- Windows Event Viewer is one of the most underrated tools that can help you diagnose and troubleshoot your Windows computer.
- Windows Event Viewer is a journal where actions are logged by the operating system.
- Learn how to use the Event Viewer logs to troubleshoot and fix software and hardware problems in Windows.
A lot of computer problems don’t result in an obvious error message that you can quickly research in your favorite search engine. If your PC is misbehaving without giving you hints about what’s going on, it’s really difficult to troubleshoot and fix the root cause of the problem.
It’s time to dig deeper. There’s no better utility than Windows Event Viewer that I can think of. Let’s get started.
What is Windows Event Viewer?
Most Windows services and programs will periodically add various bits of information to the Windows log. Think of it like a journal. The event log can be easily accessed, filtered, and read using the Windows Event Viewer system utility.
Event Viewer comes preinstalled with Windows and can easily be used by a non-technical person. Windows Event Viewer is a very powerful tool for troubleshooting Windows systems.
The Type of Information Stored in Windows Event Logs
Windows Event Viewer doesn’t include only critical error logs, but also other types of information added by (1) installed applications, (2) security services, or the (3) system itself.
Event logs have various event levels of importance associated with them, depending on the log content and the event that triggered that event:
Each event log includes info about its source, the app, program, or service that initiated the event, the user and computer associated with the event, an event ID, keywords for easy filtering, an event timestamp, and a text description of what actually happened.
The event description may be human-readable, but don’t expect a eureka moment after reading it. Googling the contents will still be the best option for a successful fix of your problem.
How to Open Windows Event Viewer
Let’s see some of the quickest ways to open the Windows Event Viewer utility:
This is how I launch most things in Windows: I search for them in the Start Menu.
- Click on the Start menu or press the Win key.
- Type Event viewer to search for the small utility.
- Click on the first result to open.
Another quick method involves the hidden menu behind the Start menu button. It’s not a mystery that most things in Windows can be right-clicked to reveal a contextual menu, but the WinX menu is a pretty new addition so most folks don’t know about it.
- Right-click on the Start menu button or press the Win + X keyboard shortcut, hence the WinX menu.
- Left-click the Event Viewer entry.
Open Event Viewer with a Run Command
If you’re used to the Run dialog box, here’s what you have to do to open Event Viewer with a Run command.
- Press the Win + R keyboard shortcut that opens the Run dialog menu.
- Type eventvwr, then press Enter to open Windows Event Viewer.
Open Windows Event Viewer from CMD (Command Prompt)
The same command works with the Command Prompt, PowerShell, and Windows Terminal:
- Open the Start menu with the Win key.
- Search for either Command Prompt, PowerShell, or Windows Terminal and open the first result.
- In the command line interface type eventvwr, followed by Enter to execute the command that will open the Windows Event Viewer.
How to Use the Event Viewer Logs
Now that we’ve seen what Event Viewer is and what it does, let’s discuss the program interface and how you can use it to your advantage. Don’t worry, because it’s pretty intuitive.
Each time you open the app you’ll see something like this: a summary of the logged events in the center column, a navigation tree on the left, and a set of actions on the right.
You’ll use the (1) left-side menu to navigate to a category of events. By default these are grouped into four categories:
- Custom views – events filtered by you based on specific criteria. You’ll see later in the article how to add your custom views to the already present Administrative Events custom view.
- Windows Logs – entries added by Windows, grouped in Application, Security, Setup, System, and Forwarded Events.
- Application and Service Logs – logs from various installed programs.
- Subscriptions – if you’ve configured your PC to collect events from other computers here’s where the logs show up.
- Saved logs – this section will only show up after you’ve imported a log file exported with Event Viewer on the same machine or on another Windows PC.
After you navigate to a section in the left-side menu, the middle column will refresh and show (2) a list of events sorted by Date and Time and (3) details for the currently selected event from the list before.
The right panel includes actions that are also available if you right-click on an event folder or event entry.
Double-clicking on an event will open its details in a separate popup with two tabs: General and Details.
How to Search the Event Viewer Logs
I have over 20.000 events logged in only 7 days. As you can imagine, it can be difficult to look for a specific event if you can’t search or filter the list of events.
Fortunately, that’s easy to do in Windows Event Viewer after you’ve selected a category of events from the left side tree.
Let’s try to look for memory related events in the Windows Logs > System section, just for fun.
1. Right-click on the current event folder and select Find… to open the search dialog.
2. A very simple Find dialog window will show up with a text field. Write down your search term and press Find Next.
3. If no events are found for your search query you’ll see this message. It will remind you that the log search goes from the currently selected event in the list to the last element in the list, sorted by date and time. So, if you wish to search the entire list always select the first event before clicking on Find next.
4. If an event is found with your search term matching any of its contents the event will be highlighted automatically and its details will show up in the bottom part of the middle column.
If this is not what you were looking for, click on Find next to look for the next matching event. There’s no way to know beforehand how many results your search returns since there’s no counter.
How to Filter the Current Log in Event Viewer
Another powerful feature is the ability to apply a filter to every event category. This filter will reset automatically after you close the Event Viewer app, as a precautionary measure.
1. Select the desired event category from the left-side menu.
2. Right-click on the folder name and select the Filter Current Log… option.
3. A popup window will show up. Here you can:
- Apply a time range for the event filter, ranging from the last hour to the last 30 days plus the option for a custom range.
- Select an event level, based on importance.
- Select an event source.
- Select a specific Event ID or range of IDs.
- Select keywords
- Select the users linked to the event.
- Select the computer linked to the event.
4. To reset the filter either close the Event Viewer or right-click the folder again and select the Clear filter option.
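The Find and Filter Current Log steps above can also be run from PowerShell, which searches the whole log at once and gives the match count the Find dialog lacks. This is an added example, not part of the original article; `Find-LogEvent` is a hypothetical helper name, and the default log, time range and search term are only sample values.

```powershell
# Added example: a scripted version of Find and Filter Current Log.
# Find-LogEvent is a hypothetical helper name, not a built-in cmdlet.
function Find-LogEvent {
    param(
        [string]   $LogName = 'System',
        [int[]]    $Level   = @(1, 2, 3),            # 1 = Critical, 2 = Error, 3 = Warning
        [datetime] $Since   = (Get-Date).AddDays(-7),
        [string]   $Pattern = 'memory',              # same role as the Find dialog text
        [int[]]    $EventId                          # optional, like the Event ID box
    )

    # The hashtable keys mirror the fields of the Filter Current Log dialog.
    $filter = @{ LogName = $LogName; Level = $Level; StartTime = $Since }
    if ($EventId) { $filter.Id = $EventId }

    # Get-WinEvent raises an error when nothing matches; treat that as "no results".
    # Reading the Security log requires an elevated session.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Literal text search over the rendered message of every filtered event,
    # not only from the currently selected event downwards.
    $events | Where-Object { $_.Message -match [regex]::Escape($Pattern) }
}

$hits = @(Find-LogEvent -LogName 'System' -Pattern 'memory')
"{0} matching events" -f $hits.Count

# Which sources and event IDs account for the matches
$hits | Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Newest matches with the columns shown in the Event Viewer list
$hits | Select-Object TimeCreated, LevelDisplayName, ProviderName, Id -First 20
```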
How to Create a Custom View in Windows Event Viewer
A more permanent solution is to create custom views. These will show up in the Custom Views folder even after the Windows Event Viewer app is restarted.
1. Right-click on the Custom Views folder and select the Create Custom View… option.
2. This looks a lot like the event filter window because it’s almost identical. The only new option is the ability to select an event log category.
After you’ve selected all required filters click OK.
3. If you select too many options you’ll see a warning. On a decently powerful computer, you won’t have any performance issues. Maybe the Event Viewer will slow down on older PCs. Click Yes to proceed or No to tweak settings again and reduce the strain on your system resources.
4. Give the View a Name and Description and, optionally, create a new folder under Custom Views, if you plan on creating a lot of views and you want to organize them nicely.
How to Clear Event Viewer Log History
I’ve never had to clear the Event Viewer log on any of my PCs, but in case you feel like this will solve anything there’s a quick way to delete logs from any event category.
1. Select the desired event log folder from the left side tree menu.
2. Right-click on the folder name and select the Clear Log… option.
3. You will be presented with the option to export the logs to a file in a folder of your choosing using the, you’ve guessed right, EVTX format. The export is followed by a cleanup of the Event Viewer log, or you can choose to simply Clear everything.
The event list can be then easily imported to the Event Viewer on the same PC or on another computer by using the actions column on the right side of the interface or the event list contextual menu.
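Clearing a log is itself recorded: event ID 104 in the System log (source Microsoft-Windows-Eventlog) for most logs, and event ID 1102 in the Security log when the Security log is cleared. The script below is an added example, not part of the original article, that lists those records; the `LogFileCleared` field names it reads from the event XML are an assumption about the usual layout of these two events.

```powershell
# Added example: list "log cleared" records so a clear never goes unnoticed.
$queries = @(
    @{ LogName = 'System';   Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog' },
    @{ LogName = 'Security'; Id = 1102 }   # reading Security needs an elevated session
)

$cleared = foreach ($q in $queries) {
    # No match (or no access to the Security log) raises an error; skip it quietly.
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: both events carry a UserData/LogFileCleared element.
            $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                # Event 104 names the cleared log in Channel; 1102 is always Security.
                ClearedLog = if ($data.Channel) { $data.Channel } else { $_.LogName }
                ClearedBy  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                BackupPath = $data.BackupPath   # empty when cleared without saving
            }
        }
}

$cleared | Sort-Object Time -Descending | Format-Table -AutoSize
```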
How to Export Windows Event Viewer Logs to a File
It’s interesting that you can export Event Viewer events to a file that you can open on the same PC where it was saved or on another computer. This way you can send the file to someone else for troubleshooting purposes, for example, if you feel like you can’t figure out what’s going on.
Windows Event Viewer exports logs in EVTX extension format. Here’s how it’s done:
1. Select the desired event folder from the left-side menu.
2. Right-click on the folder and select the Save All Events As… option.
3. Select a file name and a place to store the exported logs.
4. A warning window will appear, asking you to select display information for multiple languages. This way if you try to view the file on a computer with different installed Windows languages there won’t be any display issues.
In my case, I could only choose between the two languages I have already installed on my machine: English and Romanian.
The export is almost instantaneous, even for thousands of events.
How to View Logs from an EVTX Event Viewer Log File
Now, what if you want to view the log file? While researching this article I tried to look for an Import button. Thankfully the procedure is way easier:
1. Open File Explorer by pressing Win + E.
2. Navigate to the folder where you saved the Event Viewer export file.
3. Double-click on the file with the EVTX extension.
4. Event Viewer will start automatically and a new folder will appear, called Saved Logs. Inside you’ll find a subfolder with the same name as the export filename, minus the extension.
You can browse the folder just like the other default ones.
These imported events are kept even after you’ve closed the Event Viewer. If you don’t need them anymore, all you have to do is right-click on any imported subfolder and select the Delete option.
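The export and view procedures above have command-line counterparts: `wevtutil epl` writes a log to an EVTX file and `Get-WinEvent -Path` reads it back without importing it into Saved Logs. This is an added example, not part of the original article; the output folder is a constructed placeholder, and the SHA-256 hash is included so whoever receives the file can confirm it arrived unchanged.

```powershell
# Added example: export a log to EVTX and read it back without the GUI.
# The output folder below is a constructed placeholder; change it as needed.
$log  = 'System'
$dir  = Join-Path $env:USERPROFILE 'Documents\EventExports'
$file = Join-Path $dir ("{0}-{1:yyyyMMdd-HHmmss}.evtx" -f $log, (Get-Date))

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# wevtutil epl = "export-log", the command-line counterpart of Save All Events As...
wevtutil epl $log $file
if ($LASTEXITCODE -ne 0) { throw "Export of $log failed (exit code $LASTEXITCODE)" }

# Hash to send along with the file.
$hash = Get-FileHash -Path $file -Algorithm SHA256

# Read the saved file directly; events come back newest first.
$saved = @(Get-WinEvent -Path $file)

[pscustomobject]@{
    File   = $file
    SHA256 = $hash.Hash
    Events = $saved.Count
    Oldest = ($saved | Select-Object -Last 1).TimeCreated
    Newest = ($saved | Select-Object -First 1).TimeCreated
}

# Critical and Error events from the saved file (Path replaces LogName in the filter).
Get-WinEvent -FilterHashtable @{ Path = $file; Level = 1, 2 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message -First 20
```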
Critical and Error Level Logs in Event Viewer are Not Always Bad
There’s an unwritten rule that if your Windows machine works properly there’s no need to worry about the Event Viewer. Even if you see Critical and Error level events there’s a good chance you don’t need to panic.
I find that the Event Viewer comes in handy when my PC crashes or an app refuses to work and doesn’t show any error message I can use for troubleshooting purposes.
That’s when I dig into the Event Viewer logs trying to identify the root cause of the problems. Try it and you’d be surprised by how many times the Event Viewer can save you from hours of pulling your hair because you don’t know what is happening.
At the same time, don’t expect wonders. It’s possible the problem runs deeper than the Event Viewer logs can show. Anyway, this is just another tool at your disposal that you can use to fix your Windows computer.