Whether you’re a system admin, help desk technician, or just a curious user, Windows Event Viewer is one of the most powerful tools built into the Windows operating system. It allows you to view detailed logs of system events, track down errors, and audit activities that happen behind the scenes.
In this guide, we’ll walk through how to use Event Viewer to:
- Review login attempts
- Investigate software crashes
- Audit user and system actions
- Trace Blue Screen of Death (BSOD) errors
Let’s demystify what’s inside Event Viewer—and what you should be looking for.
What is Windows Event Viewer?
Windows Event Viewer is a Microsoft Management Console (MMC) application that lets you browse and manage logs of system events. These events are grouped into categories like:
- Application Logs: Info and errors from installed programs
- Security Logs: Login attempts, privilege use, audit trails
- System Logs: Driver issues, service failures, kernel messages
- Setup Logs: OS installation and update events
To open it:
Press Windows key + R, type eventvwr.msc, and hit Enter.
1. Tracking Login Attempts
Location: Windows Logs > Security
Event IDs to Watch:
- 4624 – Successful login
- 4625 – Failed login
- 4648 – Logon with explicit credentials
- 4634 – Logoff
- 4672 – Special privileges assigned (e.g., admin login)
These events can help you:
- Detect unauthorized login attempts
- Track when users log in and out
- Monitor use of privileged accounts
Example:
If you see a spike in Event ID 4625 (failed login), especially at odd hours, this may indicate a brute force attack or misconfigured service.
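The spike check described above, scripted in PowerShell as an added example (not code from the original article): it pulls Event ID 4625 from the Security log for the last 24 hours, counts failures per hour, and lists the most frequent source/target pairs. It assumes an elevated session on the host being examined; the hourly threshold is a constructed value to tune for your environment.

```powershell
# Added example (not from the original article): summarise failed logons (Event ID 4625)
# from the Security log over the last N hours and flag hours with an unusual count.
# Assumptions: elevated PowerShell on the host being examined; $Threshold is a
# constructed value, tune it for your environment.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20   # failed logons per hour that count as a spike (assumed value)
)

$since = (Get-Date).AddHours(-$Hours)

# Pull only 4625 events; -FilterHashtable is far faster than piping the whole log to Where-Object.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4625 events in the last $Hours hours."
    return
}

# Each 4625 event carries its details as named EventData fields; the XML view exposes them.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Hour       = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
        TargetUser = $data['TargetUserName']
        SourceIp   = $data['IpAddress']
        Status     = $data['Status']        # 0xC000006D = unknown user name or bad password
        SubStatus  = $data['SubStatus']     # 0xC000006A = bad password, 0xC0000064 = no such user
        LogonType  = $data['LogonType']     # 3 = network, 10 = Remote Desktop
    }
}

# Per-hour counts: a burst of failures in one hour, especially overnight, is the spike the article describes.
$rows | Group-Object Hour | Sort-Object Name | ForEach-Object {
    $flag = if ($_.Count -ge $Threshold) { '  <-- spike' } else { '' }
    '{0}  {1,5} failed logons{2}' -f $_.Name, $_.Count, $flag
}

# Who is being targeted and from where: one account failing repeatedly from one host is
# usually a misconfigured service or stale credential; many accounts from one source is not.
$rows | Group-Object SourceIp, TargetUser | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Run it on a domain controller as well as the affected workstation, since network logons are recorded where the authentication happened, not only where the user sat.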
2. Investigating Software Crashes
Location: Windows Logs > Application
Event IDs to Watch:
- 1000 – Application error
- 1001 – Application hang or Windows Error Reporting (WER)
- 1026 – .NET Runtime error
Look for the Faulting application name and faulting module to start diagnosing the cause.
Example:
If explorer.exe or outlook.exe appears repeatedly as the faulting application in these logs, it may point to corrupt user profiles, bad updates, or incompatible plugins.
3. Using Audit Trails for Security and Compliance
Location: Windows Logs > Security (with auditing enabled via Group Policy)
Event IDs to Watch:
- 4663 – Object access (file/folder read/write)
- 4719 – Audit policy changes
- 4720 – User account creation
- 4726 – User account deletion
Audit logs are useful for:
- Detecting insider threats
- Investigating suspicious file access
- Compliance with data handling policies (e.g., HIPAA, GDPR)
Tip: Use Group Policy Management Console (GPMC) to configure audit policies for file access, privilege use, and directory services.
4. Troubleshooting BSODs (Blue Screen of Death)
BSODs are recorded in both:
- Windows Logs > System
- Applications and Services Logs > Microsoft > Windows > Windows Error Reporting
What to Look For:
- Event ID 41 – Kernel power error (unexpected shutdown)
- Event ID 1001 – Bug check with code
- Event ID 6008 – Improper shutdown
How to Trace the Error:
- Find the BugCheckCode (e.g., 0x0000003B).
- Use tools like WinDbg or BlueScreenView to analyze the memory dump.
- Cross-reference with hardware logs (e.g., disk, driver, RAM) under System logs to find root causes.
Common BSOD Causes:
- Faulty drivers
- Failing hardware (RAM, storage)
- Malware or rootkits
- Overclocking/BIOS issues
Pro Tips for Navigating Event Viewer
- Use the “Filter Current Log” option to narrow results by Event ID or keyword.
- Set up Custom Views for recurring issues (e.g., failed logins, software crashes).
- Export logs in .evtx format to share or analyze on another system.
- Enable Event Subscriptions for remote monitoring across machines.