application displays the event logs and allows the user to search, filter,
export, and analyze background info. In this article, you will learn how to use
the features provided with this program. In addition, this article will also
explore the Event Viewer’s interface and features. Finally, you will also learn
about other application that has their own event viewer built-in, and we will
talk about creating your own repeating tasks.

Prerequisites

• Windows 10 installed
• Administration privileges

Step 1 — Accessing Event Viewer

Event viewer is a standard component and can be accessed in several ways. The
easiest way is to type event viewer to the start menu. If you prefer using
command prompt, you can access it by running the eventvwr command.

Event viewer is also accessible through the control panels. Open the control
panels and list them all by viewing them like small or large icons. After that,
select the Administrative Tools and find Event Viewer in the folder.

The application is user-friendly and provides an intuitive interface. The main
screen is divided into three column sections:

• Navigation page
• Detail page
• Action page

You can also create your own section. We will explain how to do that later in
the tutorial.

Step 2 — Understanding Navigation Page

The navigation page, which is by default positioned on the very left, provides
you with an option to choose the event log to view. Five categories can be found
under Windows logs:

• System — Logs created by the operating system
• Application— Logged by an application hosted locally
• Setup — Logs created in the process of installing or changing the Windows
  installation
• Security — Logs related to logins, privileges, and other similar events
• Forwarded Events — Events forwarded by other computers

There is also a category for Applications and Services Logs, which contains
logs of the individual applications and Hardware Events. Logs from PowerShell
and other command lines will also be stored there.

Step 3 — Viewing Log Details On Detail Page

When in the default tab, this page displays the Overview and Summary. Select
some item from the previously mentioned navigation page to see more details.
There are several log levels:

• Information — Successful action
• Warning — Occurring of an event that might bring problems
• Error — Occurring of a significant problem
• Critical — Severe problem occurred

You can also see Audit successes and failures, which are associated with
security events.

Events are listed chronologically, starting with the latest event on the very
top. You can furthermore click on the columns to edit the order and groupings.

You can click on the event to view more detailed information:

You can learn more about an event by double-clicking it:

Here you can see the name of the log, source, and other information about the
log.

The following popup window also has two tabs, General and Details. The
first tab shows more information about the error as described above. The second
tab shows the raw event data. You can switch between Friendly View and XML
View.

Step 4 — Using Actions Page

The last page located by default on the right side is the Actions page,
which provides you quick access to the features available to you at the moment.
This page is divided into two parts, the first containing actions available for
the selected Navigation page. The second contains actions available to the
selected event itself.

Various options are available:

Filtering Current Log

Allows you to set criteria for events to be displayed on the Details page.

Clearing Log Events

You can choose this option if the list becomes too large. This will delete all
events stored in the current log. You can check the total number of events by
going to the top directory in the navigation page:

Exporting Log Events

You can click on the Save All Events Asor Save All Events in Custom View As
to export all of the selected events into the special event file with the
.EVTX extension.

Step 5 — Creating Custom Views

Event Viewer gives you the option to create a custom view. To do so, select the
Custom Views folder on the Navigation page and click Create Custom View
on the Actions page. You can, for example, create a custom view for all Windows
Azure events with log level error that occurred in the last 12 hours:

After saving, your new view will now show in the Navigation tab.

You can also export your Custom View. Select it in the Navigation Page and find
an option called Export Custom View on the Actions Page. Enter the name for
the new .XML file you are about to create, and it is done.

You can import the custom view to any other Event Viewer by selecting the option
Import Custom View.

Navigating Summary View

The summary view is the first thing you will come in contact with when opening
the Event Viewer. It is at the top of the Navigation panel.

It includes:

• Overview
• Summary of Administrative Events — displays data and totals related to the
  Event Viewer for the past week.
• Recently Viewed Nodes — history of the viewed nodes filtered
  chronologically while the most recent is at the top. You can double-click on
  the node to open the location.
• Log Summary — this section displays all of the major properties in each
  log file. Double-click to get more details like the events for the viewed log.

Step 6 — Finding Other Application Logs

There are other logs with their event logging:

• DNS Manager
• IIS Access
• Task Scheduler History
• Failover Cluster Manager
• Windows Component Service

DNS Manager

If you run Windows Server that is provisioned as a DNS server, the DNS manager
is available. This manager has its list of events. From there, the DNS manager’s
event viewer works in a similar fashion as the one packed with Windows.

IIS Access

The Internet Information Services logs include info about requested URIs and
statuses. These logs are written in the location specified in the IIS Manager.
By default, the location is:

%SystemDrive%\inetpub\logs\LogFiles

Task Scheduler Library

Task scheduler schedules many sorts of background tasks and applications. The
Task Scheduler Library is associated with it, and you can view it directly from
the application:

From the summary view, you can see the overview, task status, and active tasks.
In the task status, you can view all tasks started in some period.
Double-clicking on the task will give you more information.

In the section underneath, you can see all the active tasks that are currently
enabled and have not expired. Then, by double-clicking on the summary info about
the task, which includes the task name, next run time, triggers, and location,
you can again view more information.

Using this feature, you can display details about every single task and modify
it accordingly. The action page also slightly changes, and a new section for the
selected item is viewed. You can run, end, disable, delete or export information
about the task at your will.

From the action panel, you can also create your own task by selecting the option
Create Basic Task... or adding an existing one with Import Task... After
clicking the first opinion, you are presented with a task creator wizard to add
name, description, triggers, action, and finish statement to your custom task.

Failover Cluster Manager

This is a practical built-in application when running your Windows Server. This
service allows servers to work as a cluster. When one server’s hardware fails,
it is automatically detected and replaced by the other server. All network is
then re-routed to the working instance.

This application also has its local Event Viewer. Using this event viewer, you
can discover more in the events of your clusters failing or not working as
expected.

Windows Component Service

Another application is Windows Component Service Manager. It enables us to
configure DCOM applications on Windows. You can view its logs by clicking on the
local Event Viewer:

Conclusion

Windows and applications installed or associated with the operating system keep
records of various events. Understanding and finding these events can help you
if you are a system administrator, running your Windows server, or even just a
regular user.

Now you should know how to explore and use different methods to use these logs
to your advantage. In addition, you now know how to use the task scheduler and
create your own repeating tasks using it.

Is this article up to date?