# Event Viewer

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Event_Viewer
> Markdown URL: https://mediated.wiki/source/Event_Viewer.md
> Source: https://en.wikipedia.org/wiki/Event_Viewer
> Source revision: 1334096578
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Component of Microsoft's Windows NT operating system

*Event Viewer in Windows 10* (infobox)

- Developer: Microsoft
- Operating system: Microsoft Windows
- Service name: Windows Event Log (eventlog)
- Type: Utility software

**Event Viewer** is a component of [Microsoft](/source/Microsoft)'s [Windows NT](/source/Windows_NT) [operating system](/source/Operating_system) that lets administrators and users view the [event logs](/source/Computer_data_logging), typically file extensions .evt and .evtx, on a local or remote machine. [Applications](/source/Application_software) and operating-system components can use this centralized log service to report events that have taken place, such as a failure to start a component or to complete an action. In [Windows Vista](/source/Windows_Vista), Microsoft overhauled the event system.[1]

Due to the Event Viewer's routine reporting of minor start-up and processing errors (which do not, in fact, harm or damage the computer), the software is frequently used by [technical support scammers](/source/Technical_support_scam) to trick the victim into thinking that their computer contains critical errors requiring immediate technical support.[2] An example is the "Administrative Events" field under "Custom Views" which can have over a thousand errors or warnings logged over a month's time.

## Overview

Windows NT has featured event logs since its release in 1993.

The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's [authentication](/source/Authentication) fails, the system may generate Event ID 672.

[Windows NT 4.0](/source/Windows_NT_4.0) added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.

[Windows 2000](/source/Windows_2000) added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log-files. Windows 2000 also replaced NT4's Event Viewer with a [Microsoft Management Console](/source/Microsoft_Management_Console) (MMC) [snap-in](/source/Snap-ins).

[Windows Server 2003](/source/Windows_Server_2003) added the AuthzInstallSecurityEventSource() API calls so that applications could register with the security-event logs, and write security-audit entries.[3]

Versions of Windows based on the Windows NT 6.0 kernel ([Windows Vista](/source/Windows_Vista) and [Windows Server 2008](/source/Windows_Server_2008)) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the system opened on-disk files as [memory-mapped files](/source/Memory-mapped_file) in kernel memory space, which used the same memory pools as other kernel components.

Event Viewer log files with the [filename extension](/source/Filename_extension) `.evtx` typically reside in a directory such as `C:\Windows\System32\winevt\Logs\`.

## Command-line interface

*eventquery.vbs, eventcreate, eventtriggers* (infobox)

- Developer: Microsoft
- Release: October 25, 2001
- Operating system: Microsoft Windows
- Type: Command
- License: Proprietary commercial software
- Website: docs.microsoft.com/en-us/windows-server/administration/windows-commands/eventcreate

[Windows XP](/source/Windows_XP) introduced a set of three [command-line interface](/source/Command-line_interface) tools, useful to task automation:

- eventquery.vbs – Official script to query, filter and output results based on the event logs.[4] Discontinued after XP.

- eventcreate – a command (continued in Vista and 7) to put custom events in the logs.[5]

- eventtriggers – a command to create event-driven tasks.[6] Discontinued after XP, replaced by the "Attach task to this event" feature: from within the list of events, right-click a single event and select the option from the pop-up menu.
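As an added example (not part of the Wikipedia article), the following PowerShell session writes a custom test event with `eventcreate` and reads it back with `Get-WinEvent`. The source name `ContosoBackup` and the message text are made up; run it from an elevated prompt, since registering a new source under the Application log needs administrator rights.

```powershell
# Added example, not from the article: write a custom event with eventcreate
# and read it back. "ContosoBackup" is an assumed, made-up source name.

$source = 'ContosoBackup'   # assumed custom event source name

# eventcreate accepts IDs 1-1000 and the types ERROR, WARNING, INFORMATION,
# SUCCESSAUDIT and FAILUREAUDIT. /L picks the log, /SO names the source.
eventcreate /L APPLICATION /SO $source /T WARNING /ID 100 `
    /D "Nightly backup finished with 3 skipped files (test event)"

# Read back the newest record from that source. The hashtable filter is
# evaluated by the Event Log service, so only matching records come back.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source } -MaxEvents 1
$ev | Format-List TimeCreated, Id, LevelDisplayName, ProviderName, Message

# The same record as the structured XML that Event Viewer shows on the Details tab.
$ev.ToXml()
```

Reading the record back through `ToXml()` is a quick way to confirm how a custom source's data ends up inside the `<EventData>` section before writing a filter for it.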

## Windows Vista

On Windows Vista, Event Viewer was rebuilt on a rewritten [event tracing and logging](/source/Tracing_(software)#Event_logging) architecture.[1] It is structured around an [XML](/source/XML) log format and a designated log type, allowing applications to log events more precisely and making the events easier for support technicians and developers to interpret.

The XML representation of the event can be viewed on the *Details* tab in an event's properties. It is also possible to view all potential events, their structures, registered *event publishers* and their configuration using the *wevtutil* utility, even before the events are fired.
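As an added example (not from the article), here is how to inspect a publisher's registered event definitions before any such event has been written, both with `wevtutil` and with the provider metadata object that `Get-WinEvent -ListProvider` returns. `Microsoft-Windows-Security-Auditing` is the real name of the Security log's publisher; the output path and the choice of event 4624 (successful logon) are illustrative.

```powershell
# Added example, not from the article: enumerate event publishers and dump
# one publisher's event definitions (templates) before those events fire.

$provider = 'Microsoft-Windows-Security-Auditing'

# List registered publishers, then export one publisher's metadata
# (channels, levels, keywords, event templates and message strings) as XML.
wevtutil ep | Select-String 'Security-Auditing'
wevtutil gp $provider /ge:true /gm:true /f:xml |
    Out-File "$env:TEMP\security-auditing-manifest.xml"   # assumed output path

# The same metadata through the .NET ProviderMetadata object.
$meta = Get-WinEvent -ListProvider $provider
$meta.LogLinks | Select-Object LogName                 # channels this publisher can write to

# Definition of one event: its XML template tells you which <Data Name="..."> fields
# a filter can reference, without waiting for a real logon to show up in the log.
$meta.Events |
    Where-Object { $_.Id -eq 4624 } |
    Select-Object Id, Version, Description, Template
```

The `Template` column is what makes the "before the events are fired" point practical: the `Data` element names it lists are exactly the names a custom view's XPath filter must use.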

There are a large number of different types of event logs including Administrative, Operational, Analytic, and Debug log types. Selecting the *Application Logs* node in the *Scope* pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs.

Analytic and Debug events which are high frequency are directly saved into a trace file while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service.

Events are published asynchronously to reduce the performance impact on the *event publishing* application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.

### Filtering using XPath 1.0

Users can filter event logs by one or more criteria or by a limited [XPath 1.0](/source/XPath_1.0) expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing logs related only to a certain subsystem or an issue with only a certain component, archiving select events and sending traces on the fly to support technicians.

Here are examples of simple custom filters for the new Windows Event Log:

**Task:** select all events in the Security event log where the account name involved (TargetUserName) is "JUser"

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="JUser"]]</Select>
  </Query>
</QueryList>
```

**Task:** select all events in the Security event log where any Data node of the EventData section is the string "JUser"

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data="JUser"]]</Select>
  </Query>
</QueryList>
```

**Task:** select all events in the Security event log where any Data node of the EventData section is "JUser" or "JDoe"

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data="JUser" or Data="JDoe"]]</Select>
  </Query>
</QueryList>
```

**Task:** select all events in the Security event log where any Data node of the EventData section is "JUser" and the Event ID is "4471"

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID="4471"]] and *[EventData[Data="JUser"]]</Select>
  </Query>
</QueryList>
```

**Task:** real-world example for a package called Goldmine, which has two provider @Names

```xml
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='GoldMine' or @Name='GMService']]]</Select>
  </Query>
</QueryList>
```

Caveats:

- There are [limitations](http://msdn.microsoft.com/en-us/library/dd996910%28VS.85%29.aspx#limitations) to Microsoft's implementation of XPath[7]

- Queries using [XPath string functions](/source/XPath_1.0#String_functions) will result in an error[8]
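As an added example (not from the article), the following PowerShell commands run the filters above from the command line, both as a `QueryList` document and as a bare XPath expression, and show how to work around the string-function caveat: narrow the query with what the event log's XPath subset does support (event ID, provider, the `timediff()` time helper), then do the substring test client-side on the parsed event. "JUser", "JDoe" and event ID 4471 are the article's sample values; nothing here modifies the log.

```powershell
# Added example, not from the article: run the article's XPath filters from
# PowerShell and wevtutil, and work around the string-function limitation.

# 1. Structured query: the same QueryList document an Event Viewer custom view stores.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="JUser"]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 2. The bare XPath expression, without the QueryList wrapper (same semantics).
Get-WinEvent -LogName Security -MaxEvents 20 -ErrorAction SilentlyContinue `
    -FilterXPath "*[System[EventID=4471]] and *[EventData[Data='JUser']]" |
    Select-Object TimeCreated, Id, Message

# 3. The console tool does the same; /f:text renders messages, /c caps the count.
wevtutil qe Security /q:"*[EventData[Data='JUser' or Data='JDoe']]" /f:text /c:20

# 4. Caveat: contains(), starts-with() and the other XPath string functions are not
#    part of the event log's XPath subset, so a query like
#       *[EventData[Data[contains(., "JUser")]]]
#    is rejected. timediff() (milliseconds relative to now) and position() are
#    supported, so filter by ID and time window server-side and match the
#    substring client-side on the parsed XML.
$xpath = "*[System[EventID=4471 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object {
        $x = [xml]$_.ToXml()
        # Ignore the event namespace and look at every <Data> value.
        $values = $x.SelectNodes("//*[local-name()='Data']") | ForEach-Object InnerText
        ($values | Where-Object { $_ -like '*JUser*' }) -ne $null
    } |
    Select-Object TimeCreated, Id, Message
```

The split in step 4 keeps the expensive part (scanning the log) on the Event Log service, where the supported predicates run, and leaves only the unsupported string test to PowerShell on the much smaller result set.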

### Event subscribers

Major *event subscribers* include the Event Collector service and [Task Scheduler](/source/Task_Scheduler) 2.0. The Event Collector service can automatically forward event logs to other remote systems, running [Windows Vista](/source/Windows_Vista), [Windows Server 2008](/source/Windows_Server_2008) or [Windows Server 2003 R2](/source/Windows_Server_2003#Windows_Server_2003_R2) on a configurable schedule. Event logs can also be remotely viewed from other computers or multiple event logs can be centrally logged and monitored without an agent and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned [Task Scheduler](/source/Task_Scheduler) and trigger automated actions when particular events take place.
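As an added example (not from the article), this PowerShell snippet registers a task that Task Scheduler runs when a matching event is written, which is the scripted equivalent of Event Viewer's "Attach task to this event". The task name, the handler script path and the reuse of the article's "JUser" filter are illustrative assumptions.

```powershell
# Added example, not from the article: subscribe a Task Scheduler task to an
# event query from the command line. Task name and script path are made up.

$taskName = 'Notify-JUser-SecurityEvent'                             # assumed task name
$action   = 'powershell.exe -NoProfile -File C:\Ops\notify-soc.ps1'   # assumed handler script

# /SC ONEVENT fires the task when the XPath query given in /MO matches a new
# event in the channel named by /EC. The query is the article's sample filter.
schtasks /Create /TN $taskName /TR $action /SC ONEVENT /EC Security `
    /MO "*[System[EventID=4471]] and *[EventData[Data='JUser']]" /RU SYSTEM /F

# Review what was registered: the query is stored inside the task's <EventTrigger>.
schtasks /Query /TN $taskName /XML
```

Reviewing the exported XML is worth the extra step, since the trigger's query is the only place the subscription's filter lives once the task exists.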

## See also

- [Common Log File System](/source/Common_Log_File_System) (CLFS)

- [List of Microsoft Windows components](/source/List_of_Microsoft_Windows_components)

- [Microsoft Management Console](/source/Microsoft_Management_Console)

- [Technical support scam](/source/Technical_support_scam)

## References

1. ^ [***a***](#cite_ref-Eventlog_1-0) [***b***](#cite_ref-Eventlog_1-1) ["New tools for Event Management in Windows Vista"](http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement/). *[TechNet](/source/Microsoft_TechNet)*. [Microsoft](/source/Microsoft). November 2006.

1. **[^](#cite_ref-2)** Anderson, Nate (October 4, 2012). [""I am calling you from Windows": A tech support scammer dials Ars Technica"](https://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from-windows-a-tech-support-scammer-dials-ars-technica/). *Ars Technica*.

1. **[^](#cite_ref-3)** ["AuthzInstallSecurityEventSource Function"](http://msdn2.microsoft.com/en-us/library/Aa376314.aspx). *[MSDN](/source/MSDN)*. [Microsoft](/source/Microsoft). Retrieved October 5, 2007.

1. **[^](#cite_ref-4)** Meyer, Tara (Aquent LLC). ["Eventquery.vbs"](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb490900(v%3dtechnet.10)). *docs.microsoft.com*.

1. **[^](#cite_ref-5)** Meyer, Tara (Aquent LLC). ["Eventcreate"](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb490899(v%3dtechnet.10)). *docs.microsoft.com*.

1. **[^](#cite_ref-6)** Meyer, Tara (Aquent LLC). ["Eventtriggers"](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb490901(v%3dtechnet.10)). *docs.microsoft.com*.

1. **[^](#cite_ref-7)** ["Microsoft's Implementation and Limitations of XPath 1.0 in Windows Event Log"](http://msdn.microsoft.com/en-us/library/dd996910%28VS.85%29.aspx#limitations). *[MSDN](/source/MSDN)*. [Microsoft](/source/Microsoft). Retrieved August 7, 2009.

1. **[^](#cite_ref-8)** ["Powershell script to filter events using an Xpath query"](http://www.open-a-socket.com/index.php/2009/04/). Retrieved September 20, 2011.

## External links

Wikibooks has a book on the topic of: ***[Guide to Windows Commands](https://en.wikibooks.org/wiki/Guide_to_Windows_Commands)***

- Official sources:
  - [Event Viewer - Inside Show](https://learn.microsoft.com/en-us/shows/inside/event-viewer) on [Microsoft Learn](https://learn.microsoft.com)
  - [Events and Errors](https://technet.microsoft.com/en-us/library/cc754424.aspx) (Windows Server 2008) on [Microsoft Learn](https://learn.microsoft.com)


---
Adapted from the Wikipedia article [Event Viewer](https://en.wikipedia.org/wiki/Event_Viewer) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Event_Viewer?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
