As a service desk agent, you have often wished while solving user issues that you could go deeper to understand the root cause, but did not for lack of time. Many issues, such as system crashes, usually leave no clues to work from. Most of the time you just close those tickets, since there is nothing you can do and the user will not face the problem again immediately unless it is a serious one.

Have you wondered how you could understand the problems below in depth?

Application and system crashes

Blue screen

Driver or hardware issues

Unexpected machine shutdowns

Unauthorized login attempts

Understanding how Windows works, how it restarts services and tries to heal itself

And probably anything else happening on the machine.

You are probably already aware that Event Viewer is a useful tool for these. The Windows Event Viewer shows a log of application and system messages, including errors, informational messages, and warnings. It is a useful tool for troubleshooting all kinds of Windows problems. Using the event logs in Event Viewer, you can gather information about hardware, software, and system problems, and you can monitor Windows operating system security events.

How to launch it:

Hit Start, type “Event Viewer” into the search box, and then click the result.

Some of the keywords you will keep seeing:

Event – Any significant occurrence in the system or an application that requires users to be notified or an entry to be added to a log.
Event log service – A service that records events in the System, Security, and Application logs.
Event logging – The process of recording an audit entry in the audit trail whenever certain events occur, such as services starting and stopping, or users logging on, logging off, and accessing resources.
Event Viewer – A component you can use to view and manage event logs, gather information about hardware and software problems, and monitor security events. Event Viewer maintains logs about program, security, and system events.

Events are placed in the categories below:

Application: The Application log contains events logged by applications or programs installed on the system. For example, a database program might record a file error in the Application log. The program developer decides which events to record.
System: The System log contains events logged by Windows operating system components, such as drivers and built-in interface elements. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by the Windows operating system.
Security: The Security log records security events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files. An administrator can specify which events are recorded in the Security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the Security log. When security logging is enabled (it is off by default in Windows), this log records events related to security, such as logon attempts and resource access.

To see more details for a particular event, double-click on it.

You can see the details below:

Source: The software that logged the event, which can be either an application name, such as Microsoft SQL Server, or a component of the system or of a large application, such as MSExchangeIS, which is the Microsoft Exchange Information Store service.
Category: A classification of the event by the event source. For example, the security categories include Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management.
Event ID: A number, unique within each source, that identifies the event.
User: The user name of the user who was logged on and working when the event occurred. N/A indicates that the entry did not specify a user.
Computer: The name of the computer where the event occurred.
Description: The actual text of the event, that is, how the application that logged the event explains what has happened.
Data: Binary data generated by the event, displayed in hexadecimal (bytes) or DWORDS (words) format. Not all events generate binary data. Programmers and support professionals familiar with the source application can interpret this information.

Event Viewer also has its own issues, which keep it from becoming the mainstream standard troubleshooting tool on endpoints:

Typically it takes 10-20 seconds to open, which is a major deterrent for agents who want to open it and analyze events on the user's machine.

Viewing all of the events is next to impossible; there is simply too much content. You can filter them by severity, but sorting and filtering still takes ages.

It produces a lot of data, and not all of it is useful.

We feel these issues are what keep it from becoming a standard troubleshooting mechanism. There is no dearth of systems that collect event logs from machines and store them on servers, where they are analyzed, but endpoint analysis during standard troubleshooting is still some way off. We tried to solve this problem by creating a tool that makes it easy for agents to collect event logs from a user's machine so that a quick analysis can be done. Run this tool on the end user's machine and within seconds it will export all the logs matching the parameters you have provided. These parameters can be event type, category or keywords, across all dates or a selected date range. If you want access to this free tool, please fill out this form.
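The same kind of filtered, time-boxed export can be scripted on the endpoint with PowerShell's Get-WinEvent. The block below is an added example, not the tool described in this post: the Export-TriageEvents function, its defaults and the output paths are assumptions, and event ID 4625 (an account failed to log on) stands in for the invalid-logon case mentioned under the Security log.

```powershell
# Added example (not the tool from the post): export a filtered slice of the local
# event logs for service-desk triage. Function name, defaults and paths are assumptions.
# Reading the Security log requires an elevated (administrator) PowerShell session.
function Export-TriageEvents {
    param(
        [Parameter(Mandatory)][string[]]$LogName,   # e.g. 'System','Application','Security'
        [int[]]$Level,                              # 1=Critical 2=Error 3=Warning 4=Information
        [int[]]$EventId,                            # optional list of event IDs to keep
        [datetime]$Start = (Get-Date).AddDays(-7),  # default window: the last 7 days
        [datetime]$End   = (Get-Date),
        [string]$Keyword,                           # optional substring match on the message text
        [Parameter(Mandatory)][string]$OutFile      # CSV the agent takes away for analysis
    )
    # FilterHashtable is evaluated by the event log service itself, so it is far
    # faster than pulling every record and filtering in PowerShell afterwards.
    $filter = @{ LogName = $LogName; StartTime = $Start; EndTime = $End }
    if ($Level)   { $filter.Level = $Level }
    if ($EventId) { $filter.Id    = $EventId }

    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($Keyword) { $events = @($events | Where-Object { $_.Message -like "*$Keyword*" }) }

    # Flatten each event to the fields shown in the Event Viewer details pane:
    # UserSid is the raw SID (empty when the event names no user), Summary is the
    # first line of the Description text.
    $events |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, MachineName,
            @{ n = 'UserSid'; e = { $_.UserId } },
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    # Return the ten noisiest source/ID pairs so the agent sees what dominates the window.
    $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}

# Crash and driver triage: Critical, Error and Warning events from System and Application.
Export-TriageEvents -LogName 'System','Application' -Level 1,2,3 -OutFile "$env:TEMP\triage-sys.csv"

# Invalid logon attempts: Security audit events carry Level 0, so filter by ID (4625 =
# "An account failed to log on") rather than by Level, here over the last 24 hours.
Export-TriageEvents -LogName 'Security' -EventId 4625 -Start (Get-Date).AddDays(-1) `
    -OutFile "$env:TEMP\triage-logon.csv"
```

The CSV keeps only the first line of each Description; when a record needs the full text or binary Data field, open the same event in Event Viewer or re-run without the Summary projection.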
