What is the Windows Event Viewer
The Event Viewer ( Event Viewer ) is one of the tools of administration of Windows and is present on all computers running Windows 8 / 8.1, Windows 7 and Vista Vindows.
Your use of the Windows Event viewer is essential to monitor the overall integrity of the system because it provides detailed information on all events that occur on your computer.
An event is a phenomenon that happens inside the system and is communicated to the outside, or you or other programs, and usually corresponds to a state or a configuration change.
The Windows Event viewer comes to help in the analysis of a problem because it records and displays hardware and software faults of different nature (the failure to initiate a service, a system crash, an inability to install an update, the damage in the structure of the file system, an IP address conflict). The Windows Event Viewer is a tool that manages different types of records, divided into two main categories: Windows Logs and Applications and Services logs.
The Registrar of the Windows Event Viewer
The Windows Logs store events that apply to the entire system. They are divided into the following categories:
The log application contains events related to programs and applications categorized according to their severity:
• Error : Indicates a critical issue.
• Warning : Indicates an event that could cause a problem in the future.
• Information: describes the correct execution of a driver, program or service. Security (called Protection in Windows Vista) In the register Security contains audit events related to attempts to log on to Windows by a user and the use of resources (create, open, delete files ). Installation (named Setup in Windows Vista) in the log Installation contains events related to the installation of applications. System In log system contains events that are logged by system components of Windows. Even in this register events are classified as Error, Warning, or Information. Events forwardedIn Register Events forwarded contains the events collected from remote computers.
“Applications and Services”
The Applications and Services Logs contain records of the running programs and services specific to Windows.
How to start the Windows Event Viewer
To start the Windows Event Viewer on the computer keyboard press the buttons Windows (is the key with the Windows logo) and R simultaneously.
This opens the Run .
In the Open: we type eventvwr and we click on OK .
(If you opens the Account Control user do click Continue .)
This will open the Event Viewer . We zoom the window to full screen.
In the left pane of the event viewer we click on the arrow next to the category of records that we want to analyze.
We click on the register that interests us.
In the middle pane identify the event that we want to analyze.
We click on ‘ event to get the description of the event and its most common properties (visible tab General ), or do we double-click the event to open the dialog box Properties event.
The Event Properties window
In the dialog box Properties event we can select the General tab and the card details.
The tab General contains the following information:
Log Name : indicates the name of the log that has filed the event
Source : indicates the origin of the event. May indicate the name of a program, a system component, or a large program.
Event ID : is a number that uniquely identifies the type of event. For example, the number 6005 is the event ID that will always indicate the start of the Event Log.
Level : Indicates the severity level of the event. In the registry system and registry Application we have the following severity levels (represented by a symbol): • Information : indicates the success of a business, modification of an application, the creation of a resource or a service is started.
• Warning : Indicates an event that could cause a problem in the future if you do not undertake any corrective action.
• Error : Indicates an event that describes a problem that may affect the correct functioning of the system or application that triggered the ‘ event. Error events may include the loss of data or functionality.
• Critical : Indicates an error that does not allow the automatic reset of the system or application that triggered the event.
User : indicates the name of the user connected when it is the event occurred.
Opcode : is a numeric value of 1 byte that identifies the activity or the point within an activity performed by the application when the event occurred. It is used to represent an action or a part of a specific action performed by the software but also to processes based on activity traces, such as Web services in which the activity is a specific request received by the Web service. There are a few defaults, the most common are 1 Start 2 and Stop .
Joined : indicates the date and time at which the event was recorded.
Task Category : is a classification of the event based on the source of the event (mainly used in the register Security ).
Keywords : indicates a category or tag useful to filter or search on the events.
Computer : The name of the computer where the event occurred. It is usually the name of the local computer, but it could be the name of a computer that forwarded the event or the name of the local computer before its name was changed.
Selecting the card details will be displayed more information about the event.
The information is divided into two sections (extendable by clicking the + ): System : contains general information common to every instance of the event, such as some system parameters recorded when ‘instance was published.EventData : contains structured information of the application.
EventID and Version : each event is uniquely identified, based on the combination of the relative EventID (a 2-byte number) and Version (a number of 1 byte). Events of the same event provider that share EventID and Version have an identical structure. Level : is a value that indicates the severity of the event. The default values are as follows: 1 CriticalError 2 3 Warning 4 Information 5 Detailed values are customizable up to a maximum of 255 (higher numbers correspond to more detailed events). Task : identifies a general area of the functionality of the provider events (press, network or user interface) but it can also refer to a subcomponent of the program. It is mainly used for the events of the security check. Keywords : is a mask with 56 flags that can be set by the program to facilitate the grouping of similar events.
How to obtain additional information on events
If we want to obtain additional information to that provided by the Windows Event Viewer, we can visit in EventID.net .
EventID.net provides a database work in progress containing thousands of events with comments or articles provided by the engineers of the site but also by external collaborators.
The search can be done by typing l ‘ Event ID , the ‘ Origin or one or more keywords .
How to create a custom view of the events
Let’s see how to use the Windows Event Viewer to create a custom view of the events.
Custom views allow you to filter events by specifying the rules that are used to determine which log events we see and what we want to keep hidden.
This way we can choose for example, to see only the events with standard error or warning from the registry system, ignoring all others.
To create a custom view we start the Windows Event Viewer
On the menu we click on Action .
We click Create Custom View …
In the dialog box Create custom view we will have the following filters:
Registered : (called Access in Windows Vista): allows you to filter events by day or by the hour in which they occurred.
Event Level : Filter events by severity level.
To register : allows you to filter events based on the log type.
To origin : allows you to filter events by source.
<All Event IDs> : in this box we can enter the ID of the events that we want to see. For example, if we choose an interval ID events from 7000 to 7020 inclusive, we must enter 7000-7020 . If we want the filter to display all events except for some ID, we type IDs exceptions preceded by the sign – . For example, to include all IDs between 7000 and 7020 except for 7002, we type 7000-7020, -7002 .
Task Category : Allows you to filter events based on categories of activities that we choose from the dropdown list .
Keywords : allows you to filter events by keywords we choose from the dropdown list. User : This box can type the name of the user accounts that we wish to see. We can enter multiple users separated by a comma ( , ).
Computer : This box can type the name of the computer you wish to view. We can enter multiple computers separated by a comma ( , ).
I click OK .
This will open the dialog box Save filter in a custom view .
In name we type the name for the custom display that we have created.
We select the folder where you want to store the custom view.
Finally we can decide whether to make the custom view available to all users of the computer or only to users connected to the current account (in this case uncheck the checkbox All users ).
I click OK .
In the left pane we click on the arrow next to the item Custom Views to access the custom view that we created.
Custom views can be exported to a file with the extension .xml. clicking Export custom view … in the menu Actions in the left pane.
How to perform a task in response to a specific event
The Windows Event Viewer provides the ability to configure a task (such as the start of a program) to run automatically each time you record a specific event.
To use this feature we start the event viewer
In the left pane, select the log that contains the event you want to associate with an activity.
We click with the right mouse button on the event and select Associate activity event …
This will open the dialog box Task Wizard base .
We follow the procedure to create a basic activity.