Event Viewer for Humans: Finding Answers in Windows Logs
Event Viewer has a public-relations problem: open it cold and you're staring at tens of thousands of entries, a third of them red, on a perfectly healthy machine. So people close it and never learn that almost every Windows mystery — the overnight reboot, the service that died, the login that failed — is answered in there, usually by one of about a dozen event IDs. This is the guide to those dozen, and to filtering past everything else.
01 — Orientation: The Four Logs That Matter
Open it with eventvwr.msc. Under Windows Logs:
- System — the OS and drivers: boots, shutdowns, service failures, disk warnings. Your first stop for crashes and hardware.
- Application — programs: app crashes and hangs, plus chatty status from anything installed.
- Security — logons, logoffs, privilege use. The audit trail; first stop for "who got in / who tried."
- Setup — Windows updates and feature installs.
The sprawling Applications and Services Logs tree underneath holds per-component logs — you visit it on purpose (e.g., TerminalServices-RemoteConnectionManager when chasing the RDP issues from my RDP checklist) rather than browsing it.
And the calibration rule that makes the whole tool usable: errors are normal. Healthy machines log errors constantly — timing hiccups at boot, the infamous DCOM 10016 permission grumbles (genuinely ignorable, by Microsoft's own guidance). An event matters when it correlates with your symptom in time, or repeats in a pattern. You are not cleaning the log to zero; you are answering a question.
💡 Plain English: Event Viewer is a flight recorder, not a warning light. You don't read it daily — you read it after something happened, starting from the timestamp of the something.
02 — The Event IDs Worth Memorizing
| Log | ID | What it tells you |
|---|---|---|
| System | 41 (Kernel-Power) | Machine lost power without shutting down — crash, hard hang, power cut, or held power button |
| System | 6008 | "Previous shutdown was unexpected" — the companion to 41 |
| System | 1074 | Who/what initiated a shutdown or restart — names the process and user. THE answer to "why did my PC reboot overnight" (spoiler: usually Windows Update) |
| System | 1001 (BugCheck) | A blue screen happened; includes the stop code and dump path — the bridge into my BSOD guide |
| System | 7031 / 7034 | A service crashed (7034) or crashed and was restarted (7031) |
| System | 7 / 153 (disk) | Bad block / I/O retry on a disk — take these seriously: back up and SMART-check |
| Application | 1000 / 1002 | An app crashed (1000) or hung (1002), with the faulting module — the clue whether the app or a DLL it loaded is guilty |
| Security | 4624 / 4625 | Successful / failed logon — with account, source, and a logon type code |
| Security | 4740 | Account locked out |
| Security | 1102 | The audit log was cleared — on a machine only you administer, a red flag worth understanding |
Two decoding notes that pay rent: in 4624/4625, Logon Type 2 = at the keyboard, 3 = over the network (shares), 10 = Remote Desktop — so a stream of failed type-3/type-10 logons from an address you don't recognize is an unambiguous story. And 4625's Status/Sub Status codes distinguish "bad password" (0xC000006A) from "no such user" (0xC0000064) — useful when deciding if it's a typo or a probe.
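Turning those two decoding notes into a repeatable check, as an added example that is not part of the original article: the function below pulls the last day of Security 4625 events, reads the named fields from each record's XML (the same data the Details tab shows), maps Logon Type and Status/Sub Status to the meanings given above, and groups the failures by source and logon type so a probe stands out from a typo. The function name, its parameters and the grouping are this example's own choices; the numeric logon types and NTSTATUS values are the documented Windows ones (0xC0000234, account locked out, is added beyond the two the text lists). It must run in an elevated PowerShell, since reading the Security log requires Administrator.

```powershell
# Added example (not from the article): summarise Security 4625 failures by source and logon type.
function Get-FailedLogonSummary {
    param([int]$Hours = 24)

    # Documented Windows meanings for the logon types and status codes the article discusses.
    $logonTypes = @{ '2' = 'Interactive (keyboard)'; '3' = 'Network (shares)'; '10' = 'RemoteInteractive (RDP)' }
    $reasons    = @{ '0xc000006a' = 'bad password'; '0xc0000064' = 'no such user'; '0xc0000234' = 'account locked out' }

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The Details/XML view is the full record; collect its named EventData fields into a table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # SubStatus carries the specific reason; fall back to Status when SubStatus is 0x0 (e.g. lockout).
        $code = $data['SubStatus']
        if (-not $code -or $code -eq '0x0') { $code = $data['Status'] }
        $code = "$code".ToLower()
        $reason = $code
        if ($reasons.ContainsKey($code)) { $reason = $reasons[$code] }

        # Network logons carry an IP address; local ones only a workstation name.
        $source = $data['IpAddress']
        if (-not $source -or $source -eq '-') { $source = $data['WorkstationName'] }

        $type = $data['LogonType']
        if ($type -and $logonTypes.ContainsKey($type)) { $type = $logonTypes[$type] } else { $type = "type $type" }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data['TargetUserName']
            Source    = $source
            LogonType = $type
            Reason    = $reason
        }
    }

    # One row per (source, logon type): how many attempts, against how many accounts, failing for which reasons.
    $rows | Group-Object Source, LogonType | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            Source    = $g[0].Source
            LogonType = $g[0].LogonType
            Attempts  = $_.Count
            Accounts  = @($g.User | Sort-Object -Unique).Count
            Reasons   = @($g.Reason | Sort-Object -Unique) -join ', '
            First     = $g.Time | Sort-Object | Select-Object -First 1
            Last      = $g.Time | Sort-Object | Select-Object -Last 1
        }
    } | Sort-Object Attempts -Descending
}

# Usage (elevated PowerShell). Many accounts from one address over type 3 or 10 with "no such user"
# is a probe; one account with "bad password" at the keyboard is a typo.
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

The Accounts column is the quickest tell: a single source cycling through many usernames that do not exist on the machine is the unambiguous story the text describes, while a handful of bad-password failures against one real account at the keyboard is someone mistyping.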
03 — Filtering: From Haystack to Handful
Never scroll. Two techniques replace it:
- Filter Current Log (right panel): set the time window around your incident ("Last hour", or a custom range), tick Critical/Error/Warning, and — most powerfully — type event IDs directly: 41,1074,6008 turns the System log into a clean shutdown history.
- Custom Views persist a filter as a permanent virtual log. The one I put on every machine I manage — call it "Why did it die": Windows Logs → System, IDs 41,1074,6008,1001,7031,7034. Every unexpected restart, bluescreen, and service death, one click, forever.
For repeated or scripted questions, PowerShell beats the GUI:
```powershell
# Last 10 shutdown/crash events with messages
Get-WinEvent -FilterHashtable @{LogName='System'; Id=41,1074,6008,1001} -MaxEvents 10 |
    Format-List TimeCreated, Id, Message

# Failed logons in the last 24 hours (run as Administrator)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625;
    StartTime=(Get-Date).AddDays(-1)} | Measure-Object
```
04 — Worked Example: "My PC Restarted Overnight"
The most common Event Viewer question, solved in ninety seconds:
- System log → Filter → last 24 hours → IDs 41,1074,6008.
- 1074 present? Read it — it names the initiator. "The process C:\WINDOWS\...\MusNotification.exe has initiated the restart... Reason: Operating System: Upgrade" = Windows Update did it, case closed (and Settings → Windows Update → Advanced → Active hours is your remedy).
- 41/6008 with no 1074? Nothing asked to restart — the machine lost power or crashed. Check for a 1001 BugCheck at the same timestamp: present means bluescreen (dump analysis time), absent means hard hang or power: think thermals, PSU, or someone's foot near the cable.
That branching — orderly (1074) vs. disorderly (41 alone) — answers the question definitively in a way no amount of guessing does.
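The same branching as a script, as an added example that is not part of the original article: it fetches the "why did it die" quartet from the System log, reports every 1074 with the initiating process and reason parsed from its message, and for each 41/6008 looks for a 1001 BugCheck logged near it to separate a bluescreen from a power cut or hard hang. The function name, the parameters and the five-minute bugcheck window are this example's own choices (41 and 1001 are both written at the following boot, so their timestamps sit close together rather than being identical); the message wording it parses is the standard text of those events, including the "has initiated the restart ... for the following reason" sentence the text quotes.

```powershell
# Added example (not from the article): orderly (1074) vs. disorderly (41/6008) restart triage.
function Get-RestartVerdict {
    param([int]$Hours = 24, [int]$BugcheckWindowMinutes = 5)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 41, 1074, 6008, 1001; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $orderly  = @($events | Where-Object { $_.Id -eq 1074 })
    $unclean  = @($events | Where-Object { $_.Id -in 41, 6008 })
    $bugcheck = @($events | Where-Object { $_.Id -eq 1001 })

    $verdicts = @()

    foreach ($e in $orderly) {
        # Orderly branch: the 1074 message names the process, the action and the reason.
        $m = $e.Message
        $who = '(initiator not parsed)'
        if ($m -match 'The process (?<p>.+?) has initiated the (?<a>restart|shutdown|power off)') { $who = "$($Matches.p) -> $($Matches.a)" }
        $why = '(no reason given)'
        if ($m -match 'for the following reason: (?<r>[^\r\n]+)') { $why = $Matches.r.Trim() }
        $verdicts += [pscustomobject]@{ Time = $e.TimeCreated; Verdict = 'Orderly (1074)'; Detail = "$who; $why" }
    }

    foreach ($e in $unclean) {
        # Disorderly branch: a 1001 near the 41/6008 means bluescreen; none means power loss or a hard hang.
        # Window size is this example's choice; both records are written at the next boot.
        $bc = $bugcheck |
            Where-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le $BugcheckWindowMinutes } |
            Select-Object -First 1
        if ($bc) {
            $code = '(see the 1001 message)'
            if ($bc.Message -match 'bugcheck was: (?<c>0x[0-9A-Fa-f]+)') { $code = $Matches.c }
            $verdicts += [pscustomobject]@{ Time = $e.TimeCreated; Verdict = "Bluescreen ($($e.Id) + 1001)"; Detail = "stop code $code; dump analysis time" }
        } else {
            $verdicts += [pscustomobject]@{ Time = $e.TimeCreated; Verdict = "Power loss or hard hang ($($e.Id), no 1001)"; Detail = 'Nothing asked to restart: check thermals, PSU, cable' }
        }
    }

    if (-not $verdicts) { "No 41/1074/6008/1001 events in the last $Hours hours." } else { $verdicts | Sort-Object Time }
}

# Usage: one line per restart, with the culprit named for the orderly ones.
Get-RestartVerdict -Hours 24 | Format-Table -AutoSize -Wrap
```

An orderly restart produces a 1074 and no 41, so the two loops normally describe different incidents; when both appear within minutes of each other, read the 1074 first, since the machine may simply have hung while carrying out a requested restart.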
05 — Reading an Entry Like It's Evidence
Each event's General tab is the human sentence; the Details tab (XML view) is the full record — extra fields like exact paths, SIDs, and addresses live there. Three habits:
- Search the Source + ID together ("Service Control Manager 7034 Spooler") — context changes meaning, and Microsoft's documentation plus a decade of forum archaeology is indexed exactly this way.
- Correlate across logs by timestamp. An Application 1000 crash at 14:32:07 and a System disk 153 at 14:32:05 are one story, not two.
- Pair with Reliability Monitor (type reliability in Start) — it's Event Viewer's greatest hits on a timeline, ideal for spotting when trouble started and what was installed that week; then come back here for the detail.
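The cross-log correlation habit above, done for you, as an added example that is not part of the original article: the function takes every Application 1000 crash and 1002 hang in the window, extracts the faulting application and module from the message, and lists any System disk (7, 153) or service-death (7031, 7034) events that fall within a few seconds of it, so that the 14:32:07 crash and the 14:32:05 disk warning land on one line. The function name, the parameters and the ten-second window are this example's own choices; the "Faulting application name" / "Faulting module name" phrasing it parses is the standard 1000 message text.

```powershell
# Added example (not from the article): line up app crashes with System events seconds away from them.
function Get-CrashNeighbours {
    param([int]$Hours = 24, [int]$WindowSeconds = 10)

    $since = (Get-Date).AddHours(-$Hours)
    # Anchors: Application 1000 (crash) and 1002 (hang).
    $crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1002; StartTime = $since } -ErrorAction SilentlyContinue)
    # Candidates: disk trouble (7, 153) and service deaths (7031, 7034) over the same span.
    $system  = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7, 153, 7031, 7034; StartTime = $since } -ErrorAction SilentlyContinue)

    foreach ($c in $crashes) {
        $m = $c.Message
        # 1002's first line already names the program; 1000 spells out application and module.
        $app = if ($m) { ($m -split "`r?`n")[0] } else { '(no message)' }
        $module = '-'
        if ($m -match 'Faulting application name: (?<a>[^,]+)') { $app = $Matches.a }
        if ($m -match 'Faulting module name: (?<d>[^,]+)')      { $module = $Matches.d }

        # Anything in the System log within +/- $WindowSeconds of the crash is part of the same story.
        $near = $system | Where-Object { [math]::Abs(($_.TimeCreated - $c.TimeCreated).TotalSeconds) -le $WindowSeconds }
        $neighbours = 'none within window'
        if ($near) {
            $neighbours = ($near | ForEach-Object { "$($_.TimeCreated.ToString('HH:mm:ss')) $($_.ProviderName) $($_.Id)" }) -join '; '
        }

        [pscustomobject]@{ Time = $c.TimeCreated; Event = $c.Id; App = $app; FaultingModule = $module; SystemNeighbours = $neighbours }
    }
}

# Usage: a crash whose FaultingModule is a third-party DLL and whose neighbour is a disk 153 tells you
# where to look; a crash with no neighbours is the application's own problem.
Get-CrashNeighbours -Hours 72 -WindowSeconds 10 | Format-Table -AutoSize -Wrap
```

Widen the window with care: at ten seconds a neighbour is almost certainly related, at a minute the boot-time noise the text warns about starts to creep in.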
06 — What Not to Do
- Don't chase every red entry to zero — that's not a state Windows occupies.
- Don't pay anyone who calls "proving" your PC is infected by showing you Event Viewer errors — that's a stock tech-support scam script precisely because every machine has scary-looking logs.
- Don't clear logs to "fix" things — it fixes nothing and burns your evidence (and writes a 1102).
🔒 Bottom line: four logs, a dozen IDs, and the Filter dialog turn Event Viewer from intimidating wallpaper into the machine's sworn testimony. Build the "why did it die" custom view today, and the next unexplained reboot takes ninety seconds to explain — with the culprit named in writing.