Event Viewer Windows 2000 & Windows XP

Lewis

Member
From PC World



Windows Tips: Spot PC Trouble Early With Windows' Event Viewer
Make sense of Windows' logs; view past chkdsk results; get more event information for free.
Scott Dunn
Friday, March 17, 2006 01:00 AM PST

Every time Windows XP or 2000 starts, it begins keeping a record of events that happen on your system. Not general events like "This user has started Solitaire ten times today," but highly specific details of Windows' startup, your log-in, the services that start and stop in the course of a session, system crashes, and much more. Windows even carries its own tool, called Event Viewer, for perusing that log. This program is handy for diagnosing Windows problems, but it's also useful for learning about what's going on under the operating system's hood. In fact, it's one of the first places you should look for clues if an unexplained problem with your PC crops up.

Get your logs rolling: To start Event Viewer (depending on how your system is configured), select either Start, All Programs (Programs in Windows 2000), Administrative Tools, Event Viewer or Start, Administrative Tools, Event Viewer. If you don't see an Administrative Tools option on either of these menus, right-click the taskbar and choose Properties. In XP, click the Start Menu tab and select Customize next to the type of Start menu that you have (regular XP style or Classic). In either version, click the Advanced tab (if one is present). Check the option in the resulting window that will display the Administrative Tools or System Administrative Tools, and click OK as many times as needed. (Alternatively, you can find this utility in the Administrative Tools folder, which is located in Control Panel.)

Event Viewer's left pane lists separate folders for the three types of events that Windows logs: Application, Security, and System (in Windows 2000 the word Log appears with each type). The System event log can be particularly useful for uncovering problems with hardware devices or with Windows itself. Click a folder to display the events for that type in the right pane (see Figure 1). You can sort the events by type, date, or other column heading, just as you can in Windows Explorer's Details view. The event icons in the right pane indicate their severity: Information, Warning, or Error. When you want more information about a particular event, double-click its entry in the right pane to see its Properties and to read a description of the problem. Regrettably, the description is rarely much help; see "Look elsewhere for answers" below for a more informative event resource.

Most of the logged entries can be ignored. For example, if you click the System icon on the left, the Event column on the right should include an entry numbered '6005' for every time you have started your PC. Each such entry signifies the beginning of the logging service when Windows loads. Similarly, a '6006' entry should appear for each time you shut down your system, indicating that you exited Windows properly and that event logging stopped. If there's no 6006 entry to correspond to a given day's 6005 entry, your computer probably stopped without using Windows' normal shutdown process, which can cause problems.

Ask Microsoft for more info: Some event logs can help you diagnose and solve problems. If the event's Properties dialog box doesn't say enough, scroll to and click the link just below 'Help and Support Center' in the Description box (see Figure 2). You'll be prompted to send Microsoft some information about the event so it can look up the related topic. Click Yes if you consent. For example, I asked Microsoft about an error message telling me that System Restore had encountered a problem when it tried to back up a file. The Help and Support Center explained that, in these cases, System Restore stops creating restore points and stops monitoring changed files until another restore point is established. It also explained that I could get System Restore going again by creating a restore point manually.

Look elsewhere for answers: In many cases, unfortunately, the service reports that no Help topic is available, or the information it gives is too vague to be useful. If Microsoft has no help to offer, try EventID.Net, a site hosted by Altair Technologies that maintains a community collection of comments on many of the system events that Windows logs.

The service uses information that appears in the columns in Event Viewer's right pane: Note the text in the Source column and the number in the Event column. Then browse to EventID.Net, enter the event ID number and source info, and click Search. The site will open a summary of the event. Click the link next to Details to get the skinny from other users who have experience with the same issue (see Figure 3). Or enter the event ID or other unique snippet of text from the event in your favorite search engine to find more information about it.

Check chkdsk: Event Viewer is useful for more than just troubleshooting, however. For example, when Windows scans for and fixes disk errors (right-click the drive icon in Explorer, choose Properties, and click Check Now under the Tools tab), the OS records the results in Event Viewer. You can use the chkdsk /f command to automate your disk scans, as Lincoln Spector related in last July's Answer Line column (scroll to "Scan and defrag your hard drive").

Disk checks often occur after you start your computer but before you log in to Windows. In such cases, though you may be able to see the scan results on screen, you may have no option (and no time) to save or print them. Not to worry: Event Viewer's log has it covered. Click the Application icon in Event Viewer's left pane (Application Log in Windows 2000). To find a particular event more easily, choose View, Filter. Under the Filter tab in the Application Properties dialog box, choose Winlogon in the 'Event source' drop-down menu, and click OK. To see the results in the Events Properties dialog box, locate and double-click the icon corresponding to the date of your error-checking chore (see Figure 4). To save or print the information, click the Copy icon in the top-right corner under the up and down arrows, and then paste it into the word processor or text editor of your choice.

When you're done, reset the filter to show all log entries by choosing View, All Records. If you forget to do this, Event Viewer will switch back to showing all log entries the next time you start it.

Beef up your logs: By default, the information in Windows' event logs gets overwritten after just a week, and the log itself is limited to 512KB. To keep the data around longer, right-click one of the three logs in the left pane and select Properties. Under the General tab, adjust the 'Maximum log size' to something larger--for example, setting it to 2048 KB will quadruple the number of entries the log can hold. You can also adjust the overwrite options listed below this setting to maintain log entries for longer than seven days. If you think your maximum log size is big enough, you needn't specify a number of days to retain entries; simply select Overwrite events as needed to keep adding events to the log until it reaches maximum size and starts deleting entries. When you're finished, click OK.
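
The 6005/6006 pairing check described above, as an added example that is not part of the original article or post: it walks a System log saved from Event Viewer as comma-separated text and reports every startup that was never followed by a clean shutdown. The column layout (date, time, source, type, category, event ID, user, computer), the date format, the EventLog source filter and the sample rows are assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime

LOG_START = 6005  # event logging started (Windows booted)
LOG_STOP = 6006   # event logging stopped (normal shutdown)

# Constructed sample export, newest first as Event Viewer lists it.
SAMPLE_EXPORT = """\
3/16/2006,8:02:11 AM,EventLog,Information,None,6005,N/A,DESKTOP
3/15/2006,11:40:09 PM,EventLog,Information,None,6006,N/A,DESKTOP
3/15/2006,7:55:30 AM,EventLog,Information,None,6005,N/A,DESKTOP
3/14/2006,9:15:42 AM,Service Control Manager,Information,None,7036,N/A,DESKTOP
3/14/2006,8:01:03 AM,EventLog,Information,None,6005,N/A,DESKTOP
3/13/2006,10:30:00 PM,EventLog,Information,None,6006,N/A,DESKTOP
3/13/2006,8:00:47 AM,EventLog,Information,None,6005,N/A,DESKTOP
"""

def parse_export(text):
    """Return (timestamp, source, event_id) tuples, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6 or not row[5].strip().isdigit():
            continue  # skip blank, header or malformed rows
        when = datetime.strptime(f"{row[0]} {row[1]}", "%m/%d/%Y %I:%M:%S %p")
        events.append((when, row[2].strip().lower(), int(row[5])))
    return sorted(events)

def unclean_sessions(events):
    """Return boot times of sessions that ended without a 6006 entry."""
    unclean = []
    open_boot = None  # boot whose matching 6006 has not been seen yet
    for when, source, event_id in events:
        if source != "eventlog":  # event IDs are only unique per source
            continue
        if event_id == LOG_START:
            if open_boot is not None:  # a new boot with no stop in between
                unclean.append(open_boot)
            open_boot = when
        elif event_id == LOG_STOP:
            open_boot = None  # also covers a 6006 whose 6005 was overwritten
    return unclean  # the newest, still-running session is not reported

if __name__ == "__main__":
    for boot in unclean_sessions(parse_export(SAMPLE_EXPORT)):
        print("No clean shutdown after startup at", boot)
```

A startup reported here marks a session worth a closer look in the System log around the time of the next boot.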