How to open the error log in Windows 7. Event Viewer in Windows Vista

The Windows 7 operating system constantly monitors the various noteworthy events that occur in the system. In Microsoft Windows, an event is any occurrence in the operating system that is logged or that requires notifying users or administrators. This could be a service that fails to start, a device installation, or an application error. Events are logged and stored in the Windows event logs and provide important historical information to help you monitor your system, maintain system security, troubleshoot problems, and perform diagnostics. The information in these logs should be reviewed regularly: monitor the event logs and configure the operating system to save important system events. If you administer Windows servers, you need to monitor their security and the normal operation of applications and services, and also check the servers for errors that can degrade performance. If you are a PC user, make sure that you have access to the logs needed to support your system and troubleshoot errors.

Event Viewer is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs. It is an indispensable tool for monitoring system health and troubleshooting. The Windows service that manages event logging is called "Windows Event Log". While it is running, Windows writes important data to the logs. With Event Viewer you can do the following:

  • View events of specific logs;
  • Apply event filters and save them for later use as custom views;
  • Create event subscriptions and manage them;
  • Assign the execution of specific actions to the occurrence of a specific event.

Launching the Event Viewer

The Event Viewer application can be opened in the following ways:

  • Click the "Start" button to open the menu, open "Control Panel", select "Administrative Tools" from the list of Control Panel components, and select "Event Viewer" from the list of administrative tools;
  • Open the MMC Management Console: click the "Start" button, type mmc in the search field and press "Enter". An empty MMC console opens. From the "Console" menu, select the "Add or Remove Snap-in" command, or use the Ctrl+M keyboard shortcut. In the "Add/Remove Snap-ins" dialog, select the "Event Viewer" snap-in and click the "Add" button. Then click "Finish", and after that "OK";
  • Use the key combination Win+R to open the "Run" dialog. In the "Open" field, enter eventvwr.msc and click "OK".

Event Logs in Windows 7

In the Windows 7 operating system, just like in Windows Vista, there are two categories of event logs: Windows logs and application and service logs. Windows logs are used by the operating system to record system-wide events related to the operation of applications, system components, security and startup. Application and service logs are used by applications and services to record events related to their own operation. You can manage event logs with the Event Viewer snap-in or with the wevtutil command-line tool, which will be discussed in the second part of the article. All log types are described below:

Application - stores important events associated with a specific application. For example, Exchange Server stores events related to mail forwarding, including information store events, mailbox events and running services. The default location is %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Security - stores security-related events such as logon/logoff, privilege use and resource access. The default location is %SystemRoot%\System32\Winevt\Logs\Security.Evtx.

Setup - records events that occur during installation and configuration of the operating system and its components. The default location is %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System - stores events of the operating system or its components, such as failures to start services or initialize drivers, system-wide messages and other messages related to the system as a whole. The default location is %SystemRoot%\System32\Winevt\Logs\System.Evtx.

Forwarded Events - if event forwarding is configured, this log holds events forwarded from other servers. The default location is %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx.

Internet Explorer - records events that occur when configuring and working with the Internet Explorer browser. The default location is %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx.

Windows PowerShell - events related to the use of the PowerShell shell are recorded in this log. The default location is %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.Evtx.

Hardware Events - if hardware event logging is configured, events generated by devices are written to this log. The default location is %SystemRoot%\System32\Winevt\Logs\HardwareEvent.Evtx.
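The following PowerShell script is an added example, not part of the article: it reads the configuration of the Windows logs listed above with Get-WinEvent -ListLog, shows where each one is actually stored, and flags a log whose file has been moved away from the default path or that has been disabled, both of which a defender should notice. It assumes PowerShell 3.0 or later on Windows 7 and an elevated prompt (needed to read the Security log's configuration); the expected paths are the defaults quoted in the article.

```powershell
# Added example (not from the article): inventory the standard Windows logs,
# compare each log's file location with the default and flag anomalies.
# Requires PowerShell 3.0+; run elevated so the Security log can be read.

# Default file locations as given in the article. Real file names use a
# lower-case ".evtx"; the comparison below is case-insensitive anyway.
$expected = @{
    'Application'        = '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
    'Security'           = '%SystemRoot%\System32\Winevt\Logs\Security.evtx'
    'Setup'              = '%SystemRoot%\System32\Winevt\Logs\Setup.evtx'
    'System'             = '%SystemRoot%\System32\Winevt\Logs\System.evtx'
    'ForwardedEvents'    = '%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx'
    'Windows PowerShell' = '%SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx'
}

function Get-LogInventory {
    foreach ($name in $expected.Keys) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            Write-Warning "Log '$name' is not registered on this machine"
            continue
        }
        # LogFilePath comes back with %SystemRoot% unexpanded; expand both sides
        $actual  = [Environment]::ExpandEnvironmentVariables($cfg.LogFilePath)
        $default = [Environment]::ExpandEnvironmentVariables($expected[$name])

        [pscustomobject]@{
            Log       = $cfg.LogName
            Enabled   = $cfg.IsEnabled
            File      = $actual
            Relocated = ($actual -ne $default)      # a moved log file deserves a look
            Records   = $cfg.RecordCount
            MaxSizeKB = [int]($cfg.MaximumSizeInBytes / 1KB)
            Retention = $cfg.LogMode                # Circular, AutoBackup or Retain
        }
    }
}

Get-LogInventory | Sort-Object Log | Format-Table -AutoSize

# Anything disabled or relocated is worth investigating before trusting the logs
Get-LogInventory | Where-Object { -not $_.Enabled -or $_.Relocated }
```

The Retention column corresponds to the three retention policies the snap-in offers on a log's Properties page: Circular is "overwrite as needed", AutoBackup is "archive when full", Retain is "do not overwrite".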

In Windows 7, as in Windows Vista, the event logging infrastructure is based on XML. The data for each event follows an XML schema, so you can view the XML of any event. In addition, you can write XML-based queries to retrieve data from the logs. No knowledge of XML is required to use these features: the Event Viewer snap-in provides a simple graphical interface for them.

Event Properties

An event shown in the Event Viewer snap-in has several properties, which are detailed below:

Source - the program that logged the event. This can be the name of a program (for example, "Exchange Server") or the name of a system component or a component of a large application (for example, the name of a driver). "Elnkii", for instance, means the EtherLink II driver.

Event ID - a number that identifies a particular type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the event ID logged when the event logging service starts, so the description of this event begins with the line "Event log service started". The event ID and the source name can be used by the software product's support team for troubleshooting.

Level - the importance of the event. In the system and application logs, events can have the following severity levels:

  • Information - denotes a change in an application or component, such as an informational event associated with a successful action, the creation of a resource, or the start of a service;
  • Warning - indicates a general warning about a problem that could affect the service or lead to a more serious problem if left unattended;
  • Error - indicates that a problem has occurred that may affect functions external to the application or component that raised the event;
  • Critical - indicates that a failure has occurred from which the application or component that raised the event cannot recover automatically;
  • Success audit - successful completion of an activity that you track through auditing, such as the use of a privilege;
  • Failure audit - failure of an activity that you track through auditing, such as a failed logon.

User - the user account on whose behalf the event occurred. Users include built-in identities such as Local Service, Network Service and Anonymous Logon, as well as real user accounts. The name is the client ID if the event was raised by a server process impersonating a client, or the primary ID if no impersonation is in progress. In some cases a security log entry contains both identifiers. The field can also show N/A if no account applies to the situation. Impersonation occurs when the server allows one process to take on the security attributes of another process.

Opcode - a numeric value that identifies the operation, or the point within the operation, that was in progress when the event was raised; for example, initialization or closing.

Log - the name of the log in which the event was recorded.

Task category - the category of the event, sometimes used to further describe the action. Each event source has its own categories; for example, the security log uses categories such as Logon/Logoff, Privilege Use, Policy Change and Account Management.

Keywords - a set of categories or labels that can be used to filter or search for events, for example "Network", "Security" or "Resource not found".

Computer - the name of the computer on which the event occurred. This is usually the name of the local computer, but it can also be the name of the computer that forwarded the event, or the former name of the local computer if it has since been renamed.

Date and time - the date and time at which the event was logged.

Process ID - the identification number of the process that generated the event. A program is only a passive set of instructions; a process is the execution of those instructions.

Thread ID - the identification number of the thread that created the event. A process can consist of several threads running "in parallel", that is, without a prescribed order in time; for some tasks this separation makes more efficient use of computer resources.

Processor ID - the identification number of the processor that processed the event.

Session ID - the identification number of the terminal server session in which the event occurred.

Kernel time - the time spent executing kernel-mode instructions, in units of CPU time. Kernel mode has unrestricted access to system memory and external devices. The NT kernel is described as a hybrid kernel or a macrokernel.

User time - the time spent executing user-mode instructions, in units of CPU time. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver via the I/O manager.

Processor time - the time spent executing user-mode instructions, in CPU ticks.

Correlation ID - identifies the activity in the process for which the event is used. This ID is used to express simple relationships between events. (In statistics, correlation is a relationship between two or more random variables, or values that can be treated as such with acceptable accuracy, in which a change in one or more of the quantities leads to a systematic change in the others.)

Relative Correlation ID - identifies a related activity in the process for which the event is used.
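As an added example (not from the article), the script below fetches one real event, the 6005 "Event log service started" record mentioned above, and prints it using the property names the Event Viewer details pane uses, so the mapping between the snap-in's labels and Get-WinEvent's property names is visible. It assumes the System log holds at least one 6005 event from the EventLog source (true after any reboot) and PowerShell 3.0 or later.

```powershell
# Added example (not from the article): show an event's properties under the
# names the Event Viewer details pane uses. Requires PowerShell 3.0+.

function Show-EventProperties {
    param(
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record
    )

    # UserId is a SID; resolve it to an account name, or show N/A like the UI does
    $user = 'N/A'
    if ($Record.UserId) {
        try   { $user = $Record.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $Record.UserId.Value }
    }

    [pscustomobject][ordered]@{
        'Source'                  = $Record.ProviderName
        'Event ID'                = $Record.Id
        'Level'                   = $Record.LevelDisplayName
        'User'                    = $user
        'Opcode'                  = $Record.OpcodeDisplayName
        'Log'                     = $Record.LogName
        'Task Category'           = $Record.TaskDisplayName
        'Keywords'                = ($Record.KeywordsDisplayNames -join ', ')
        'Computer'                = $Record.MachineName
        'Date and Time'           = $Record.TimeCreated
        'Process ID'              = $Record.ProcessId
        'Thread ID'               = $Record.ThreadId
        'Correlation ID'          = $Record.ActivityId
        'Relative Correlation ID' = $Record.RelatedActivityId
        'Description'             = $Record.Message
    }
}

# The newest "Event log service started" record in the System log
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 } -MaxEvents 1

Show-EventProperties -Record $ev | Format-List

# Every event is also available as XML; this is what the Details tab shows in
# its XML view and what XML-based queries are written against
$ev.ToXml()
```

Reading several 6005 records in a row (drop -MaxEvents and add a date filter) gives a quick timeline of when the logging service itself was restarted, which is useful when checking whether there are gaps in the logs.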

Working with event logs

Event Viewer

The following screenshot shows the "Application" log, with information about events, recently viewed nodes and available actions. To view Application log events, follow these steps:

  1. In the console tree, select "Windows Logs";
  2. Select the "Application" log.

It is advisable to review the "Application" and "System" event logs frequently and to study existing problems and warnings that may portend problems in the future. When a log is selected, the middle pane displays the available events, including the date and time of each event, its source, the event level and more.

The "Preview pane" shows basic event data on the "General" tab and additional, more specific data on the "Details" tab. You can turn this pane on and off by selecting the "View" menu and then the "Preview pane" command.

For critical systems, it is recommended to keep logs for the last few months. Giving the logs a size large enough to hold all of that information is usually inconvenient, so the problem is normally solved another way: you can export logs to files in a folder of your choice. To save the selected log, do the following:

  1. In the console tree, select the event log you want to save;
  2. Select the "Save events as" command from the "Action" menu, or from the log's context menu select "Save all events as";
  3. In the "Save as" dialog that appears, select the folder where the file should be saved. If you want to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the action bar. In the "File type" field, select the desired format from those available: event files (*.evtx), XML file (*.xml), tab-separated text (*.txt) or comma-separated CSV (*.csv). In the "File name" field, enter a name and click "Save". To cancel saving, click "Cancel";
  4. If the event log is not intended to be viewed on another computer, leave the default "Do not display details" option in the "Display Details" dialog; if the log is intended to be viewed on another computer, choose the "Display information for the following languages" option in that dialog and click "OK".

Clearing the event log

Sometimes it is necessary to clear full event logs so that operating system warnings and critical errors can be analysed effectively. To clear the selected log, do the following:

  1. In the console tree, select the event log you want to clear;
  2. Clear the log in one of the following ways:
    • On the menu "Action" select a team "Clear Log";
    • On the selected log, right-click to open the context menu. In the context menu, select the command "Clear Log";
  3. Next, you can either clear the log or archive it if this has not been done before:
    • To clear the event log without saving, click the button "Clear";
    • To clear the event log after saving it, click the "Save and Clear" button. In the "Save as" dialog that appears, select the folder where the file should be saved. If you want to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the action bar. In the "File name" field, enter a name and click "Save". To cancel saving, click "Cancel".
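The script below is an added example (not from the article) of the "Save and Clear" procedure done from the command line with wevtutil, the tool the article names as the alternative to the snap-in. It exports the log to a dated .evtx file, proves the archive can be read back, records the archive's SHA-256 hash in a manifest, and only then, when -Clear is given, clears the live log. The archive folder C:\EventLogArchive is an assumed location; the script requires an elevated prompt and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not from the article): export a log to .evtx, verify the
# archive, record its hash, then optionally clear the live log.
# Requires PowerShell 4.0+ and an elevated prompt.

function Backup-AndClearEventLog {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$ArchiveDir = 'C:\EventLogArchive',   # assumed location, change to suit
        [switch]$Clear                                # without -Clear only the export runs
    )
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safe    = $LogName -replace '[\\/]', '-'        # channel names can contain "/"
    $archive = Join-Path $ArchiveDir "$env:COMPUTERNAME-$safe-$stamp.evtx"
    $live    = (Get-WinEvent -ListLog $LogName -ErrorAction Stop).RecordCount

    # epl = export log to an .evtx file; the live log is left untouched
    wevtutil epl $LogName $archive
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for $LogName" }

    # Prove the archive opens before anything is cleared (an empty log has nothing to read)
    if ($live -gt 0) {
        $first = Get-WinEvent -Path $archive -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        if (-not $first) { throw "archive $archive is not readable; $LogName was not cleared" }
    }

    # Record the hash so the archive can later be checked for tampering
    $hash = (Get-FileHash -Algorithm SHA256 -Path $archive).Hash
    Add-Content -Path (Join-Path $ArchiveDir 'manifest.txt') `
                -Value "$stamp`t$LogName`t$live`t$hash`t$archive"

    if ($Clear) {
        # cl = clear log; this is what the snap-in's "Clear" button does
        wevtutil cl $LogName
        if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed for $LogName" }
    }

    [pscustomobject]@{
        Log     = $LogName
        Records = $live
        Archive = $archive
        SHA256  = $hash
        Cleared = [bool]$Clear
    }
}

# Export only (safe to run at any time); add -Clear to reproduce "Save and Clear"
Backup-AndClearEventLog -LogName Application
```

Events written between the export and the clear are lost, exactly as with the snap-in's "Save and Clear" button, so run this during a quiet period. Clearing is itself recorded: the Security log receives event 1102 ("The audit log was cleared") and the System log receives event 104 when another log is cleared, so an unexpected 1102 or 104 in the archives is a signal worth following up.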

Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default, the maximum size of these files is limited, but you can change it in the following way:

  1. In the console tree, select the event log, then select the "Properties" command from the "Action" menu;
  2. In the "Maximum log size (KB)" field, set the required value using the spinner or type it manually. The value is rounded up to the nearest multiple of 64 KB, because the log file size must be a multiple of 64 KB and cannot be less than 1024 KB.

Events are stored in a log file, which can only grow up to a specified maximum size. After the file reaches the maximum size, the processing of incoming events will be determined by the log retention policy. The following log retention policies are available:

Overwrite events as needed (oldest events first) - in this case, new entries continue to be written after the log is full; each new event replaces the oldest one in the log;

Archive the log when full, do not overwrite events - in this case, the log file is automatically archived when it fills up; old events are not overwritten.

Do not overwrite events (clear log manually) - in this case, the log must be cleared manually; it is not cleared automatically.

To select the desired log retention policy, follow these steps:

  1. In the console tree, select the event log whose retention policy you want to set;
  2. Select the "Properties" command from the "Action" menu or from the context menu of the selected log;
  3. On the "General" tab, in the "When maximum event log size is reached" section, select the required option and click "OK".
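The function below is an added example (not from the article) that applies the maximum size and retention policy described in the two procedures above from the command line with wevtutil. It rounds the requested size up to a multiple of 64 KB with a floor of 1024 KB, as the article says the snap-in does, maps the three retention options onto wevtutil's /rt and /ab flags, and reads the result back. It assumes an elevated prompt and PowerShell 3.0 or later; without -Apply it only prints the command it would run.

```powershell
# Added example (not from the article): set a log's maximum size and
# retention policy with wevtutil and read the configuration back.
# Requires PowerShell 3.0+ and an elevated prompt.

function Set-EventLogSizeAndRetention {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$MaxSizeKB,
        [ValidateSet('OverwriteAsNeeded', 'ArchiveWhenFull', 'DoNotOverwrite')]
        [string]$Retention = 'OverwriteAsNeeded',
        [switch]$Apply      # without -Apply the command is shown, not run
    )

    # Round up to the next 64 KB boundary, minimum 1024 KB (the snap-in's rules)
    $kb    = [math]::Max(1024, [math]::Ceiling($MaxSizeKB / 64) * 64)
    $bytes = [long]$kb * 1KB    # wevtutil /ms takes bytes

    # The snap-in's three options correspond to two wevtutil flags:
    #   /rt = retain events when full, /ab = auto-backup (archive) when full
    $flags = switch ($Retention) {
        'OverwriteAsNeeded' { '/rt:false', '/ab:false' }
        'ArchiveWhenFull'   { '/rt:true',  '/ab:true'  }
        'DoNotOverwrite'    { '/rt:true',  '/ab:false' }
    }
    $wevtArgs = @('sl', $LogName, "/ms:$bytes") + $flags
    $command  = "wevtutil $($wevtArgs -join ' ')"

    if (-not $Apply) { return $command }

    & wevtutil @wevtArgs
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for $LogName" }

    # Read back what the Event Log service now reports for this log
    Get-WinEvent -ListLog $LogName |
        Select-Object LogName,
            @{ n = 'MaxSizeKB'; e = { $_.MaximumSizeInBytes / 1KB } },
            LogMode      # Circular, Retain or AutoBackup
}

# 65000 KB is not a multiple of 64, so this becomes 65024 KB; shown only, not applied
Set-EventLogSizeAndRetention -LogName System -MaxSizeKB 65000 -Retention OverwriteAsNeeded
```

For the Security log in particular, a size that is too small combined with "overwrite as needed" means the events you need during an incident may already be gone; "archive when full" with a monitored archive folder keeps them at the cost of disk space.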

Enable analytic and debug logging

Analytic and debug logs are disabled by default. Once enabled, they quickly fill with a large number of events. For this reason it is best to enable these logs only for a limited period, to collect the data needed for troubleshooting, and then disable them again. The logs can be enabled as follows:

  1. In the console tree, find and select the analytic or debug log you want to enable;
  2. Select the "Properties" command from the "Action" menu or from the context menu of the selected log;
  3. On the "General" tab, check the "Enable logging" box.
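As an added example (not from the article), the script below does the time-limited capture recommended above from the command line: it lists the analytic and debug logs available on the machine, then enables a chosen log with wevtutil, waits for the reproduction window, disables the log again even if the script is interrupted, and reads what was captured. The log name passed to the function is a placeholder to be chosen from the printed list; an elevated prompt and PowerShell 3.0 or later are assumed.

```powershell
# Added example (not from the article): enable an analytic or debug log for a
# bounded window, disable it again and read the captured events.
# Requires PowerShell 3.0+ and an elevated prompt.

# Analytic and debug logs are hidden from Get-WinEvent -ListLog unless -Force is given
function Get-AnalyticAndDebugLogs {
    Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LogType -eq 'Analytical' -or $_.LogType -eq 'Debug' } |
        Select-Object LogName, LogType, IsEnabled, RecordCount |
        Sort-Object LogName
}

function Invoke-TimedAnalyticCapture {
    param(
        [Parameter(Mandatory)][string]$LogName,   # placeholder: pick one from the list above
        [int]$Seconds = 60
    )
    # /e:true enables the log; /q:true suppresses wevtutil's interactive confirmation
    wevtutil sl $LogName /e:true /q:true
    if ($LASTEXITCODE -ne 0) { throw "could not enable $LogName" }

    try {
        # Reproduce the problem during this window
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Always disable again, even on Ctrl+C: these logs grow fast
        wevtutil sl $LogName /e:false /q:true
    }

    # Analytic/debug logs are .etl files and must be read oldest-first
    Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

Get-AnalyticAndDebugLogs | Format-Table -AutoSize

# Example call with a placeholder log name; replace it with one from the list
# Invoke-TimedAnalyticCapture -LogName '<Provider>/Analytic' -Seconds 120
```

The try/finally is the important part: the article's advice to enable these logs only briefly is easy to forget once the problem is reproduced, and an analytic log left enabled on a busy system can consume disk quickly.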

Opening and closing a saved log

With the Event Viewer snap-in you can open and view previously saved logs. You can open several saved logs at the same time and access them at any time in the console tree. A log opened in Event Viewer can be closed without deleting the information it contains. To open a saved log, do the following:

  1. Select the "Open saved log" command from the "Action" menu or from the context menu in the console tree;
  2. In the "Open saved log" dialog box, navigate the directory tree to the folder containing the desired file. By default, all event log files are displayed in the dialog box; you can also select which file types to display. The available types are: event log files (*.evtx, *.evt, *.etl), event files (*.evtx), legacy event files (*.evt) and trace log files (*.etl). Once the desired log file is found, click it to place its name in the file name field and click the "Open" button;
  3. In the "Open saved log" dialog, in the "Name" field, enter a new name to be used for the log in the console tree. It is only used to represent the log in the console tree; the log file name is not changed. You can also keep the existing log file name. In the "Description" field, enter a description for the log. It is displayed in the center pane when the parent log folder is selected in the console tree;
  4. To create a folder in which the saved log will be placed, click the "Create folder" button. In the "Name" field, enter the name of the folder where the opened log will be placed, then click "OK". If no parent folder is selected, the new folder is created in the "Saved Logs" folder;
  5. To make the opened event log inaccessible to other users of the computer, clear the "All users" checkbox. If this checkbox is left selected, the opened log is available to all users, but administrator rights are required to remove it from the console tree;
  6. To open the log, click the "OK" button.

To remove an open log from the event tree, do the following:

  1. In the console tree, select the log you want to remove;
  2. Select the "Delete" command from the "Action" menu or from the context menu of the selected log;
  3. In the Event Viewer confirmation dialog, click the "Yes" button.

Conclusion

This part of the Event Viewer snap-in article introduces the snap-in itself and details the basic operations involved in monitoring and maintaining your system using the Event Viewer. The next part of the article will be designed for experienced Windows users. It will cover tasks with custom views, filtering, grouping/sorting events, and managing subscriptions.

The Windows OS line registers all the main events that occur in the system, followed by their entry in the log. Errors, warnings and just various notifications are recorded. Based on these records, an experienced user can correct the operation of the system and eliminate errors. Let's learn how to open the event log in Windows 7.

The event log is viewed with a system tool called Event Viewer. Let's look at the various ways to get to it.

Method 1: "Control Panel"

One of the most common ways to launch the tool described in this article, although far from the easiest and most convenient, is through "Control Panel".


Method 2: Run Tool

It is much easier to initiate the activation of the described tool using the tool "Run".


The main disadvantage of this quick and convenient method is the need to remember the command.

Method 3: Start Menu Search Box

A very similar way to call the tool is through the "Start" menu search field.


Method 4: "Command line"

Calling the tool from the "Command line" is rather inconvenient, but the method exists and therefore deserves a separate mention. First we need to open the "Command line" window.


Method 5: Direct start of the eventvwr.exe file

You can also use the "exotic" option of launching the file directly from "Explorer". This can be useful in practice, for example if failures have reached such a scale that the other ways of running the tool are simply unavailable. This is extremely rare, but quite possible.

First of all, you need to navigate to the location of the eventvwr.exe file. It is located in the system directory at the following path:

C:\Windows\System32


Method 6: Entering the file path in the address bar

With "Explorer" we can open the window we are interested in even faster. In this case you do not even have to look for eventvwr.exe in the "System32" directory: just type the path to the file in the "Explorer" address bar.


Method 7: Create a shortcut

If you do not want to remember commands, find navigating the "Control Panel" sections too inconvenient, and at the same time use the log often, you can create a shortcut on the "Desktop" or in another place convenient for you. Launching Event Viewer then becomes as simple as possible, with nothing to remember.


Problems opening the log

There are cases where the log cannot be opened in the ways described above. Most often this is because the service responsible for this tool has been disabled. When you try to run Event Viewer, a message states that the event log service is unavailable. You then need to start it.

  1. First of all, you need to go to "Service Manager". This can be done from the "Control Panel" section called "Administrative Tools". How to get there was described in detail in Method 1. Once in this section, look for the "Services" item and click on it.

    You can also reach "Service Manager" with the "Run" tool. Open it with Win+R. Type in the input field:

    Click OK.

  2. Regardless of whether you went through "Control Panel" or entered the command in the "Run" tool, "Service Manager" starts. Look for the "Windows Event Log" item in the list. To make the search easier, you can sort all objects in the list alphabetically by clicking on the "Name" column heading. Once the row is found, look at the value in the "Status" column. If the service is running, it should say "Started". If it is empty, the service is stopped. Also look at the value in the "Startup Type" column. Normally it should say "Automatic". If it says "Disabled", the service is not started at system startup.
  3. To fix this, open the service's properties by double-clicking its name.
  4. A window opens. Click on the "Startup Type" field.
  5. Select "Automatic" from the drop-down list.
  6. Click "Apply" and then "OK".
  7. Back in "Service Manager", select "Windows Event Log". In the left pane, click the "Start" link.
  8. The service starts. Its "Status" column now shows "Started" and its "Startup Type" column shows "Automatic". The log can now be opened in any of the ways described above.
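The function below is an added example (not from the article) of the same service check done from an elevated PowerShell prompt: it reads the state and startup type of the Windows Event Log service, reports whether they match the expected "Started"/"Automatic", and with -Fix sets the startup type to Automatic and starts the service, in that order, because a disabled service cannot be started until its startup type is changed. It assumes PowerShell 3.0 or later (for Get-CimInstance).

```powershell
# Added example (not from the article): check, and optionally repair, the
# Windows Event Log service. Requires PowerShell 3.0+ and an elevated prompt.

function Get-EventLogServiceState {
    # Win32_Service exposes both the running state and the startup type
    $svc = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
    if (-not $svc) { throw 'The Windows Event Log service is not registered on this machine' }
    [pscustomobject]@{
        DisplayName = $svc.DisplayName
        State       = $svc.State        # Running / Stopped
        StartMode   = $svc.StartMode    # Auto / Manual / Disabled
        Healthy     = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

function Repair-EventLogService {
    param([switch]$Fix)   # without -Fix the function only reports

    $before = Get-EventLogServiceState
    if ($before.Healthy -or -not $Fix) { return $before }

    # Startup type first: Start-Service fails on a Disabled service
    if ($before.StartMode -ne 'Auto') {
        Set-Service -Name EventLog -StartupType Automatic
    }
    if ($before.State -ne 'Running') {
        Start-Service -Name EventLog
    }

    # Re-read and return the post-repair state
    Get-EventLogServiceState
}

# Report only; add -Fix to apply the steps described in the article
Repair-EventLogService
```

A stopped or disabled Event Log service is not only an inconvenience for opening the viewer: nothing is being recorded while it is down, so after restarting it, check the System log for the gap and for who changed the service configuration.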

There are quite a few ways to open the event log in Windows 7. The most convenient and popular are going through "Control Panel", using the "Run" tool or the "Start" menu search field. For quick access to the log you can create a shortcut on the "Desktop". Sometimes there are problems starting the Event Viewer window; then you need to check whether the corresponding service is running.

Windows 7 and Windows 10 constantly monitor the system for unusual or noteworthy situations, such as a service that does not start, a device installation, or an application error. All these situations are called events and are recorded in several different logs.

For example, the Application log stores events related to the operation of applications, both Windows' own programs and third-party applications, while the System log stores events generated by the Windows 7 or 10 system itself and by components such as device drivers and system services.

How to open the windows event log

To open the event log in Windows, click the Start button, type event viewer in the search field and press <Enter>. The figure below shows the snap-in's home page, with the Windows event logs, a list of recently viewed nodes and the available actions.

Viewing the Windows Event Log

The panel on the right offers three sections: Custom Views, Windows Logs, and Applications and Services Logs.

The Custom Views section lists all of the custom views defined on the current system (discussed in more detail a little later). If you filter one of the event logs or create a new event view, the new view is saved in this section.

The Windows Logs section displays several subsections, four of which represent the main logs maintained by the system itself.

The Application and System event logs should be checked regularly for early identification of existing problems and of warnings that problems may appear in the future. The Security log is not part of the daily maintenance routine; look into it only if you suspect that the computer's security has been violated, for example to find out who is logging on to the system.

Device driver errors are logged in the System log, but Windows 7 offers other tools that make it easier to investigate device problems. For example, Device Manager displays an icon for devices that are having problems and lets you read a description of the problem by opening the device's property sheet. There is also the System Information utility (Msinfo32.exe), which lists hardware problems under System Information > Hardware Resources > Conflicts/Sharing and System Information > Components > Problem Devices.

When you select a log, a list of all events in that log appears in the central pane, along with the date and time each event occurred, its source, its type (Information, Warning or Error), and other similar information. The following are the major interface changes and new functionality that have been added to the Windows Event Viewer snap-in.

  • In the Preview pane, basic event data is now displayed on the General tab, while additional, more specific data is displayed on the Details tab. This pane can be toggled on and off by selecting Preview pane from the View menu.
  • Event data is now stored in XML format. You can view an event's XML by selecting the XML View radio button on the Details tab inside the Preview pane.
  • The Filter command now allows you to write queries in XML format.
  • Clicking the Create custom view link now allows you to create a new view based on a particular event log, event type, event ID, and so on.
  • You can now bind tasks to events: click the event of interest, then the Attach task to this event link, and use the wizard to create the desired task, which either runs a program or script or sends an e-mail each time this event occurs.
  • Favorite events can now be saved as an Event File (.elf) file.
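As an added example (not from the article), the script below shows the XML query form that the Filter dialog produces, which both the discussion of XML-based queries earlier on this page and the Filter and Details bullets above refer to. The query selects Critical (Level 1) and Error (Level 2) events from the System and Application logs in the last 24 hours, runs it with Get-WinEvent -FilterXml, and summarises the hits by log, source and event ID. The same XML can be pasted into the XML tab of the Filter dialog and saved as a custom view. It assumes PowerShell 3.0 or later; the Security log is deliberately not included so the query also works from a non-elevated prompt.

```powershell
# Added example (not from the article): run an Event Viewer-style XML query
# from PowerShell and summarise the results. Requires PowerShell 3.0+.

# Same structure as the Filter dialog's XML tab. timediff() is in milliseconds,
# so 86400000 is the last 24 hours; "<" must be written as &lt; inside XML.
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <Select Path="Application">
      *[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

function Get-RecentErrorSummary {
    param([string]$QueryXml = $query)

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty
    $events = Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events |
        Group-Object LogName, ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Log';    e = { $_.Group[0].LogName } },
            @{ n = 'Source'; e = { $_.Group[0].ProviderName } },
            @{ n = 'Id';     e = { $_.Group[0].Id } },
            @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } }
}

$summary = Get-RecentErrorSummary
if ($summary.Count -eq 0) {
    'No Critical or Error events in the System or Application logs in the last 24 hours'
} else {
    $summary | Format-Table -AutoSize
}
```

Grouping by source and ID turns a long list into the handful of distinct problems that actually need attention, which is the same reason the article recommends custom views over scrolling the raw log.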


The Applications and Services Logs section lists programs, features, and services that support the standard event logging format, which is new in Windows 7. Previously, logs for all items in this section were stored in separate text files that could not be accessed in older versions of the Event Viewer snap-in other than by specifically opening the log file.

This could be a service that doesn't want to start, a device installation, or an application error. Events are logged and stored in the Windows event logs and provide important historical information to help you monitor your system, maintain system security, troubleshoot problems, and perform diagnostics. The information contained in these logs should be reviewed regularly. You should regularly monitor the event logs and configure the operating system to save important system events. In the event that you are a Windows server administrator, then you need to monitor the security of their systems, the normal operation of applications and services, and also check the server for errors that can degrade performance. If you are a PC user, you should make sure that you have access to the appropriate logs needed to support your system and troubleshoot errors.

Event Viewer is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs. It is an indispensable tool for monitoring system health and troubleshooting. The Windows service that manages event logging is called "Event Log". In the event that it is running, Windows writes important data to the logs. With Event Viewer, you can do the following:

View events of specific logs;
Apply event filters and save them for later use as custom views;
Create event subscriptions and manage them;
Assign the execution of specific actions to the occurrence of a specific event.

Launching the Event Viewer

The Event Viewer application can be opened in the following ways:
Click on the "Start" button to open the menu, open the "Control Panel", select "Administrative Tools" from the list of control panel components and select "Event Viewer" from the list of administrative components;
Open the "MMC Management Console". To do this, click on the "Start" button, type mmc in the search field, and then press the "Enter" button. An empty MMC console will open. From the Console menu, select the Add or Remove Snap-in command, or use the Ctrl+M keyboard shortcut. In the "Add/Remove Snap-Ins" dialog, select the "Event Viewer" snap-in and click the "Add" button. Then click on the "Finish" button, and after that - the "OK" button;
Use the key combination WIN + R to open the "Run" dialog. In the "Run" dialog box, in the "Open" field, enter eventvwr.msc and click on the "OK" button; to the taskbar and see this log.

Event Logs in Windows 7

In the Windows 7 operating system, as well as in Windows Vista, there are two categories of event logs: Windows logs and application and service logs. Windows logs - used by the operating system to log system-wide events related to the operation of applications, system components, security, and startup. And application and service logs are used by applications and services to log events related to their operation. You can use the Event Viewer snap-in or the wevtutil command-line tool, which I'll cover in Part 2 of this article, to manage event logs. All log types are described below:
Application - stores important events related to a specific application. For example, Exchange Server stores events related to mail forwarding, including information store events, mailbox events, and running services. The default location is %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Security - stores security-related events such as logon/logoff, privilege use, and resource access. The default location is %SystemRoot%\System32\Winevt\Logs\Security.Evtx.

Setup - records events that occur during the installation and configuration of the operating system and its components. The default location is %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System - stores events of the operating system or its components, such as failures to start services or initialize drivers, system-wide messages, and other messages related to the system as a whole. The default location is %SystemRoot%\System32\Winevt\Logs\System.Evtx.

Forwarded Events - if event forwarding is configured, this log holds events forwarded from other servers. The default location is %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx.

Internet Explorer - records events that occur while configuring and using the Internet Explorer browser. The default location is %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx.

Windows PowerShell - records events related to the use of the PowerShell shell. The default location is %SystemRoot%\System32\Winevt\Logs\WindowsPowerShell.Evtx.

Hardware Events - if hardware event logging is configured, events generated by devices are written to this log. The default location is %SystemRoot%\System32\Winevt\Logs\HardwareEvent.Evtx.
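The same inventory from the command line, as an added example that is not part of the original article: it asks the event log service for each log's registered configuration and checks that the backing file is where the descriptions above say. The log names are the registered names as I know them (HardwareEvents and the two names containing a space are assumptions; a name that is not registered is reported rather than failing the run), and the script assumes PowerShell 3 or later and an elevated prompt, since the Security log's metadata is not readable otherwise.

```powershell
# Added example (not from the article): enumerate the Windows logs described above and
# confirm that each one's backing file exists where the description says.
function Get-WindowsLogSummary {
    param(
        # Registered log names (assumed; an unknown name is reported, not fatal)
        [string[]] $Names = @('Application', 'Security', 'Setup', 'System',
                              'ForwardedEvents', 'Internet Explorer',
                              'Windows PowerShell', 'HardwareEvents')
    )
    foreach ($name in $Names) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            Write-Warning "Log '$name' is not registered on this computer"
            continue
        }
        # LogFilePath is stored with %SystemRoot% unexpanded, exactly as listed above
        $path = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
        [pscustomobject]@{
            Log        = $log.LogName
            Records    = $log.RecordCount
            MaxSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            Mode       = $log.LogMode      # Circular, AutoBackup or Retain
            Enabled    = $log.IsEnabled
            File       = $path
            FileExists = Test-Path -LiteralPath $path
        }
    }
}

Get-WindowsLogSummary | Format-Table -AutoSize
```

Mode is the retention policy discussed later in the article (Circular corresponds to "overwrite events as needed", AutoBackup to "archive the log when full", Retain to "do not overwrite events"), so the table also shows at a glance which logs could silently lose old events.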

In Windows 7, the event logging infrastructure is XML-based, as in Windows Vista. The data for each event follows an XML schema, allowing you to access the XML code for any event. In addition, you can create XML-based queries to retrieve data from logs. No knowledge of XML is required to use these new features. The Event Viewer snap-in provides a simple graphical interface for accessing these features.
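An added example, not part of the original article, of the XML-based querying the paragraph above describes: the XML below is the same form that Event Viewer stores for a custom view (it can be pasted into the XML tab of Create Custom View), and Get-WinEvent runs it directly. It selects failed logons (Event ID 4625) and "the audit log was cleared" events (Event ID 1102) from the last 24 hours of the Security log, the two things a defender most wants to see first; the field names TargetUserName, WorkstationName, IpAddress, LogonType and Status are the standard EventData fields of 4625. Reading the Security log requires an elevated prompt, and the script assumes PowerShell 3 or later.

```powershell
# Added example (not from the article): an Event Viewer custom-view XML query run from
# PowerShell. timediff() is in milliseconds; 86400000 ms = 24 hours.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625 or EventID=1102) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

function Get-RecentSecurityEvents {
    # "No events were found" is reported by Get-WinEvent as an error; treat it as empty
    @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue)
}

function Get-SecurityEventSummary {
    # One row per event ID: how many, and when the most recent one was logged
    Get-RecentSecurityEvents | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{ EventId = [int]$_.Name; Count = $_.Count; Latest = $latest.TimeCreated }
    }
}

function Get-FailedLogonDetails {
    # For 4625 the useful fields live in <EventData>, one <Data Name="..."> element each
    foreach ($e in Get-RecentSecurityEvents) {
        if ($e.Id -ne 4625) { continue }
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']
            Status      = $data['Status']
        }
    }
}

Get-SecurityEventSummary | Format-Table -AutoSize
Get-FailedLogonDetails   | Format-Table -AutoSize
```

The XPath runs inside the event log service, so only matching records are returned to the session; for a large Security log that is the difference between a query that finishes in seconds and one that reads every record into PowerShell.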

Event Properties

Every event has a number of properties, which Event Viewer displays and which are described in detail below:
The source is the program that logged the event. This can be either the name of a program (for example, "Exchange Server") or the name of a system or large application component (for example, the name of a driver). For example, "Elnkii" means the EtherLink II driver.

Event ID is a number that identifies a particular type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the event ID logged when the event logging service starts, so the description of this event begins with the line "The Event log service was started". The event ID together with the source name is what a software product's support team uses for troubleshooting.

Level is the importance of the event. In the System and Application logs, events can have the following levels:

Information - denotes a change in an application or component, such as an informational event associated with a successful action, the creation of a resource, or the start of a service;
Warning - indicates a general warning about a problem that could affect the service or lead to a more serious problem if left unattended;
Error - indicates that a problem has occurred that may affect functions external to the application or component that raised the event;
Critical - indicates that a failure has occurred from which the application or component that raised the event cannot recover automatically;
Success audit - successful completion of an activity that you track through auditing, such as the use of a privilege;
Failure audit - failure of an activity that you track through auditing, such as a failed logon.

User - the user account on whose behalf the event occurred. Users include built-in identities such as Local Service, Network Service, and Anonymous Logon as well as real user accounts. The name shown is the client ID if the event was raised by a server process acting on a client's behalf, or the primary ID if no impersonation is in progress; in some cases a Security log entry contains both identifiers. The field can also read N/A if no account applies to the event. Impersonation occurs when a server process temporarily takes on the security attributes of the client process it is acting for.

Opcode - a numeric value that identifies the operation, or the point within an operation, that the application was performing when it raised the event; for example, initialization or shutdown.

Log - the name of the log in which the event was recorded.

Task category - the category of the event, sometimes used to further describe the action taken. Each event source defines its own categories; examples are Logon/Logoff, Privilege Use, Policy Change, and Account Management.

Keywords - a set of categories or tags that can be used to filter or search for events. For example: "Network", "Security" or "Resource not found".

Computer - the name of the computer on which the event occurred. This is usually the name of the local computer, but it can also be the name of the computer that forwarded the event, or the name the local computer had before it was renamed.

Date and time - the date and time at which the event was logged.

Process ID - the identifier of the process that generated the event. A computer program is only a passive set of instructions, while a process is the execution of those instructions.

Thread ID - the identifier of the thread that generated the event. A process can consist of several threads running "in parallel", that is, without a prescribed order in time; for some tasks this separation makes more efficient use of the computer's resources.

Processor ID - the identifier of the processor that processed the event.

Session ID - the identifier of the terminal server session in which the event occurred.

Kernel time - the time spent executing kernel-mode instructions, in units of CPU time. Kernel mode has unrestricted access to system memory and external devices. The NT kernel is described as a hybrid kernel (a macrokernel).

User time - the time spent executing user-mode instructions, in units of CPU time. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor time - the total time spent processing the event, in CPU ticks.

Correlation ID - identifies the activity within the process to which the event belongs; it is used to express simple relationships between events. (The term comes from statistics, where correlation is a relationship between two or more random variables such that a change in one is accompanied by a systematic change in the others.)

Relative correlation ID - identifies a related activity within the process to which the event belongs.
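As an added example that is not part of the original article, the script below fetches one event by ID and lays out the properties just described, using the names Event Viewer shows for them. Event ID 6005 (Event log service started) is the example the article itself uses, and it is read from the local System log, which does not require elevation. The script assumes PowerShell 3 or later; the property names on the EventLogRecord object (ProviderName, LevelDisplayName, OpcodeDisplayName, ActivityId and so on) are the real ones.

```powershell
# Added example (not from the article): map an event record onto the properties
# described above, then show the raw XML the logging infrastructure stores.
function Get-EventPropertySummary {
    param([Parameter(Mandatory = $true)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)

    # UserId is a SID; show the account name where it can be resolved, N/A where absent
    $user = 'N/A'
    if ($Record.UserId) {
        try   { $user = $Record.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $Record.UserId.Value }
    }

    [pscustomobject]@{
        Log                  = $Record.LogName
        Source               = $Record.ProviderName
        EventId              = $Record.Id
        Level                = $Record.LevelDisplayName
        User                 = $user
        Opcode               = $Record.OpcodeDisplayName
        TaskCategory         = $Record.TaskDisplayName
        Keywords             = ($Record.KeywordsDisplayNames -join ', ')
        Computer             = $Record.MachineName
        Logged               = $Record.TimeCreated
        ProcessId            = $Record.ProcessId
        ThreadId             = $Record.ThreadId
        CorrelationId        = $Record.ActivityId
        RelatedCorrelationId = $Record.RelatedActivityId
        Description          = $Record.Message
    }
}

# Newest "Event log service was started" record in the local System log
$record = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005 } -MaxEvents 1
Get-EventPropertySummary -Record $record | Format-List

# The same record as XML: the <System> element carries every field above,
# <EventData> carries the source-specific payload shown on the Details tab.
([xml]$record.ToXml()).Event.System
```

The Description field is built by combining the event's message template from the source's registered resources with the EventData values, which is why an exported log viewed on a computer without that source installed shows only the raw data unless the display information is saved with it (see "Display information" below).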

Working with event logs

Event Viewer

To view Application log events, follow these steps:
In the console tree, select "Windows Logs";
Select the Application log.

It is a good idea to review the Application and System logs regularly, looking both for current problems and for warnings that may portend problems in the future. When a log is selected, the middle pane lists the available events, including the date and time of each event, its source, its level, and more.

The Preview Pane shows basic event data on the General tab and additional, source-specific data on the Details tab. You can turn this pane on and off from the View menu with the Preview Pane command.

For critical systems it is advisable to keep logs for the last few months. Sizing the logs so that all of that information fits in them is usually impractical, but the problem can be solved another way: logs can be exported to files in a folder of your choice. To save the selected log, do the following:

In the console tree, select the event log you want to save;
Select the "Save Events As" command from the "Action" menu or select the "Save All Events As" command from the context menu of the log;
In the "Save as" dialog that appears, select the folder where the file should be saved. If you want to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the action bar. In the "File type" field, select the desired file format from the available ones: event files - *.evtx, xml file - *.xml, tab-separated text - *.txt, comma-separated csv - *.csv. Enter a name in the "File Name" field and click the "Save" button. To cancel saving, click on the "Cancel" button;
If the log will not be viewed on another computer, leave the default "No display information" option selected in the "Display Information" dialog box; if it will be viewed on another computer, select "Display information for these languages" in that dialog box, choose the languages, and click "OK".

Clearing the event log

Sometimes it is necessary to clear event logs that have filled up, so that the operating system's warnings and critical errors can be analysed effectively. To clear the selected log, do the following:
In the console tree, select the event log you want to clear;
Clear the log in one of the following ways:
From the "Action" menu, select "Clear Log";

Right-click the selected log to open the context menu and select the "Clear Log" command there.
Next, you can either clear the log outright or save it first, if that has not already been done:
To clear the event log without saving, click on the "Clear" button;
To clear the event log after saving it, click on the "Save and clear" button. In the "Save as" dialog that appears, select the folder where the file should be saved. If you want to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New Folder" button on the action bar. Enter a name in the "File Name" field and click the "Save" button. To cancel saving, click on the "Cancel" button.
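The "Save All Events As", "Display information", "Open Saved Log" and "Save and Clear" operations from the two procedures above, done from an elevated PowerShell prompt, as an added example that is not part of the original article. It uses wevtutil (epl exports a log, al attaches the locale-specific display information, cl clears with an optional backup) and Get-WinEvent -Path to read a saved file; C:\EventLogArchive is an assumed location. Clearing a log is itself logged, which is the point a defender cares about: Event ID 104 in the System log records that a log was cleared, and Event ID 1102 in the Security log records that the Security log was cleared.

```powershell
# Added example (not from the article): export, make portable, read back, and
# backup-then-clear, from an elevated prompt. C:\EventLogArchive is an assumed path.
$archiveDir = 'C:\EventLogArchive'
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

function Export-LogWithDisplayInfo {
    param(
        [Parameter(Mandatory = $true)] [string] $LogName,
        [string] $Locale = 'en-US'
    )
    $file = Join-Path $archiveDir ("{0}-{1}-{2}.evtx" -f $env:COMPUTERNAME, $LogName, $stamp)

    # "Save All Events As": copy the whole log to an .evtx file; the live log is untouched
    wevtutil epl $LogName $file
    if ($LASTEXITCODE -ne 0) { throw "export of $LogName failed (exit $LASTEXITCODE)" }

    # "Display information for these languages": embed the message strings so the file
    # still renders on a computer where the event sources are not installed
    wevtutil al $file "/l:$Locale"
    $file
}

foreach ($name in 'Application', 'System') {
    $saved = Export-LogWithDisplayInfo -LogName $name
    # "Open Saved Log": read the saved file rather than the live log
    $oldest = Get-WinEvent -Path $saved -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    "{0}: {1} bytes, oldest record {2}" -f $saved, (Get-Item $saved).Length, $oldest.TimeCreated
}

# "Save and Clear": the backup is written first and the clear happens only if it succeeds.
$backup = Join-Path $archiveDir "$env:COMPUTERNAME-Application-$stamp-cleared.evtx"
wevtutil cl Application "/bu:$backup"
if ($LASTEXITCODE -ne 0) { throw "clear of Application failed (exit $LASTEXITCODE)" }

# The clear itself leaves a trace: 104 in System (any log), 1102 in Security (Security log).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 1 |
    Select-Object TimeCreated, Id, Message
```

Because 104 and 1102 are exactly what an intruder's log wiping produces too, those two IDs belong in any monitoring rule; the scheduled export above is what makes them useful, since the cleared log's contents have already been copied off before they can disappear.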

Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default the maximum size of these files is limited, but you can change it in the following way:

Select the "Properties" command from the "Action" menu or from the context menu of the selected log;

In the "Maximum log size (KB)" field, set the required value with the spinner, or type it in directly. A typed value is rounded up to the nearest multiple of 64 KB, because the log file size must be a multiple of 64 KB and cannot be less than 1024 KB.
Events are written to a log file that can only grow up to the specified maximum size. Once the file reaches that size, what happens to incoming events is determined by the log's retention policy. The following retention policies are available:
Overwrite events as needed (oldest events first) - new entries continue to be written after the log is full; each new event replaces the oldest event in the log;

Archive the log when full, do not overwrite events - the log file is archived automatically when it fills up, and older events are never overwritten;

Do not overwrite events (clear logs manually) - the log has to be cleared by hand; nothing is done automatically, so once it is full no new events are written.

To select the desired log retention policy, follow these steps:

In the console tree, select the event log whose retention policy you want to change;
Select the "Properties" command from the "Action" menu or from the context menu of the selected log;
On the "General" tab, in the "When the maximum size is reached" section, select the required option and click the "OK" button.

Enable analytic and debug logging
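The two procedures above (maximum size and retention policy) done from an elevated PowerShell prompt, as an added example that is not part of the original article. The rounding rule described above is applied in code, and the three retention choices are mapped to wevtutil's retention (/rt) and auto-backup (/ab) switches; wevtutil is used rather than the Limit-EventLog cmdlet because the cmdlet only covers the classic logs. The sizes in the two calls at the end are illustrative values, not recommendations from the article.

```powershell
# Added example (not from the article): apply the 64 KB / 1024 KB rule and one of the
# three retention policies to a log, then read the configuration back.
function Set-EventLogLimits {
    param(
        [Parameter(Mandatory = $true)] [string] $LogName,
        [Parameter(Mandatory = $true)] [int]    $MaxSizeKB,
        [ValidateSet('OverwriteAsNeeded', 'ArchiveWhenFull', 'DoNotOverwrite')]
        [string] $Retention = 'OverwriteAsNeeded'
    )
    # Event Viewer's rule: never below 1024 KB, rounded up to a multiple of 64 KB
    $kb    = [math]::Max($MaxSizeKB, 1024)
    $kb    = [math]::Ceiling($kb / 64) * 64
    $bytes = $kb * 1KB

    # The dialog's three choices expressed as wevtutil switches
    switch ($Retention) {
        'OverwriteAsNeeded' { $rt = 'false'; $ab = 'false' }   # LogMode Circular
        'ArchiveWhenFull'   { $rt = 'true';  $ab = 'true'  }   # LogMode AutoBackup
        'DoNotOverwrite'    { $rt = 'true';  $ab = 'false' }   # LogMode Retain
    }

    wevtutil sl $LogName "/ms:$bytes" "/rt:$rt" "/ab:$ab"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for $LogName (exit $LASTEXITCODE)" }

    # Read back what the service actually stored
    Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, LogMode
}

# Illustrative values: Security log 1 GB and archived when full, so that filling the
# log cannot erase the oldest audit events; 100000 KB is rounded up to 100032 KB.
Set-EventLogLimits -LogName Security    -MaxSizeKB 1048576 -Retention ArchiveWhenFull
Set-EventLogLimits -LogName Application -MaxSizeKB 100000
```

With ArchiveWhenFull the archived copies accumulate in the same Logs folder (they are named after the log with a timestamp), so the folder's free space has to be monitored just like the log size itself.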

Analytic and debug logs are disabled by default. Once activated, they quickly fill up with a large number of events. For this reason, it is desirable to enable these logs for a limited period of time in order to collect the data necessary for troubleshooting, and then disable them again. Logs can be activated as follows:

In the console tree, find and select the analytic or debug log you want to activate;
Select the "Properties" command from the "Action" menu or from the context menu of the selected analytic or debug log;
On the "General" tab, check the "Enable logging" box and click "OK".
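The bounded collection the paragraph above recommends, enable for a short window, keep the data, disable again, as an added example that is not part of the original article. It is written for an elevated PowerShell prompt and uses wevtutil sl /e to toggle the log; the LogType check rejects any log that is not analytic or debug. Two caveats it handles: Get-WinEvent can only read analytic and debug logs oldest-first (so -Oldest is mandatory), and the log is disabled in a finally block so it is not left on if the session is interrupted. The log name at the end is only an assumed example; the commented line shows how to list the analytic and debug logs actually present.

```powershell
# Added example (not from the article): enable an analytic/debug log for a bounded
# window, export what it collected, disable it again, and read it back oldest-first.
function Invoke-AnalyticCapture {
    param(
        [Parameter(Mandatory = $true)] [string] $LogName,
        [int]    $Seconds = 30,
        [string] $ExportTo
    )
    # -Force is needed for -ListLog to return analytic and debug logs at all
    $cfg = Get-WinEvent -ListLog $LogName -Force -ErrorAction Stop
    if ($cfg.LogType -notmatch '^(Analytical|Debug)$') {
        throw "$LogName is a $($cfg.LogType) log, not an analytic or debug log"
    }

    # The "Enable logging" checkbox; /q:true suppresses the confirmation prompt
    wevtutil sl $LogName /e:true /q:true
    if ($LASTEXITCODE -ne 0) { throw "could not enable $LogName (exit $LASTEXITCODE)" }
    try {
        Start-Sleep -Seconds $Seconds     # the bounded collection window
    }
    finally {
        # Always switch the log off again; disabling also flushes buffered events to disk
        wevtutil sl $LogName /e:false /q:true
    }

    if ($ExportTo) {
        New-Item -ItemType Directory -Path (Split-Path $ExportTo) -Force | Out-Null
        wevtutil epl $LogName $ExportTo   # keep a copy before anything re-enables the log
    }
    # Analytic and debug logs can only be read oldest-first
    Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue
}

# Assumed log name for illustration. List the real candidates on a given computer with:
#   Get-WinEvent -ListLog * -Force | Where-Object { $_.LogType -match 'Analytical|Debug' }
$events = Invoke-AnalyticCapture -LogName 'Microsoft-Windows-Kernel-Process/Analytic' `
                                 -Seconds 20 -ExportTo 'C:\EventLogArchive\kernel-process.evtx'
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

The summary at the end (count per event ID) is usually the first thing worth looking at in an analytic capture, because a single chatty ID can account for nearly all of the volume the article warns about.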

Opening and closing a saved log

You can use the Event Viewer snap-in to open and view previously saved logs. You can open multiple saved logs at the same time and access them at any time in the console tree. A log opened in the Event Viewer can be closed without deleting the information it contains. To open a saved log, do the following:

Select the "Open saved log" command from the "Action" menu or from the context menu in the console tree;
In the "Open Saved Log" dialog box, navigate through the directory tree to the folder containing the desired file. By default all event log files are shown; you can also choose which file type the dialog displays. The available types are: event log files (*.evtx, *.evt, *.etl), event files (*.evtx), legacy event files (*.evt), and trace log files (*.etl). When you have found the log file, click it with the left mouse button, which places its name in the file name field, and then click the "Open" button.

In the Open Saved Log dialog, in the Name field, enter a new name to be used for the log in the console tree. It is only used to represent the log in the console tree and does not change the log file name. You can also use an existing log file name. In the Description field, enter a description for the log. It will be displayed in the center pane when the parent log folder is highlighted in the console tree;
To create a folder in which the saved log will be located, click on the "Create Folder" button. In the Name field, enter a name for the folder that will contain the open log, and then click OK. If no parent folder is selected, the new folder will be located in the Saved Logs folder

To make the open event log inaccessible to other users of the computer, you can uncheck the "All users" box. If this checkbox remains active, the open log will be available to all users, but administrator rights will be required to remove it from the console tree;
To open the log, click on the "OK" button.
To remove an opened log from the console tree, do the following:

In the console tree, select the log you want to delete;
Select the "Delete" command from the "Action" menu or from the context menu of the selected log

In the "Event Viewer" dialog, click the "Yes" button.

Conclusion

This part of the Event Viewer snap-in article introduces the snap-in itself and details the basic operations involved in monitoring and maintaining your system using the Event Viewer.

Instruction

Log in with administrator rights. To do this, your current user account must be a member of the "Administrators" group, or obtain the appropriate authority by delegation. If the computer is joined to a domain, members of the Domain Admins group can also perform this procedure; in that case, for security, use the "Run as" command.

To delete events from a log, open the Event Viewer from the main menu: click the "Start" button, select "Control Panel", and double-click the "Administrative Tools" icon. In this window, select the "Event Viewer" icon and double-click it, or press Enter.

In the Event Viewer window, in the console tree, select the log you want to clear. Open the "Action" menu and select "Clear all Events". To save the log before clearing it, click the Yes button. If the log is stored in a file, it cannot be cleared in this way; to clear it, delete the file in which it is stored.

To delete entries in Windows 7, open the main menu and select "Control Panel", then select "Administrative Tools" from the panel components, and then the "Event Viewer" administrative tool.

Alternatively, open the MMC console: click the "Start" button, enter mmc in the search field and press Enter. From the Console menu select "Add or Remove Snap-in", or press Ctrl+M. In the dialog box, select "Event Viewer", click "Add", then "Finish" and "OK".

Click Start, Run, and type eventvwr.msc. Then open the "Action" menu and choose "Clear Log". To save the log before clearing it, select "Save and Clear", enter a file name and click the "Save" button.


Every browser keeps a record of the websites it has visited. The address of each opened page is written to a special file, the browsing history, and saved. This feature can be changed or disabled.

Instruction

To clear the history in Internet Explorer, open the "Tools" menu and select "Internet Options". The dialog box opens on the General tab; at the bottom is the "History" section. Click the "Clear" button. To disable the history feature completely, set the number of days to keep pages in history to "0". Click the OK button.

In the Opera browser, click the "Opera" icon in the upper left corner. Select Settings, then General Settings. In the window that opens, select the "Advanced" tab; on the left you will see a list of items. Select "History". The "Remember visited addresses for history and autocomplete" section, in the "Remember addresses" item, shows the number of web addresses that are remembered; you can set the value to "0". Below it is the line "Remember the contents of visited pages"; to disable the history feature, uncheck this box. Then click the "Clear" button, then "OK".

In Mozilla Firefox, open the "Tools" menu at the top, then the "Options" item. In the dialog box, click the Privacy tab. In the "History" section, in the first item, "Remember the addresses of web pages visited in the last ... days", set the value to "0", then uncheck the item so that it becomes inactive. If you also do not want data entered in the search bar to be saved, uncheck "Remember data entered in forms and the search bar". Click the OK button.

In Google Chrome, click the wrench icon in the top right corner. Select "Tools", then "Clear browsing data". In the "Clear browsing data" window, select the period for which you want to clear the history (from the last hour to the whole history). Check the "Clear browsing history" box and click the "Clear browsing data" button.

The Windows 7 operating system has a special service that lets you monitor all events in the computer system. Event Viewer is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs.

You will need

  • Windows 7.

Instruction

Press the "Start" button to bring up the main menu and go to "Control Panel".

Select "Administrative Tools" from the list of components, then select "Event Viewer".

Return to the main menu and enter mmc in the search field to open the MMC console.

Confirm the execution of the command by pressing the Enter button.

Select the "Add or Remove Snap-in" command from the menu of the empty MMC console that opens.

Select the "Event Viewer" snap-in in the "Add or Remove Snap-ins" dialog box and click the "Add" button.

Confirm the execution of the command by pressing the "Finish" button.

Press the OK button to confirm your choice.

Select the event log you want to save.

Specify a folder to save the selected file in the Save As dialog box. Select the desired file saving format in the File Type field and enter a name for the saved file in the File Name field.

Return to the "Action" menu to clear the log.

Specify the "Clear log" command.

Call the context menu by right-clicking on the line of the selected log and select "Clear log".

Click the "Clear" button to clear the log without saving.
Click the "Save and Clear" button to archive the data and then delete the log entries. In this case, specify a folder to save the log data in the Save As dialog box and enter a name in the File Name field.

Note

Use the keyboard shortcut Windows key+R to open the Run dialog box, type eventvwr.msc in the Open box, and click OK to open the Event Viewer.

Helpful advice

The main uses of the Event Viewer are: viewing events in selected logs, applying event filters, creating event subscriptions, and assigning specific actions to be taken when a particular event occurs.


Windows users quite often turn to the Event Viewer. This application lets you track crashes, errors and malfunctions in the system. It can be used for diagnostic health checks, but a saved log is not always needed, and then it has to be removed as an extra component.

You will need

  • Working with the Event Viewer applet.

Instruction

Not all users know that the Windows operating system keeps an event log; you have to dig fairly deep into the system to reach this component. It is easy to find on Windows 7 or Windows Vista, though: open the Start menu, activate the search field, type "Event Viewer", and click the first line in the search results.

The Event Viewer applet opens (this component is also called the Event Viewer snap-in). Before a saved log can be removed it must first be opened or created (in some cases working with saved logs is disabled). To open a log, click the "Action" menu at the top and select "Open Saved Log" from the drop-down menu.

In the "Open Saved Log" window, find the event log file; use the Explorer sidebar to get to it quickly. Note that by default the dialog offers to open several extensions, not all of which correspond to an event log: you will see files in the formats evtx, evt and etl. The evtx extension is for event files, evt for legacy event files, and etl for trace log files.

After selecting the file, click the "Open" button in the lower right corner of the dialog box. To remove a recently opened log, go to it in the console tree: click the triangle next to "Saved Logs" on the left side of the window, then the folder that contains the saved logs. This folder holds all the saved logs that have been opened.

Select the event log, which has a floppy-disk icon next to it, and right-click it. Select "Delete" from the context menu. In the window that opens, confirm the deletion by clicking the "Yes" button.

Every web browser keeps a history of the user's browsing on the Internet. You may prefer to keep this private; in that case, clear the browsing history.

Instruction

If you are using IE7, select "Delete Browsing History" from the Tools menu and click "Delete history" in the "History" section. In this window you can also delete cookies, temporary Internet files and other data created while visiting websites.

To clear the history in IE8, launch the browser from the Start menu and open the Safety menu. Select the "Delete Browsing History..." command. If you want to keep cookies and data from certain websites, check the "Keep data from selected websites" box. Check the boxes for the data you want to delete from the hard disk, and click Delete.

To clear the browsing history in Mozilla Firefox 3 and later, use the "Clear Recent History" command from the "Tools" menu. In the window that opens, click the arrow and select the time range to clear from the drop-down list. Expand the "Details" list by clicking the arrow and check the boxes for the data you want to delete. Click "Clear Now".
