In today’s edition of Geek School, we’re going to teach you how to use the Event Viewer to fix problems on your PC and understand what’s going on under the hood.

NAVIGATION

  1. Using Task Scheduler to Run Processes Later
  2. Using the Event Viewer to Troubleshoot Issues
  3. Understanding Hard Drive Partitioning with Disk Management
  4. Learn to Use Registry Editor Like a Pro
  5. Monitoring Your PC with Resource Monitor and Task Manager
  6. Understanding the Advanced System Properties Panel
  7. Understanding and Managing Windows Services
  8. Using the Group Policy Editor to Customize Your PC
  9. Understanding Windows Administration Tools

The biggest problem with the Event Viewer is that it can be confusing — there are a lot of warnings, errors, and informational messages, and without knowing what it all means, you may assume (incorrectly) that your computer is corrupted or infected when there is nothing really wrong.

In fact, tech support scammers use the Event Viewer as part of their sales tactic to convince confused users that their computer is infected with viruses. They walk you through filtering for Critical errors only, and then act surprised that all you see are critical errors.

Learning how to use and understand the Event Viewer is an essential skill for figuring out what’s going on with the PC and troubleshooting.

Understanding the interface

When you first open the Event Viewer, you’ll notice that it uses a three-pane configuration like many other administrative tools on Windows, although in this case there are actually quite a few useful tools on the right side.

The left pane displays a folder view where you can find all the different event logs, as well as views that can be configured to show events from multiple logs at the same time. For example, the Administrative Events view in recent versions of Windows displays all Error, Warning, and Critical events, whether they originate from the Application log or the System log.

The middle pane displays a list of events, and when you click on one, the preview pane shows its details — or you can double-click on any of them to open it in a separate window, which can be handy when you are browsing a large set of events and want to find all the important ones before you start searching the web.

The right pane gives you quick access to actions like creating custom views, filtering, or even creating scheduled tasks based on a specific event.


Of course, the events themselves are what we’re trying to see, and their usefulness ranges from really specific and obvious things that you can fix easily, to very vague messages that don’t make any sense and for which you can’t find any information on Google. The fields shown for each event are:

  • Log Name is the name of the log the event was written to. While older versions of Windows wrote everything to the Application or System log, more recent releases have dozens or hundreds of different logs to choose from. Each Windows component will most likely have its own log.
  • Source is the name of the software that generated the event. The name is usually not the same as the filename, but it does indicate which component produced the event.
  • Event ID — the all-important Event ID can actually be a little confusing. If you were to Google for "event id 122", which you see in the following screenshot, you would not get very useful information unless you also included the Source or the application name. This is because each application can define its own unique event IDs.
  • Level — tells you how serious the event is. Information simply tells you that something has changed, a component has started, or something has completed. Warning tells you that something might go wrong, but it’s not that big of a deal yet. Error tells you that something happened that shouldn’t have happened, but it’s not always the end of the world. Critical, on the other hand, means that something, somewhere, is broken, and the component that raised the event has probably crashed.
  • User — indicates whether a system component or your user account was running the process that caused the event. This can be useful when browsing through events.
  • OpCode — theoretically tells you what activity the application or component was performing when the event was fired. In practice, however, it almost always says "Info" and is rather useless.
  • Computer — on your home computer this is usually just the name of your PC, but in the IT world you can forward events from one computer or server to another. You can also connect the Event Viewer to another PC or server.
  • Task Category — not always used, but it ends up being an informational field that tells you a little more about the event.
  • Keywords — not normally used, and usually contains useless information.

Generally, you should try to search by the general description, or by the event ID and source, or a combination of these.

Just remember that event IDs are unique only within each application. There are a lot of overlapping matches, so you can’t just search for "Event ID 122" or you will end up with a lot of nonsense.

Important note: there will always be errors and warnings in the event log, and you can’t fix them all. The most important thing is to use the Event Viewer to fix problems you already have instead of trying to find problems you don’t already know about.

And yes, you will need to use your Google skills to research events you don’t know about. There is no simple magic solution.


The one thing you could do immediately when you see this dialog box is click on the "More Information" link… the problem is that, at the moment, it doesn’t do you any good. You just end up on an error page on the Microsoft website.


The scary thing is that 8464 people rated the page not found as helpful.

Remapping the Event Web Search to Actually Work

For some reason, the "More Info: Event Log Online Help" link just didn’t work for us, but luckily there’s a great registry hack that can be used to fix the problem.

What we’re going to do is change the redirect URL in the registry to point to Google… except that, because of the way the arguments are passed, we’ll need to point it to an intermediate page that parses the arguments and builds the correct Google search URL.

For this article, we hosted the page on our own server and you are welcome to use it. If you do not wish to use our server, the single line of PHP code is provided at the end of this section.

To make this change, go to the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\EventViewer

Find the MicrosoftRedirectionURL value on the right-hand side, and then change its default value of http://go.microsoft.com/fwlink/events.asp to this value instead:

https://www..com/eventid


Once you have done this, clicking the link in the Event Properties window will immediately redirect you to Google with the relevant data already included (event ID, log name, and "application", which usually means "Microsoft Windows").


How does it work? It’s pretty simple — the Event Viewer appends a set of parameters as query-string arguments to the URL we put in the registry. The script then extracts those arguments and forwards you to Google, passing them as search terms.

Using a simple PHP script, this is what we came up with to handle the redirect. The Event Viewer passes the event ID, source, and product name as the EvtID, EvtSrc, and ProdName query-string arguments; the search terms are URL-encoded so that the Location header is valid:

<?php
header('Location: http://google.com/search?q=' . urlencode('Event ID ' . $_GET['EvtID'] . ' ' . $_GET['EvtSrc'] . ' ' . $_GET['ProdName']));

You can host the same thing on your own server if you like, or you can use the one that is on our server. You decide.

Beware of Websites Offering "Solutions" for Event ID "Problems"

There are a lot of websites out there that automatically generate a page for every event ID and then fill it with nonsense. That would be fine, except that for many of these events there aren’t many other good results.

These sites will then offer to solve the problem if you simply download a piece of free analysis software. In every case, this is an advertisement, and the "software solution" is a scam.

There is NO software package that can solve all event log problems.

Using Filters and Custom Views

Instead of browsing through the countless folders of event logs and trying to find everything you’re looking for, you can create your own view that displays only the events you want to see.

For the best results, you only need to filter for the specific things you want to see — such as Critical, Error, and Warning — and then select the event logs you want to view in that view. Don’t choose too many because it just won’t work.


Once you’ve chosen what you want in a view, you’ll be prompted to name the custom view, and then you can use it to see only the events you’ve filtered for. This is an incredibly useful way to deal with massive logs full of meaningless informational events.


Perhaps even easier, of course, is to simply use the built-in Administrative Events view, which displays important messages from each of the major logs.
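The custom view described above, written out as the XML that Event Viewer exports and imports, and then run from PowerShell with the same filter. This is an added example, not from the original article; it assumes a view named "Important events" that covers only the Application and System logs, and uses Get-WinEvent -FilterXml, which accepts the same QueryList element that Event Viewer stores.

```powershell
# Added example: the XPath query behind a custom view that shows only
# Critical (1), Error (2) and Warning (3) events from Application and System.
# It is the same kind of filter the built-in Administrative Events view uses,
# narrowed to two logs. Saved as a .xml file, Event Viewer can import it via
# Action -> Import Custom View. (View name and log choice are assumptions.)
$viewXml = @'
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>Application,System</Channel>
        <Level>1,2,3</Level>
        <RelativeTimeInfo>0</RelativeTimeInfo>
        <BySource>False</BySource>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>Important events</Name>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
'@

# Save the view so it can be imported on another PC.
$viewXml | Set-Content -Path "$env:USERPROFILE\ImportantEvents.xml" -Encoding UTF8

# Run the identical filter from PowerShell. Get-WinEvent takes only the
# <QueryList> element; the <ViewerConfig> wrapper is for Event Viewer itself.
$queryList = [xml]([xml]$viewXml).ViewerConfig.QueryConfig.QueryNode.QueryList.OuterXml
Get-WinEvent -FilterXml $queryList -MaxEvents 20 |
    Select-Object TimeCreated, LogName, LevelDisplayName, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap
```

Editing the Level list in the XPath (for example, dropping Level=3) is how you narrow the view further without recreating it in the GUI.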

Viewing the Windows Diagnostics-Performance Log

There are many interesting logs to look at as you troubleshoot, but one of the most interesting can be found by browsing the folders to the following location:

Microsoft\Windows\Diagnostics-Performance

This opens an event log that shows everything Windows logs internally to measure performance — if your computer boots slower than normal, Windows usually has a log entry for it and often lists the component that caused Windows to boot slower.
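Reading that same log from PowerShell, as an added example that is not part of the original article. It assumes the log's channel name is Microsoft-Windows-Diagnostics-Performance/Operational, that each boot is summarised as event ID 100 with a BootTime field in milliseconds, and that per-component slowdowns are event IDs 101 through 110 carrying Name, Path and DegradationTime fields; those identifiers are assumptions, not taken from the page.

```powershell
# Added example: pull the boot-performance records Windows keeps internally.
# Assumed (not from the article): channel name, event ID 100 = boot summary,
# 101-110 = a specific component slowed the boot. Needs an elevated prompt.
$log = 'Microsoft-Windows-Diagnostics-Performance/Operational'

# Helper: turn an event's <EventData> into a hashtable keyed by field name,
# so values can be read without string-parsing the rendered message.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

# Boot summaries: how long each recent boot took, in seconds. A Warning or
# Error level here is the "boots slower than normal" signal the text mentions.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 100 } -MaxEvents 10 |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Booted      = $_.TimeCreated
            Level       = $_.LevelDisplayName
            BootSeconds = [math]::Round([int]$d['BootTime'] / 1000, 1)
        }
    } | Format-Table -AutoSize

# Degradation events: which component was blamed for the slow boot, and by
# how much. Repeated entries for the same Path are the ones worth looking at.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 101..110 } -MaxEvents 20 |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            When         = $_.TimeCreated
            Id           = $_.Id
            Component    = $d['Name']
            Path         = $d['Path']
            DelaySeconds = [math]::Round([int]$d['DegradationTime'] / 1000, 1)
        }
    } | Format-Table -AutoSize
```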


It’s worth noting that just because a message shows an error doesn’t mean it’s the end of the world, unless it appears all the time. Then it’s worth looking into.

Fixing That Error From Earlier


Remember the event in the screenshot earlier in the article? If you get the "Access to drivers in Windows Update has been blocked by policy" error, the solution is really simple. Open the Control Panel, search for "driver", and select "Change device installation options".


In the following screenshot, you will notice that this particular computer is not configured to automatically download device drivers from Windows Update. To fix the issue and stop the message from showing up in the Event Viewer, all you need to do is toggle the switch to "Yes, do this automatically."


Nice and simple. Problem solved, warning message fixed.

Attaching tasks to events

If you paid attention in the last Geek School lesson, you may remember that you can create a Task Scheduler trigger by event ID — and you can do the same thing from the other direction. Right-click on any event and you can easily attach a scheduled task to run when that event occurs.


Other features you may need

The Event Viewer has several other features that you might be interested in. For most people, it’s important to just skim through the list and know what to look for.

Subscriptions, found in the left-hand menu, is a feature widely used in corporate environments to forward events from one server to another so that you can manage them all in one place. It requires the Windows Event Collector and Windows Remote Management services to be running. Home users shouldn’t touch this except to learn on a test system.


If you right-click on the items on the left side, you’ll see a ton of actions (the same ones you would normally find in the right pane).


You can save all the events in a log for viewing later or on another PC, and you can copy a view or export it as an XML file to import on another PC.
