ARCHIVED: In Windows 7, Vista, and XP, what is the Event Viewer?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Windows 7, Vista, and XP have the built-in capability to alert users about significant occurrences in the system or in an application. Some critical events, such as a full hard drive or an interruption in the power supply, are immediately noted with an on-screen message. These events, along with less critical events not needing immediate attention, are also recorded in the event log for future reading.

Event logging starts automatically each time you start Windows 7, Vista, or XP. With an event log and an administrative tool called the Event Viewer, you can troubleshoot various hardware and software problems and monitor security events for your computer. You can also archive logs in various file formats.

On this page:

Event Viewer in Windows 7 and Vista

Windows 7 and Vista segregate logs into "Windows Logs" and "Application and Services" logs.

Windows Logs

You can use Windows Logs to store events from legacy applications and to store events that apply to the entire system itself. In Windows 7 and Vista, these logs include five basic types:

  • System log: The system log contains events logged by system components. For example, the system log records when a driver or other system component (like a service) fails to load during startup. The operating system predetermines the type of events that are recorded.
  • Security log: The security log can contain valid and invalid login attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you're using the User Manager for login and logout auditing, the security log records attempts to log into the system. The administrator of the computer chooses what the security log monitors.
  • Application log: The application log contains events logged by applications. For example, a database program might record a file error in the application log. Application developers decide which events to monitor.
  • Setup log: The Setup log contains events related to application setup.
  • ForwardedEvents log: The ForwardedEvents log stores events collected from remote computers.

All users can view the system and application logs, but only system administrators can access the security logs.

Note:
Security of Information Technology Resources (IT-12) requires that you normally refrain from running your Windows computer as an administrator. For more, see About the principle of least privilege.

Application and Services logs

Applications and Services logs are new in Windows 7 and Vista. These logs contain events from single programs or components rather than events that impact the entire system. There are five types of Applications and Services logs:

  • Admin: These logs record problems that directly affect end users and have well-defined solutions.
  • Operational: These logs record events that aren't necessarily problems, but are simply records of occurrences (e.g., when a peripheral such as a printer is installed).
  • Analytic: Analytic logs record problems that Windows notes, but that most users will not be able to solve easily on their own. They tend to record specialized issues with Windows, such as providing debugging information for problems with enabling and using the Encrypted file system, or issues with missing elements of the user interface.
  • Debug: Debug events are records of problems that programmers can use for troubleshooting.
  • Internet Explorer: This application log appears only when Internet Explorer 7 or later is installed; for the majority of users it remains empty and can be ignored.

    However, for administrators and developers who have installed the Microsoft Application Compatibility Toolkit, the Internet Explorer log is necessary. Internet Explorer 7 and later contain many security features not included in previous versions, and some content or web applications will not function as they did previously. With the toolkit installed and Application Compatibility Logging enabled, this log will record events that relate to whether content is displayed or executed in Internet Explorer. Developers or administrators can then diagnose content problems in Internet Explorer. This will allow them to either reconfigure the browser or application, or rewrite problematic code.

In Windows 7 and Vista, events logged in Event Viewer are saved in XML format. Administrators can therefore construct XML queries against information found in Event Viewer, and then parse the output for display in other applications.

To access the Event Viewer in Vista Classic View, from the Control Panel, double-click Administrative Tools, and then select Event Viewer.

Note: If this doesn't match what you see, refer to ARCHIVED: Get around in Windows.

Event Viewer in Windows XP

Windows XP has four basic types of logs in which events are recorded:

  • System log: The system log contains events logged by system components. For example, when a driver or other system component (like a service) fails to load during startup, this is recorded in the system log. The operating system predetermines the type of events kept in the system log.
  • Security log: The security log can contain valid and invalid login attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you are using the User Manager to enable login and logout auditing, attempts to log into the system are recorded in the security log. The administrator of the computer chooses what the security log monitors.
  • Application log: The application log contains events logged by applications. For example, a database program might record a file error in the application log. Application developers decide which events to monitor.
  • Internet Explorer log: This application log only appears when Internet Explorer 7 is installed; for the majority of users it remains empty and can be ignored.

    However, for administrators and developers who have installed the Microsoft Application Compatibility Toolkit, the Internet Explorer log is necessary. Internet Explorer 7 contains many security features not included in previous versions, and some content or web applications will not function as they did previously. With the toolkit installed and Application Compatibility Logging enabled, this log will record events that relate to whether content is displayed or executed in Internet Explorer 7. Developers or administrators can then diagnose content problems in Internet Explorer. This will allow them to either reconfigure the browser or application, or rewrite problematic code.

All users can view the system and application logs. The security logs are accessible only to the system administrators.

Note:
Security of Information Technology Resources (IT-12) requires that you normally refrain from running your Windows computer as an administrator. For more, see About the principle of least privilege.

To access the Event Viewer in Windows XP Classic View, from the Start menu, select Settings, and then Control Panel. Double-click Administrative Tools, and then select Event Viewer.

Note: If this doesn't match what you see, refer to ARCHIVED: Get around in Windows.

This is document aivi in the Knowledge Base.
Last modified on 2018-01-18 13:07:18.