Micron
10-04-2006, 11:55 PM
To start Event Viewer, do one of the following:
In Control Panel, choose Performance And Maintenance, Administrative Tools, Event Viewer.
At a command prompt, type eventvwr.msc.
You can also run Event Viewer by right-clicking My Computer and choosing Manage. The Computer Management console that appears includes the Event Viewer snap-in, along with a number of other administrative tools.
The image below shows an example of what you might see when you open Event Viewer. The console tree displays the names of the three event logs, allowing you to move from one log to another. The details pane presents a columnar view of the current log.
http://www.experiencewindows.co.uk/images/evnt1.jpg
The image shows all eight of Event Viewer’s columns. You can use the Add/Remove Columns command on the View menu to hide columns you don’t need or to change the order in which columns appear. By default, events are sorted chronologically, with the most recent at the top. You can change the sort order by clicking column headings.
Note that, while the details pane includes some useful information, it doesn’t provide many details about what events portend or why they occurred. You can get more of that information by inspecting the details for individual events. Here is a column-by-column rundown of what the details pane does display:
Type. As mentioned, events in the System and Application logs are of three types: Information, Warning, and Error. The icon at the left side of the Type column helps you spot the event types in which you’re interested.
Date and Time. The Event Log service records the date and time of each event’s occurrence in Greenwich mean time, and Event Viewer translates those Greenwich mean time values into dates and times appropriate for your own time zone.
Source. The source column reports the application or system component that generated each event.
Category. Some event sources use categories to distinguish different types of events they may report. Many sources do not. As you can see, none of the four sources shown above (W32Time, Windows File Protection, Service Control Manager, and Disk) use categories.
Event. All events are identified by a numerical value. This number is associated with a text description that appears when you view an event’s properties. There’s no systemwide code in use here—each event source’s designer simply decides what numbers to use and records those numbers in a file—and there’s no requirement that each event source use a unique set of numbers. After spending some time in your event logs, however, you might begin to recognize particular events by their arbitrary numbers. For example, events 6006 and 6009, generated by the Event Log service itself (listed as eventlog in the Source column), occur respectively when the Event Log service is stopped and started. Because the Event Log service is ordinarily never stopped while your computer is running, these events represent system shutdown and restart.
User. The User column records the user account associated with each event. Not all events are associated with a particular user account. Many events, particularly system events, are not generated by a particular user. These events show up as N/A.
Computer. The Computer column records the computer on which the event occurred.
Daylight Saving Time, Remote Computers, and Changes to the System Clock
When you move from standard time into daylight saving time or vice versa, Event Viewer changes the displayed Time (and possibly Date) values for events that have already occurred. For example, if an event occurred at 6 P.M. in standard time, after you move into daylight saving time that event will appear as if it had occurred at 7 P.M. That’s because Event Viewer applies a single offset from Greenwich mean time to all events in its logs and decrements that offset by one hour when you pass from standard into daylight saving time.
If you monitor events on remote computers in other time zones, be aware that Event Viewer always displays those events’ dates and times in your (local) time zone. It records occurrences in Greenwich mean time but applies your time zone’s Greenwich mean time offset for display purposes. Thus, for example, an event occurring at noon in New York will be reported in Los Angeles as having occurred at 9 A.M.
If you change the clock on your system, the times reported in event logs do not change, because your offset from Greenwich mean time has not changed. If you change your time zone, however, Event Viewer applies the new offset and changes the times displayed for all events in the log.
Examining Event Details
To learn more about an event than Event Viewer’s details pane tells you, you need to display individual information for the event. Select the event you’re interested in and do one of the following:
Double-click the event.
Press Enter.
Choose Properties from Event Viewer’s Action menu.
The image below shows the properties dialog box for an event in the System log.
http://www.experiencewindows.co.uk/images/evnt2.gif
The summary information in the top third of the properties dialog box is identical to the information that appears in Event Viewer’s columnar details pane. The description in the middle third of the window is the plain-language description of what has occurred. For localization purposes, this information is kept separate from the log (.evt) file. Each event type is mapped to descriptive text that lives elsewhere, in whatever file the application’s or component’s designer chose to use. (The event message file is recorded in the EventMessageFile registry value in HKLM\System\CurrentControlSet\Services\Eventlog\logname\eventsource, where logname is the name of the log—System, for example—and eventsource is the name of the application or component that generates the event in question.)
Some events generate binary data that can be useful to programmers or support technicians who are familiar with the product that generated the event. If binary data is available, it appears in the bottom third of the properties dialog box.
If you want to view details for other events, you can do so without first returning to the details pane: Click the arrow buttons in the upper right corner of the properties dialog box to move to the previous or next event in the list.
Directly below the Next Event button, near the upper right corner of the window, is a handy Copy button, as shown above. Clicking here sends the entire contents of the properties dialog box to the Clipboard, allowing you, for example, to paste the information into an e-mail message and send it to a support technician. (You can also copy some or all of the description text by selecting it in the middle third of the window and pressing Ctrl+C.)
Searching for an Event
The Find command on Event Viewer’s View menu allows you to locate particular items in the current log. The Find dialog box, shown below, includes a Description box in which you can specify all or a portion of an event’s descriptive text. To locate the most recent event that involved any kind of failure, for example, you would select the first event in the log (assuming you’ve kept the default chronological sort order), choose Find, type fail on the description line, and click Find Next.
http://www.experiencewindows.co.uk/images/evnt3.jpg
Filtering the Log Display
As you can see from a cursory look at your System log, events can pile up quickly, obscuring those of a particular type (such as print jobs) or those that occurred at a particular date and time. To filter a log so that Event Viewer displays only the items you currently care about, right-click the log’s name in the console tree, and choose Properties. Then fill out the Filter tab of the log’s properties dialog box (it looks much like the Find dialog box shown above), and click OK. To restore the unfiltered list, return to this dialog box, and click Restore Defaults.
With the help of the New Log View command on the Action menu, you can switch quickly between filtered and unfiltered views of a log—or between one filtered view and a different filtered view. Simply select the log in which you’re interested, right-click, and then choose New Log View. Event Viewer adds the new view to the console tree. Select the new view and filter to taste. Now you can move between views by navigating the console tree.
Types of Events
Security events are recorded in the Security log, Secevent.evt. Monitoring these events is called auditing and is not covered here; we focus on the other two event logs, Appevent.evt and Sysevent.evt, which record application events and system events, respectively.
Application events are generated by applications, including programs that you install, programs that come with Windows XP, and operating system services. For example, events relating to Microsoft Office, the backup program that comes with Windows XP, and the Windows XP Fax service are all recorded in Appevent.evt.
System events are generated by Windows XP itself and by installed components, such as device drivers. If a driver fails to load when you start a Windows XP session, for example, that event is recorded in the System log.
(If you’re curious about what elements of your system generate events and where those events are recorded, use Registry Editor to open the following registry key: HKLM\System\CurrentControlSet\Services\Eventlog. Then inspect each of the subkeys, Application, Security, and System. Each entity capable of generating an event has a subkey under one of those three keys.)
The System and Application logs recognize three types of events:
Errors. These are events that represent possible loss of data or functionality. Examples of errors include events related to network contention or to a malfunctioning network adapter and loss of functionality caused by a device or service that doesn’t load at startup.
Warnings. These events represent less significant or less immediate problems than errors. Examples of warning events include a nearly full disk, a timeout by the network redirector, and data errors on a backup tape.
Information. These are other events that Windows XP logs. Examples of information events include someone using a printer connected to your computer and a successful dial-up connection to your ISP.
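As an added example that is not part of the original post, the following Windows PowerShell script (it uses Get-EventLog, so Windows PowerShell rather than PowerShell 7) does three of the things described above programmatically: it pairs the eventlog source's 6006 and 6009 markers to list each shutdown/restart cycle and the downtime between them (an unexplained gap is worth a closer look), it shows the stored Greenwich mean time value beside the local time Event Viewer displays, and it reads EventMessageFile from the registry key named above. The function names are my own, and W32Time is used only because it is one of the sources in the screenshot.

```powershell
# Added example (not from the original post). Requires Windows PowerShell with
# Get-EventLog (classic .evt-style logs); run from an administrator prompt.

function Get-ShutdownRestartPairs {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Events 6006 (Event Log service stopped) and 6009 (started) come from the
    # "eventlog" source, as the post describes. Source matching is case-insensitive.
    $markers = Get-EventLog -LogName System -ComputerName $ComputerName -Source 'eventlog' |
        Where-Object { 6006, 6009 -contains $_.EventID } |
        Sort-Object TimeGenerated

    $pendingStop = $null
    foreach ($e in $markers) {
        if ($e.EventID -eq 6006) {
            # Service stopped: treat as the system shutting down.
            $pendingStop = $e
        }
        elseif ($e.EventID -eq 6009 -and $pendingStop) {
            # TimeGenerated is the local time Event Viewer displays; convert to
            # get the Greenwich mean time value the service actually recorded.
            New-Object PSObject -Property @{
                Computer     = $e.MachineName
                StoppedLocal = $pendingStop.TimeGenerated
                StoppedUtc   = $pendingStop.TimeGenerated.ToUniversalTime()
                StartedLocal = $e.TimeGenerated
                StartedUtc   = $e.TimeGenerated.ToUniversalTime()
                Downtime     = $e.TimeGenerated - $pendingStop.TimeGenerated
            }
            $pendingStop = $null
        }
    }
}

function Get-EventMessageFile {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [string]$LogName = 'System'
    )
    # Same key the post names: HKLM\System\CurrentControlSet\Services\Eventlog\logname\eventsource
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName\$Source"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # PowerShell expands %SystemRoot% in REG_EXPAND_SZ values for you; a source
    # may list several message files separated by semicolons.
    $props.EventMessageFile
}

Get-ShutdownRestartPairs |
    Select-Object Computer, StoppedLocal, StoppedUtc, StartedLocal, Downtime |
    Format-Table -AutoSize

Get-EventMessageFile -Source 'W32Time'
```

Pass -ComputerName to Get-ShutdownRestartPairs for a remote machine; as the post notes, the times returned are converted to your own time zone, so compare the *Utc properties when correlating logs across zones.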