In today’s edition of Geek School, we’re going to teach you how to use the Event Viewer to fix problems on your PC and understand what’s going on under the hood.
The biggest problem with the Event Viewer is that it can be confusing: there are a lot of warnings, errors, and informational messages, and without knowing what they all mean you may assume (incorrectly) that your computer is corrupted or infected when nothing is actually wrong.
In fact, tech support scammers use the Event Viewer as part of their sales pitch to convince confused users that their computer is infected with viruses. They walk you through filtering the view to show only critical errors, and then act surprised that all you can see are critical errors.
Learning how to use and understand the Event Viewer is an essential skill for figuring out what is going on with a PC and troubleshooting it.
Understanding the interface
When you first open the Event Viewer, you’ll notice that it uses a three-pane configuration like many other administrative tools on Windows, although in this case there are actually quite a few useful tools on the right side.
The left pane displays a folder view where you can find all the different event logs, as well as views that can be configured to show events from multiple logs at the same time. For example, the Administrative Events view in recent versions of Windows displays all Critical, Error, and Warning events, whether they originate from the Application log or the System log.
The middle pane displays a list of events, and when you click on one, the preview pane shows its details. You can also double-click any event to open it in a separate window, which is handy when you are browsing a large set of events and want to note all the important ones before you start searching the web.
The right pane gives you quick access to actions like creating custom views, filtering, or even creating scheduled tasks based on a specific event.
Of course, the events themselves are what we are trying to see, and their usefulness ranges from really specific and obvious things that you can fix easily to very vague messages that make no sense and for which Google turns up nothing. The fields shown for each event are:
- Log Name: while older versions of Windows wrote everything to the Application or System log, more recent releases have dozens or hundreds of different logs to choose from. Each component of Windows most likely has its own log.
- Source: the name of the software component that generated the event. The name is usually not the same as a file name, but it tells you which component raised the event.
- Event ID: the most important identifier, and also a slightly confusing one. If you Google "event id 122", the ID shown in the screenshot below, you will not get very useful results unless you also provide the Source or the application name, because each application can define its own set of event IDs.
- Level: how serious the event is. Information simply tells you that something changed, a component started, or an operation completed. Warning tells you that something might go wrong, but it is not a big deal yet. Error tells you that something happened that should not have, but it is not always the end of the world. Critical, on the other hand, means that something, somewhere, is broken, and the component that raised the event has probably crashed.
- User: whether a system account or your user account was running the process that logged the event. This can be useful when browsing.
- OpCode: in theory, the activity the application or component was performing when the event fired. In practice it almost always says "Info" and is rarely useful.
- Computer: on a home PC this is just the name of your computer, but in a corporate environment events can be forwarded from one computer or server to another, so this field tells you which machine the event actually came from. You can also connect the Event Viewer to another PC or server.
- Task Category: not always used, but when it is, it tells you a little more about what kind of event this is.
- Keywords: not normally used and usually of little help, with one exception worth knowing: in the Security log, Keywords is where "Audit Success" and "Audit Failure" are recorded, which is the field you filter on when you are looking for failed logons rather than successful ones.
Generally, you should search by the general description, by the event ID together with the source, or a combination of these.
Just remember that an event ID is only unique within an application, so the same number is reused all over the place. You can't just search for "Event ID 122" on its own; you will end up with a lot of nonsense.
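To see that reuse for yourself, here is an added PowerShell example (not from the original article) that pulls every recent event with a given ID from the System and Application logs and groups them by Source, printing the "Event ID + Source" string you should actually search for. It assumes an elevated PowerShell on Windows 7 or later; the default ID of 1000 is just a placeholder, so pass whatever ID you are researching.

```powershell
# Added example, not from the original article. Shows why an Event ID is only
# meaningful together with its Source: the same number is reused by unrelated
# providers, so we group recent events by provider for one ID.
# Assumes an elevated PowerShell on Windows 7 or later.

param(
    [int]$EventId = 1000,                           # placeholder: the ID you are researching
    [string[]]$LogName = @('System', 'Application'),
    [int]$MaxEvents = 2000                          # cap so a busy log does not take forever
)

# -FilterHashtable lets us filter server-side on log name and ID instead of
# pulling every event and filtering in PowerShell. SilentlyContinue turns the
# "no events found" error into an empty result.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events with ID $EventId in $($LogName -join ', ')."
    return
}

# ProviderName is what Event Viewer shows in the Source column. One ID, many sources.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Select-Object -First 1
        [pscustomobject]@{
            EventId     = $EventId
            Source      = $_.Name
            Count       = $_.Count
            LatestEvent = $latest.TimeCreated
            FirstLine   = ($latest.Message -split "`n")[0]
            # The query that will get useful hits: the ID plus the Source, never the ID alone.
            SearchFor   = "Event ID $EventId $($_.Name)"
        }
    } | Format-Table -AutoSize -Wrap
```

If the table comes back with more than one row, that is the ambiguity the text is warning about: the number alone would have sent you to forum posts about a completely different component.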
Important note: there will always be errors and warnings in the event log, and you cannot fix them all. The best use of the Event Viewer is to diagnose problems you already have, rather than to go looking for problems you don't know about yet.
And yes, you will need to use your Google skills to research events you don’t know about. There is no simple magic solution.
The first thing you might do when you see this dialog is click the "More Information" link... the problem is that, at the moment, it does you no good at all. You just end up on an error page on the Microsoft website.
The scary thing is that 8464 people rated that "page not found" page as helpful.
Remapping the Event Log Online Help link to something that actually works
For some reason the "More Information: Event Log Online Help" link just didn't work for us, but luckily there is a registry tweak that fixes the problem.
What we are going to do is change the redirect URL in the registry so that it points to Google. Because of the way the arguments are passed, we need to point it at an intermediate page that parses those arguments and builds the correct Google search URL.
For this article we hosted that page on our own server, and you are welcome to use it. If you don't want to use our server, the single line of PHP it runs is given at the end of this section.
To make this change, go to the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\EventViewer
Find the MicrosoftRedirectionURL value on the right side. Its default value is http://go.microsoft.com/fwlink/events.asp; replace it with this value instead:
https://www..com/eventid
Once you have made this change, clicking the link in the Event Properties window redirects you straight to Google with the relevant data (the event ID, the source, and the product name, which is usually "Microsoft Windows") already filled in as search terms.
How does it work? It is pretty simple: the Event Viewer appends a set of parameters to the URL from the registry as query string arguments. The script then extracts those arguments and forwards you to Google, passing them as search terms.
The redirect itself is one line of PHP. The version below is the same script, completed with its opening tag and with the arguments URL-encoded, so that whatever text arrives in the query string is treated as search terms rather than as part of the URL being built:
<?php
// Take the EvtID, EvtSrc and ProdName arguments Event Viewer appends and turn them into one Google search; urlencode keeps them inside the q= parameter.
header('Location: https://www.google.com/search?q=' . urlencode('Event ID ' . $_GET['EvtID'] . ' ' . $_GET['EvtSrc'] . ' ' . $_GET['ProdName']));
exit;
You can host the same thing on your own server if you like, or you can use the one on our server. You decide. Bear in mind that whatever page the registry points at receives the event ID, source, and product name from every machine configured this way, so if you would rather that data not leave your network, host the script yourself.
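If you would rather make the registry change from a script than from regedit, here is an added PowerShell example (not from the original article) that keeps a copy of the original value so the change can be undone, and previews the URL a click will produce. The redirect target is a placeholder you must replace with the address of the page you host, the backup value name is our own choice, and the preview uses only the three parameters the article describes (EvtID, EvtSrc, ProdName); run it from an elevated PowerShell, since the key is under HKLM.

```powershell
# Added example, not from the original article. Swaps the Event Viewer help
# link for your own redirect page, with a backup so it can be restored.
# Assumes an elevated PowerShell (HKLM needs admin rights).

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EventViewer'
$name   = 'MicrosoftRedirectionURL'
$backup = 'MicrosoftRedirectionURL.backup'        # assumed name for our saved copy
$newUrl = 'https://YOUR-SERVER.example/eventid'   # placeholder: the page you host

function Set-EventRedirectUrl {
    $current = (Get-ItemProperty -Path $key -Name $name).$name
    # Save the original only once, so re-running never overwrites the real default.
    if (-not (Get-ItemProperty -Path $key -Name $backup -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $key -Name $backup -Value $current -PropertyType String | Out-Null
    }
    Set-ItemProperty -Path $key -Name $name -Value $newUrl
    "Redirect now points at $newUrl (original saved in $backup)"
}

function Restore-EventRedirectUrl {
    $saved = (Get-ItemProperty -Path $key -Name $backup).$backup
    Set-ItemProperty -Path $key -Name $name -Value $saved
    Remove-ItemProperty -Path $key -Name $backup
    "Redirect restored to $saved"
}

# Preview of the link Event Viewer will open: the registry URL plus the
# arguments as a query string, the mechanism the article describes. Only the
# parameters the article names are modelled here.
function Get-EventRedirectPreview {
    param([int]$EvtID, [string]$EvtSrc, [string]$ProdName = 'Microsoft Windows')
    $pairs = foreach ($p in @(@('EvtID', $EvtID), @('EvtSrc', $EvtSrc), @('ProdName', $ProdName))) {
        '{0}={1}' -f $p[0], [uri]::EscapeDataString([string]$p[1])
    }
    "$newUrl`?$($pairs -join '&')"
}

Set-EventRedirectUrl
Get-EventRedirectPreview -EvtID 1000 -EvtSrc 'Application Error'
# To undo the change later: Restore-EventRedirectUrl
```

The preview function exists so you can check what your redirect page will receive before changing a single registry value; the encoded query string is what the PHP above has to parse, and it is also what will show up in your web server's access log for every click.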
Beware of internet sites offering "solutions" for event ID "problems"
There are a lot of websites that automatically generate a page for every event ID and then fill it with nonsense. That would be harmless, except that for many of these events there are not many other good results to be found.
These sites then offer to fix the problem if you simply download a piece of free analysis software. In every case this is advertising, and the "software solution" is a scam.
There is NO software package that can solve all event log problems.
Using Filters and Custom Views
Instead of browsing through the enormous folder tree of event logs and trying to find what you are looking for, you can create your own view that displays only the events you want to see.
For best results, filter only for the specific things you want to see, such as Critical, Error, and Warning, and then select the event logs you want included in that view. Don't choose too many logs: the view becomes slow and noisy, if it works at all.
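A custom view is stored by Event Viewer as an XML query, and the same query can be run from PowerShell. The following is an added example, not from the original article: it builds the Critical/Error/Warning filter over a deliberately small set of logs, limits it to a time window, and runs it with Get-WinEvent. The logs chosen and the 24-hour window are assumptions to adjust; the level numbers are Windows' own (1 = Critical, 2 = Error, 3 = Warning), and the XML shape is the one the Create Custom View dialog's XML tab accepts.

```powershell
# Added example, not from the original article. The filter a custom view
# applies, written as the XML query Event Viewer stores, and run with
# Get-WinEvent so it can be scripted. Level 1 = Critical, 2 = Error,
# 3 = Warning. Only a couple of logs are selected on purpose: a query over
# dozens of logs is slow and noisy, which is the article's point.

param(
    [string[]]$Logs = @('System', 'Application'),   # assumption: the two logs most people care about
    [int]$Hours = 24,                               # assumption: look back one day
    [int]$MaxEvents = 500
)

# timediff() in event XPath works in milliseconds since the event was created.
$window = $Hours * 60 * 60 * 1000

# One <Select> per log. Inside XML the "<=" operator must be written as &lt;=.
$selects = foreach ($log in $Logs) {
    "    <Select Path=`"$log`">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= $window]]]</Select>"
}

$queryXml = @"
<QueryList>
  <Query Id="0">
$($selects -join "`n")
  </Query>
</QueryList>
"@

# The same XML can be pasted into the XML tab of Create Custom View.
Get-WinEvent -FilterXml $queryXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Each row carries both the Id and the ProviderName, so the output is already in the form you want for searching: ID plus source, never the number alone. Adding a log to the view is one more entry in $Logs, and you will notice the run time grow with each one.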