Windows 8 Event Viewer

Microsoft Windows 8 Event Viewer

The Windows 8 Event Viewer provides a marvellous interface to investigate critical and error messages in the logs. 

You can examine not only the System and Application logs, but also Hardware Events and records of activity from IE and other programs.

Windows 8 – Event Viewer Topics

• Finding the Windows 8 Event Viewer
• New Features in the Windows 8 Event Viewer
• Strategies for the Window 8 Event Viewer
• Specific Tasks for New Event Viewer
• Windows 8 Security Event Log

 ♦

Finding the Windows 8 Event Viewer

I like to press Winkey +w, because this launches the Search box, and crucially, the focus is on Settings (rather than Apps).

Now type: "ev" you should see ‘View event logs’.

New Features in the Windows 8 Event Viewer

The biggest change Microsoft made to the Event Viewer came between XP and Vista with the introduction of the three pane interface.  Windows 7, and now Windows 8 have merely refined the interface and extended the range of logs that you can interrogate.

Observe the 3 panes: Log List | Event Viewer | Actions

Strategies for the Window 8 Event Viewer

If you just want a quick ‘Health Check’ then start with the central ‘Overview and Summary’ pane, I suggest you work your way through the Critical messages followed by the Error messages.  As the title indicates this is where you will find a list of important events collected from all the computer’s logs, the benefit is that you can work your way through the red dots quickly.

Alternatively, you could focus on the left pane and drill-down through a particular Windows log such as Windows Logs –> Application.  If you want to view the logs on another computer than there is a link on the ‘Actions’ pane.

Additional Event Logs

In amongst the traditional Application, Security and System, are two extra logs, Setup and Forwarded Events.  As you add new programs so the Setup log records events relating to the installation, which can be invaluable in troubleshooting what went wrong. 

The ‘Forwarded Events’ log is used to collect events on other computers, you can specify the details via the Subscriptions menu. (See bottom left of above screenshot).

Guy Recommends:  SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Application and Service Logs

The Windows 8 Event Viewer displays yet more logs, in fact there is a whole new world under ‘Application and Service Logs’.

In this section each application or service can have up to four sub-categories of logs.

Admin: Printers give more than their share of problems, make sure you look in the corresponding Admin log if your printer is not working properly.

Operational:Like the Admin logs, the operational logs are also useful for discovering what happened to faulty print devices, for example, why has a printer disappeared from the network.  See more on troubleshooting your Windows 8 printer problem.

Analytical: To turn on the Analytical (and the Debug) log, focus on the right hand pane, Actions menu, from there click on the word ‘View’ and a tick the box: Show Analytical and Debug Logs.  (See screen shots to the right.)

Debug:  This log is designed for experienced troubleshooters and developers who are trying to debug a particular problem.  Logging in itself causes a load on the processor consequently these intensive logs are disabled by default.  Another reason is that ordinary users maybe confused rather than helped by their output.

Specific New Event Viewer Tasks

My aim in this section is to give you specific examples of what you can achieve with the Windows 8 Event Viewer.

1) Save crucial event filters as custom views that you can reuse
I recommend that you create views of events across multiple logs, for example create a Custom View of all events containing ‘Event Sources: Disk’ in either the System or the Application log.

Custom views for events reinforces techniques you may have learnt in the Windows Explorer Searches, both create virtual folders of just the filtered information that you need.  Incidentally, both use XML to organize their data.

2) Schedule a task to run in response to an event – Integration with Scheduler
a) In the console tree, navigate to the log that contains the event you want to associate with a task.
b) Right-click the event and select Attach Task to This Event.
c) Perform each step presented by the Create Basic Task Wizard.

3) Create and manage event Subscriptions
Firstly, before you create any subscriptions start the Windows Event Collection Service.

The top level tasks are:
a) Configure the computers to collect and forward events.  (See WecUtil and WinRm below)
b) Create a new Subscription and specify the query to collect the events.  (Event Viewer, left window pane, last item.)

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v11.5

SolarWinds’ Orion performance monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

WecUtil and WinRm

Our mission is to enable event Subscription on at least two machines.  On both computers launch a cmd prompt, remember to request elevated, Administrator privileges.  Therefore, before you start, right-click cmd and select, Run as Administrator from the short-cut menu.  At the command prompt type:

Note: if you get an Access denied message, see elevated privileges above.

On the computer which is collecting the events also type at the command prompt:

Get Into Good Habits

In my opinion, the biggest problem with previous Windows event viewers is that when the computer did not do what they want, people, including me, forgot to search the logs for clues.  The bottom line was that XP’s event viewer was not sufficiently eye-catching, interesting or useful to hold a troubleshooter’s attention.  Windows 8 rectifies this fault by developing the event viewer into a console, where it’s easy and enjoyable to discover what is, or is not, going on under the covers of your machine.

As a bonus, by regularly visiting the Event View, you will be alert to problems before they become critical.  For example; disk bad sectors may start in harmless areas, with vigilance, you could take action before critical boot sectors are affected.

Caution:  Don’t be tempted to turn off the Event Viewer, my friend ‘Mad’ Mick was trying to speed up one of his gaming machines by disabling the Windows Event log service.  He swears that the blue screen of death that occured half an hour later was just a coincidence.  I beg to differ.

SolarWinds Firewall Browser

Here is an utility where you can review firewall settings such as access control lists (ACL), or troubleshoot problems with network address translation (NAT).

Other reasons to download this SolarWinds Firewall Browser include managing requests to change your firewall settings, testing firewall rules before you go live, and querying settings with the browser’s powerful search options.

Guy recommends that you download a copy of the SolarWinds free Firewall Browser.

An Alternative to the Event Viewer: PowerShell Get-WinEvent

Here is a simple PowerShell script to enumerate the event logs:

Learning Points

Note 1:  -ListLog *.  This displays a mind-boggling list of logs and not just log entries! Remember, there is a separate parameter called -LogName.

Note 2:  PowerShell helps me to learn more about the Event Viewer, and in turn,  interrogating these logs is a great vehicle to learn more about PowerShell.

PowerShell EventVwr Example

Note 3:  Plan B try a sister cmdlet:
Help Get-EventLog

• See more Get-WinEvent Examples
• How to clean the logs Clear-Eventlog
• See more on Windows 8 Security Log
• See SolarWinds Event Manager

Summary of Windows 8 Event Viewer

The Windows 8 Event Viewer provides 3 panes for you to examine a whole host of logs.  In addition to the System and Application logs, you can see Hardware Events and records of activity from specific installed programs.

Microsoft Windows 8 Configuration Topics

• Windows 8 Run Command  • Windows 8 Virtual Keyboard  • Windows 8 Lock Screen  • Engineers Tookit

• Windows 8 Sound Problems  • Windows 8 Security Event Log  • Windows 8 Experience Index

• Windows 8 Config   • Windows 8 Homegroup  • Windows 8 Event Viewer  • Windows 8 Task Scheduler