MCTS 70-680: Windows 7 Event Viewer

Uploaded by itfreetraining on 08.02.2012

Welcome back to your free Windows 7 training. In this video I will look at the event viewer.
When an event occurs in Windows a record of it is saved in the event log. Using the event
viewer you can read these events which can be vital to solving and troubleshooting problems
in Windows 7.
The event viewer short cut is nested quite far down the start menu or the control panel
in administrative tools. I find it easier to type event from the start box and run it
from here rather than navigate through all the menus.
At the top the event view is a summary of the events. Here you can see how many of each
particular events have happen. At the top is critical events for the last hour, 24 hours
and 7 days.
The summary provides at good way of quickly determing if there have been any problems
on a system. The warning are group from critical down to informational. If I go to the top
and expand I get a list of critical errors. The space here is limited, but if I double
click it I will go into a much better view.
Critical events are problems that a failure has occur by an application or hardware that
could not be recovered from. These kind of errors should be looked in especially if they
are related to hardware.
If I select one of the events I can get some details about the event. In this case the
computer was not rebooted cleanly. This may be the power was unplugged or there is problematic
hardware that is causing the computer to randomly restart.
These events are essentially filtered events to assist with reporting. All the events from
the system come from the logs from under Windows logs. The first log in here is the application
The application log contains events from applications that have been running on this computer. This
includes Microsoft applications and 3rd party applications.
Information events like these ones give you some information. These aren’t consider
a problem. In this case an information event has been generated telling me that Windows
management instrumentation services has been started. Information events like these are
normal and generally nothing to worry about.
The type of error listed in the application log is an error event. These can indicate
a problem with the system. In the case of this error there was a problem with the volume
shadow copy service.
Often you will find the event will tell you something happened but not the cause. One
easy way to trouble shoot the problem is the click on the link at the bottom,”event log
online help”. This will take you to a Microsoft web site with information about the error.
If this does not help, you can attempt to use a search engine to look up the event ID
shown here are even just the description of the event.
In all honestly I could take some time trouble shoot this error, but services do crash from
time to time. What I would first do is here is to search the event log and see if this
event has happened before. If it is a once off it may not be a problem.
The next event type is warning event. These are not critical errors but should be looked
in to. This particular event message is telling me that there was a problem with the registry.
I would guess that an application crashed or did something unexpected. Once again, if
it is once off I would not worry about it.
Warning events can cause be generated of events like an application not being able to connect
to a server. If the network is down this is to be expected. If there is not problem with
the network then a warning message like this needs to be investigated.
The next major log in the event log is the security log. The security log shows security
related events that have happened on the system. The level of events log here is depend on
the level of audting that has been configured on the system.
Keep in mind that if your audit everything on a busy system this logging can slow your
system down.
The next log file is the setup log. This log contains errors related to when applications
were installed. This includes problems with Windows updates that failed to install.
The next set of logs is for system events. This shows events relating to Windows 7 operating
system. Things like services not starting up will appear in here. If the computer crashed
or the power cord was removed an event for that would appear in here.
The last event log is forwarded events. These are events that have been forwarded from anther
computer. This is the topic of the next video so I won’t cover it here.
At the top of the event log is customs views. If you want to see only particular events
you can create a custom view by right clicking custom views and selecting create custom view.
There is quite a lot of filter settings that you can adjust in here. At the top is the
time period you want to filter followed by the types of events. In this I will select
7 days and critical and error events.
Next you can select with log you want to filter by. Either the main logs or a particular application
or services log.
If you want to filter events from all log files, select the option soruce and select
which events you want to filter. In this case I will select .Net related events. You
can also filter by key word. For example if you had a Raid controller and only wanted
to know about RAID events.
Lastly you can filter by users and computers. This is generally quiet usefull when trying
to find security audit information. Finally I get to choose a name for my filter and it
will be saved.
If I select the Windows logs, I can go to the far right and select properties. In here
you can first set where the log files can be stored. Currently it is in the default
location on the current hard disk, however you could also set it to a network location. Even
though some administrators do this, if there is a problem with the networking writing to
this location the events may be lost. In the next video I will cover forwarding copies
of events from on computer to anther, this is a better way of achiving the same result.
At the bottom of the screen you have the size of the log file. This will determine how many
events your log file can hold. When the log is full the next option will determine what
will happen.
By default the events will be over written. The older events will be written over first.
If you need to keep every event generated by the computer you should select the next
option that will archive the log file when it gets full.
The last option will not over write any events when the log file is full. A word of warning
with this settings. If the log file becomes full no new events will be written until the
event log is clear or the settings changed.
At the bottom right hand screen you have the option to clear the log. When you create a
computer that is going to be reimaged, I like to clear all the event logs.
That’s it for the event viewer. All through it does not seem like much, it is often essentail
in the trouble shooting process.
In the next video I will look at event forwarding, the process of send events from one computer
to anther. If you have liked this video, please see are web page or you tube channel for more
free videos. Thanks for watching.