{"id":11,"date":"2026-06-03T09:00:00","date_gmt":"2026-06-03T09:00:00","guid":{"rendered":"http:\/\/backendside.com\/blog\/2026\/06\/03\/windows-event-viewer-guide\/"},"modified":"2026-06-24T05:26:10","modified_gmt":"2026-06-24T05:26:10","slug":"windows-event-viewer-guide","status":"publish","type":"post","link":"https:\/\/backendside.com\/blog\/2026\/06\/03\/windows-event-viewer-guide\/","title":{"rendered":"Windows Event Viewer Complete Guide"},"content":{"rendered":"<p class=\"lead\">Event Viewer is the first place to look when something goes wrong on Windows &mdash; and one of the most underused tools in the box. Most people open it, feel overwhelmed by the noise, and close it again. With a little structure it becomes a precise diagnostic instrument.<\/p>\n<h2>The logs you need to know<\/h2>\n<ul>\n<li><strong>System<\/strong> &mdash; the operating system and drivers: services, hardware, boot and shutdown.<\/li>\n<li><strong>Application<\/strong> &mdash; events from installed programs and their crashes.<\/li>\n<li><strong>Security<\/strong> &mdash; audit events: logons, privilege use, object access.<\/li>\n<li><strong>Setup<\/strong> &mdash; installation and servicing of Windows components.<\/li>\n<li><strong>Forwarded Events<\/strong> &mdash; events collected from other machines.<\/li>\n<\/ul>\n<h2>Severity levels<\/h2>\n<p>Every event carries a level: <strong>Information<\/strong>, <strong>Warning<\/strong>, <strong>Error<\/strong> or <strong>Critical<\/strong> (plus <em>Audit Success<\/em>\/<em>Audit Failure<\/em> in the Security log). 
When triaging, filter to Error and Critical first &mdash; that removes most of the noise instantly.<\/p>\n<h2>Anatomy of an event<\/h2>\n<p>Each entry tells you the <strong>Source<\/strong> (which component logged it), the <strong>Event ID<\/strong> (a number identifying the specific event type), the <strong>Level<\/strong>, the <strong>user<\/strong> and <strong>timestamp<\/strong>, and a details pane (readable on the General tab, or as raw XML on the Details tab). The Event ID is the key you will search the web and your own notes for.<\/p>\n<h2>Cut through the noise with filters and custom views<\/h2>\n<p>Right-click a log and choose <em>Filter Current Log<\/em> to narrow by level, Event ID, time range or source. When you find a filter you use often, save it as a <em>Custom View<\/em> so it is one click away next time &mdash; for example, &#8220;all Errors and Criticals in the last 24 hours across System and Application.&#8221;<\/p>\n<h2>Useful Event IDs to recognise<\/h2>\n<table style=\"width:100%;border-collapse:collapse;margin:1rem 0;font-size:.9rem;\">\n<thead>\n<tr style=\"background:#f2f1ef;\">\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Event ID<\/th>\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">4624 \/ 4625<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Successful \/ failed logon (Security)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">6005 \/ 6006<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Event log service started \/ stopped (proxy for boot \/ clean shutdown)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">41<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Kernel-Power: system rebooted without a clean shutdown<\/td>\n<\/tr>\n<tr>\n<td 
style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">7000 \/ 7001<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">A service failed to start \/ depends on a service that failed<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">7045<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">A new service was installed (useful for spotting unwanted software)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">1000 \/ 1001<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Application crash \/ Windows Error Reporting entry<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div style=\"border:1px solid #c5d3f8;background:linear-gradient(135deg,#eef2fd 0%,#ffffff 72%);border-radius:14px;padding:1.5rem 1.65rem;margin:2rem 0;\">\n<div style=\"font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;color:#2d5be3;margin-bottom:.55rem;\">&#128295; BackendSide Tool<\/div>\n<h4 style=\"margin:0 0 .45rem;font-size:1.15rem;color:#1a1916;font-weight:700;\">Process &amp; Port Analyzer &mdash; See What Windows Is Doing<\/h4>\n<p style=\"margin:0 0 1.05rem;color:#3d3c38;font-size:.92rem;line-height:1.65;\">When an event points to a misbehaving process or a suspicious connection, <strong>Process &amp; Port Analyzer<\/strong> shows you the whole picture: running processes, active TCP\/UDP connections, listening ports, a built-in packet sniffer, and your firewall rules &mdash; the perfect companion to Event Viewer for tracking an issue to its source.<\/p>\n<p><a href=\"https:\/\/backendside.com\/processandportanalyzer.php\" style=\"display:inline-flex;align-items:center;gap:.4rem;background:#2d5be3;color:#ffffff;font-weight:600;font-size:.85rem;padding:.6rem 1.2rem;border-radius:6px;text-decoration:none;\">Explore Process &amp; Port Analyzer &rarr;<\/a><\/p>\n<\/div>\n<h2>Filter at scale from the command line<\/h2>\n<p>For repeatable queries and scripting, PowerShell&#8217;s
<code>Get-WinEvent<\/code> is far more powerful than the GUI:<\/p>\n<pre><code># the 20 most recent System errors (Level 1 = Critical, 2 = Error, 3 = Warning)\nGet-WinEvent -FilterHashtable @{ LogName='System'; Level=2 } -MaxEvents 20\n\n# all failed logons in the last day (reading the Security log needs an elevated prompt)\nGet-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) }<\/code><\/pre>\n<p>You can also export any log to an <code>.evtx<\/code> file (right-click &rarr; <em>Save All Events As<\/em>, or <code>wevtutil epl<\/code>) to archive it or analyse it on another machine.<\/p>\n<div style=\"border:1px solid #c5d3f8;background:linear-gradient(135deg,#eef2fd 0%,#ffffff 72%);border-radius:14px;padding:1.5rem 1.65rem;margin:2rem 0;\">\n<div style=\"font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;color:#2d5be3;margin-bottom:.55rem;\">&#128295; BackendSide Tool<\/div>\n<h4 style=\"margin:0 0 .45rem;font-size:1.15rem;color:#1a1916;font-weight:700;\">DeepDig &mdash; Your Event Logs, Explained in Plain English<\/h4>\n<p style=\"margin:0 0 1.05rem;color:#3d3c38;font-size:.92rem;line-height:1.65;\">Everything in this guide, done for you. <strong>DeepDig<\/strong> reads these same Windows event logs and turns them into plain-English <strong>incidents<\/strong> &mdash; correlating related events, scoring severity, and adding recommended fixes and a MITRE ATT&amp;CK mapping. It also runs a read-only registry security audit and can watch live.
Scan this PC or open an exported <code>.evtx<\/code> file &mdash; 100% local, no telemetry.<\/p>\n<p><a href=\"https:\/\/backendside.com\/deepdig.php\" style=\"display:inline-flex;align-items:center;gap:.4rem;background:#2d5be3;color:#ffffff;font-weight:600;font-size:.85rem;padding:.6rem 1.2rem;border-radius:6px;text-decoration:none;\">Explore DeepDig &rarr;<\/a><\/p>\n<\/div>\n<h2>Make events work for you<\/h2>\n<p>Right-click an event and choose <em>Attach Task To This Event<\/em> to have Windows automatically run a program, or send a notification, whenever that event recurs. It is a simple way to turn a passive log into an active alert.<\/p>\n<h2>Stop waiting for the log<\/h2>\n<p>Event Viewer is reactive &mdash; you go looking after something already happened. For the things that matter most, it pays to watch continuously and be told the moment a threshold is crossed.<\/p>\n<div style=\"border:1px solid #c5d3f8;background:linear-gradient(135deg,#eef2fd 0%,#ffffff 72%);border-radius:14px;padding:1.5rem 1.65rem;margin:2rem 0;\">\n<div style=\"font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;color:#2d5be3;margin-bottom:.55rem;\">&#128295; BackendSide Tool<\/div>\n<h4 style=\"margin:0 0 .45rem;font-size:1.15rem;color:#1a1916;font-weight:700;\">BackendSideMon &mdash; Real-Time Server Monitoring<\/h4>\n<p style=\"margin:0 0 1.05rem;color:#3d3c38;font-size:.92rem;line-height:1.65;\">Running commands by hand tells you how a server is doing <em>right now<\/em>; <strong>BackendSideMon<\/strong> tells you around the clock.
It tracks TCP\/UDP\/ICMP stats, processes and connections through a clean web dashboard, and runs as a service on both Windows and Linux &mdash; so problems surface before your users report them.<\/p>\n<p><a href=\"https:\/\/backendside.com\/backendsidemon.php\" style=\"display:inline-flex;align-items:center;gap:.4rem;background:#2d5be3;color:#ffffff;font-weight:600;font-size:.85rem;padding:.6rem 1.2rem;border-radius:6px;text-decoration:none;\">Explore BackendSideMon &rarr;<\/a><\/p>\n<\/div>\n<h2>Key takeaways<\/h2>\n<ul>\n<li>Know the core logs: <strong>System<\/strong>, <strong>Application<\/strong>, <strong>Security<\/strong>.<\/li>\n<li>Filter to <strong>Error<\/strong> and <strong>Critical<\/strong> first, then save useful filters as <strong>Custom Views<\/strong>.<\/li>\n<li>Learn to read <strong>Event IDs<\/strong> &mdash; they are the fastest path to a root cause.<\/li>\n<li>Use <strong>Get-WinEvent<\/strong> for scripting and large-scale filtering.<\/li>\n<li><strong>Attach tasks<\/strong> to important events to turn logs into alerts.<\/li>\n<\/ul>\n<p>Once you know where to look, recurring Windows problems become obvious &mdash; and far quicker to fix.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A practical guide to Windows Event Viewer: the core logs, severity levels, reading Event IDs, custom views and filters, Get-WinEvent, and turning events into
alerts.<\/p>\n","protected":false},"author":1,"featured_media":26,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-11","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows"],"_links":{"self":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/11","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/comments?post=11"}],"version-history":[{"count":2,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/11\/revisions"}],"predecessor-version":[{"id":28,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/11\/revisions\/28"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/media\/26"}],"wp:attachment":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/media?parent=11"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/categories?post=11"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/tags?post=11"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}