This chapter covers Windows Event Viewer, a critical tool for monitoring, troubleshooting, and auditing Windows systems. For the CompTIA A+ 220-1102 exam, Event Viewer appears in Domain 1.0 (Operating Systems), Objective 1.2 — 'Given a scenario, use the appropriate Microsoft Windows 10/11 troubleshooting and diagnostic tools.' Approximately 5-10% of exam questions may involve Event Viewer, either directly or as part of a broader troubleshooting scenario. Mastering Event Viewer will help you identify system failures, security breaches, and application errors efficiently.
Think of Windows Event Viewer as the black box flight recorder on a commercial airliner. The black box continuously records every instrument reading, pilot action, and system alert — not just crashes, but routine data like altitude, speed, and engine temperature. When an incident occurs, investigators don't guess; they pull the black box, filter by time and severity, and trace the exact sequence of events leading to the failure. Similarly, Event Viewer logs every system, security, and application event — from a successful login to a disk driver error. Just as a black box has multiple channels (cockpit voice, flight data, maintenance logs), Event Viewer has separate logs: Application, Security, Setup, System, and Forwarded Events. Each event entry is like a timestamped data point with an ID, source, and description. A technician troubleshooting a crash doesn't rely on memory; they open Event Viewer, filter by the crash time, look for critical or error events (level 1 or 2), and correlate them to find the root cause. Without this log, diagnosing problems would be like investigating a plane crash without the black box — guesswork and speculation.
What is Event Viewer?
Event Viewer is a Microsoft Management Console (MMC) snap-in that displays logs of system, security, and application events. It is available in all modern Windows editions (Windows 10/11, Server 2016/2019/2022). Its primary purpose is to provide a centralized repository of diagnostic information that administrators and support technicians can use to monitor system health, troubleshoot problems, and audit security events.
How Event Viewer Works Internally
Windows generates events through various system components, services, and applications. When an event occurs, the source (e.g., a driver, service, or application) calls the Windows Event Logging API, which writes the event data to a log file. The log files are stored in %SystemRoot%\System32\winevt\Logs as .evtx files. Each log file is a binary file that uses a structured XML schema to store event data. The Event Viewer reads these files and presents them in a human-readable format.
Events are classified by log name, event source, event ID, level, user, and other fields. The logging service runs as EventLog (svchost.exe) and is set to start automatically. It can handle high volumes of events without significant performance impact because it writes asynchronously.
Key Components of Event Viewer
- Logs: The five default logs are:
  - Application: Events logged by applications or programs (e.g., database errors, application crashes).
  - Security: Events related to security, such as logon attempts, resource access, and policy changes. Requires audit policy configuration.
  - Setup: Events related to Windows installation and updates.
  - System: Events logged by Windows system components (e.g., driver failures, disk errors).
  - Forwarded Events: Events collected from remote computers via Windows Event Forwarding.
- Event Properties: Each event contains:
  - Level: Severity classification: Critical (1), Error (2), Warning (3), Information (4), Verbose (5).
  - Date and Time: Timestamp of when the event occurred.
  - Source: The software or component that logged the event (e.g., "Service Control Manager", "Disk").
  - Event ID: A unique numeric identifier for the event type (e.g., 1001 for Windows Error Reporting).
  - Task Category: Subcategory of the event source (e.g., "Logon" for security events).
  - User: The user account under which the event occurred.
  - Computer: The computer name where the event occurred.
- Custom Views: Filters that save specific queries, such as "Administrative Events", which shows only Critical, Error, and Warning events from all logs.
- Subscriptions: Used in Windows Event Forwarding to collect events from remote computers.
Default Log Sizes and Retention
Each log file has a default maximum size and retention policy:
- Application, Security, Setup, System: Default max size is 20 MB on both Windows 10/11 and Windows Server.
- Forwarded Events: Default max size is 20 MB.
- Retention: By default, when the log reaches its maximum size, new events overwrite the oldest events (circular logging). You can change this to "Archive the log when full" or "Do not overwrite events (clear logs manually)".
To check or modify log properties: Right-click a log → Properties. You can set the maximum log size (from 1 MB to 2 TB theoretically, but practical limits depend on disk space) and choose the retention method.
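The same check and change done from PowerShell instead of the Properties dialog, as an added example that is not part of the original page: it reads the current size and retention mode of the default logs, then raises the System log to 100 MB while keeping circular overwrite. It assumes an elevated PowerShell session on the local machine.

```powershell
# Added example, not from the original page. Read size/retention for the default logs,
# then raise System to 100 MB. Run from an elevated PowerShell: changing log
# configuration requires administrator rights.
Get-WinEvent -ListLog System, Application, Security |
    Select-Object LogName,
                  @{ n = 'MaxMB'; e = { $_.MaximumSizeInBytes / 1MB } },
                  LogMode, RecordCount

# LogMode values map to the GUI retention choices:
#   Circular   = Overwrite events as needed (the default)
#   AutoBackup = Archive the log when full
#   Retain     = Do not overwrite events (clear logs manually)
$log = Get-WinEvent -ListLog System
$log.MaximumSizeInBytes = 100MB      # was 20 MB by default
$log.LogMode = 'Circular'
$log.SaveChanges()                   # writes the new settings to the log configuration

# Command-line equivalent (wevtutil set-log): size in bytes, /rt:false keeps overwrite
#   wevtutil sl System /ms:104857600 /rt:false
```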
How to Open Event Viewer
GUI: Press Win+R, type `eventvwr.msc`, press Enter.
Command Line: `eventvwr` (opens GUI) or `wevtutil` (command-line tool for managing logs).
PowerShell: `Get-WinEvent` cmdlet.
Using Event Viewer for Troubleshooting
When troubleshooting a problem, the typical workflow is:
Identify the timeframe: Determine when the issue started or occurred.
Filter logs: Use the "Filter Current Log" action to specify event level (e.g., Critical, Error), event ID, source, or time range.
Look for patterns: Multiple related errors around the same time often point to a root cause.
Examine event details: Double-click an event to see the full description, which often includes error codes, file paths, and suggested actions.
Search for known solutions: Use the event ID and description to search online or in knowledge bases.
Common Event IDs for 220-1102
41: Kernel-Power — System rebooted without clean shutdown (often due to power loss or crash).
1001: Windows Error Reporting — Application crash or hang.
6005: EventLog — The Event log service was started (indicates system boot).
6006: EventLog — The Event log service was stopped (indicates shutdown).
6008: EventLog — Previous system shutdown was unexpected (system crashed).
7000: Service Control Manager — A service failed to start due to an error.
7001: Service Control Manager — A service failed to start because another service it depends on failed.
7031: Service Control Manager — A service terminated unexpectedly.
1000: Application Error — Faulting application name and module.
1002: Application Hang — Application stopped responding.
Security Log Events
Security auditing must be enabled via Group Policy or Local Security Policy. Common security event IDs:
4624: An account was successfully logged on.
4625: An account failed to log on.
4634: An account was logged off.
4648: A logon was attempted using explicit credentials.
4672: Special privileges assigned to new logon (e.g., administrator).
4720: A user account was created.
4732: A member was added to a security-enabled local group.
4740: A user account was locked out.
Performance Considerations
Logging too many events (e.g., verbose logging for all audit categories) can consume disk space and CPU. Best practices:
Set an appropriate maximum log size based on available disk space.
Archive logs regularly if needed for compliance.
Use custom views to focus on critical events.
For high-volume servers, consider using Windows Event Forwarding to centralize logs.
Integration with Other Tools
Task Scheduler: You can create tasks that trigger on specific events (e.g., send an email when event ID 1001 occurs).
Performance Monitor: Can correlate performance counters with events.
PowerShell: Get-WinEvent allows advanced filtering and automation.
Reliability Monitor: Presents a timeline of system events, including application failures, Windows failures, and other issues; data comes from Event Viewer.
Command-Line Tools
wevtutil — Enumerate logs (`wevtutil el`), export logs (`wevtutil epl`), clear logs (`wevtutil cl`), query events (`wevtutil qe`).
Example: `wevtutil qe Application /c:10 /rd:true /f:text` — Shows the 10 most recent Application events.
PowerShell: `Get-WinEvent -LogName System -MaxEvents 10 | Format-List`.
Step-by-Step Troubleshooting Example
User reports Blue Screen of Death (BSOD) at 2:00 PM.
Open Event Viewer → Windows Logs → System.
Click "Filter Current Log" → Check 'Critical' and 'Error' → Set time range 1:50 PM to 2:10 PM.
Look for event ID 41 (Kernel-Power) or 1001 (Windows Error Reporting).
Double-click the event: Description may include bug check code (e.g., 0x0000001e) and parameters.
Use the bug check code to research the cause (e.g., faulty driver, hardware issue).
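The troubleshooting workflow (identify timeframe, filter, look for patterns, examine details) applied to the BSOD case above with `Get-WinEvent` instead of the GUI, as an added example that is not part of the original page. The incident date and time window are constructed values; replace them with the real ones.

```powershell
# Added example, not from the original page. Same filter as 'Filter Current Log':
# System log, Critical (1) and Error (2), time window around the reported 2:00 PM crash.
# The date below is constructed; adjust $start/$end to the actual incident.
$start = Get-Date '2024-01-15 13:50'
$end   = Get-Date '2024-01-15 14:10'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2            # Critical, Error (same numbering the GUI uses)
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue  # Get-WinEvent raises an error when nothing matches

# Look for patterns: which source / event ID pairs cluster inside the window?
$events | Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Examine details: pull the bug check code out of the 41 / 1001 entries.
$events | Where-Object { $_.Id -in 41, 1001 } | ForEach-Object {
    $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'n/a' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Source   = $_.ProviderName
        BugCheck = $code          # e.g. 0x0000001e; research the code, not just the ID
    }
}
```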
Best Practices for the Exam
Know the default logs and their purposes.
Remember that Security logs require auditing to be enabled.
Be able to filter events by level, time, and event ID.
Recognize common event IDs like 41, 6005, 6006, 6008, 1001.
Understand that Event Viewer is the first place to look after a crash or failure.
Know how to clear logs and change log properties.
Open Event Viewer
Press Win+R, type `eventvwr.msc`, and press Enter. Alternatively, search for 'Event Viewer' in the Start menu. This launches the MMC snap-in. The console tree on the left shows the five default logs under 'Windows Logs' and additional logs under 'Applications and Services Logs'. You can also open Event Viewer from the command line by typing `eventvwr`.
Identify the Problem Log
Determine which log is most relevant to your issue. For system crashes, driver failures, or hardware problems, use the System log. For application crashes, use the Application log. For security issues like failed logins, use the Security log. If unsure, start with the 'Administrative Events' custom view, which aggregates Critical, Error, and Warning events from all logs.
Filter Events by Time and Level
Right-click the log (e.g., System) and select 'Filter Current Log'. In the dialog, set the time range to cover the incident timeframe. Check the levels you need: Critical (1) and Error (2) are most important for failures. Optionally, enter specific Event IDs if known. Click OK. The view now shows only matching events, making it easier to spot the root cause.
Analyze Event Details
Double-click an event to open its properties. Read the 'General' tab for a description. Look for error codes, file paths, or module names. For example, a BSOD event (ID 1001) includes the bug check code and parameters. The 'Details' tab shows the raw XML, which can be useful for advanced analysis. Note the Event ID and source for further research.
Correlate and Resolve
Multiple events around the same time may indicate a cascade. For example, a disk error (Event ID 7) may be followed by a service failure (Event ID 7000) because the service couldn't read a file. Use the event descriptions to determine the root cause. Search online or in vendor knowledge bases using the Event ID and error code. Apply the fix (e.g., update driver, replace hardware, reinstall application).
Enterprise Scenario 1: Troubleshooting a Server Crash
A file server crashes every few days at random times. The IT admin opens Event Viewer on the server and filters the System log for Critical and Error events during the crash times. They find event ID 41 (Kernel-Power) indicating unexpected shutdown, and event ID 1001 from Windows Error Reporting with a bug check code 0x000000d1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL). The description points to a third-party backup driver. The admin updates the driver and the crashes stop. In production, Event Viewer is often the first tool used for crash analysis because it captures the last moments before failure.
Enterprise Scenario 2: Security Audit of Failed Logins
A company suspects a brute-force attack on a domain controller. The security team enables advanced audit policy for logon events. They open Event Viewer on the DC, navigate to Security log, and filter for event ID 4625 (failed logon). They see hundreds of failed attempts from a single IP address within minutes. They use the 'Network Information' field in the event to identify the source IP and block it at the firewall. In larger environments, logs are forwarded to a SIEM system, but Event Viewer provides immediate visibility.
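The failed-logon review in Scenario 2, and the security event IDs listed earlier, done with `Get-WinEvent` so the 'Network Information' fields can be counted rather than read one event at a time, as an added example that is not part of the original page. It assumes an elevated session on the host whose Security log is being reviewed; the one-hour window and the 20-failure threshold are constructed values.

```powershell
# Added example, not from the original page. Count Security 4625 (failed logon) events
# per source IP over the last hour and flag sources above a threshold. Requires an
# elevated session (reading the Security log needs administrator rights) and logon
# auditing enabled, otherwise the log is empty. Window and threshold are constructed.
$threshold = 20
$since     = (Get-Date).AddHours(-1)

$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $failed) {
    # The GUI's 'Network Information' fields are <Data Name="..."> elements in the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        TargetUser = $data['TargetUserName']
        SourceIP   = $data['IpAddress']
        LogonType  = $data['LogonType']   # 3 = network, 10 = RDP
        SubStatus  = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Sources exceeding the threshold, with the accounts they targeted.
$rows | Group-Object SourceIP |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.TargetUser | Sort-Object -Unique) -join ', '
        }
    }
```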
Scenario 3: Application Performance Issue
A line-of-business application crashes intermittently. The support team opens Event Viewer on the user's workstation, looks at the Application log, and finds event ID 1000 (Application Error) with the faulting module name 'myapp.dll' and exception code 0xc0000005 (access violation). They correlate this with a recent update to the application. They roll back the update and the issue resolves. Event Viewer is critical for identifying application-level faults that don't generate a BSOD.
Common Pitfalls in Production
Log size too small: If the log reaches its max size, older events are overwritten. During a major incident, critical events may be lost. Always set an appropriate max size (e.g., 100 MB) and consider archiving.
Security auditing disabled: By default, Security log only records events if audit policies are configured. Many administrators forget to enable auditing, leaving no trail for security incidents.
Ignoring Warning events: Warnings (level 3) often precede errors. For example, a disk warning (Event ID 7) indicating bad sectors can predict a future crash.
Not using custom views: In a large environment, manually scrolling through logs is inefficient. Custom views that filter for specific event IDs or sources save time.
Performance at Scale
On a busy domain controller, the Security log can generate thousands of events per minute. To avoid performance degradation, use Windows Event Forwarding to send events to a central collector, and set maximum log sizes appropriately. On client machines, the default 20 MB is usually sufficient for troubleshooting, but for compliance, increase the size or archive logs regularly.
What the 220-1102 Exam Tests
Objective 1.2: 'Given a scenario, use the appropriate Microsoft Windows 10/11 troubleshooting and diagnostic tools.' Event Viewer is one of the key tools listed. The exam expects you to:
Know how to open Event Viewer (eventvwr.msc).
Identify the five default logs: Application, Security, Setup, System, Forwarded Events.
Understand event levels: Critical (1), Error (2), Warning (3), Information (4), Verbose (5).
Recognize common event IDs: 41 (Kernel-Power), 1001 (Windows Error Reporting), 6005 (service start), 6006 (service stop), 6008 (unexpected shutdown), 7000/7001 (service failures).
Use filtering to isolate events by time, level, and event ID.
Explain that Security logs require audit policy configuration.
Common Wrong Answers and Why Candidates Choose Them
'Event Viewer is used to view hardware information' — Candidates confuse Event Viewer with Device Manager. Event Viewer shows logs, not hardware details.
'Security logs are enabled by default' — Many think security auditing is on by default, but it's not. You must configure audit policies via Local Security Policy or Group Policy.
'Clearing logs deletes the log file' — Clearing logs empties the log but does not delete the .evtx file. The log continues to collect new events.
'Event Viewer can only be opened from Control Panel' — The correct way is eventvwr.msc from Run or command line. Control Panel does not have a direct link.
Specific Numbers and Terms That Appear on the Exam
Default log size: 20 MB (for each of the five default logs).
Event levels: Critical (1), Error (2), Warning (3), Information (4), Verbose (5).
Event IDs: 41, 1001, 6005, 6006, 6008, 7000, 7001.
Log file location: %SystemRoot%\System32\winevt\Logs.
Command to open: eventvwr.msc.
PowerShell cmdlet: Get-WinEvent.
Edge Cases the Exam Loves to Test
What happens when a log reaches its maximum size? By default, new events overwrite the oldest events. You can change this to archive or prevent overwriting.
Can you view events from a remote computer? Yes, via 'Connect to Another Computer' in Event Viewer (requires permissions) or through Windows Event Forwarding.
Event ID 6008 indicates what? An unexpected shutdown (system crashed or lost power).
Which log contains events about driver failures? System log.
How to Eliminate Wrong Answers
If a question asks about troubleshooting a crash, look for options that involve Event Viewer, not Task Manager or Performance Monitor.
If the question mentions security events, remember that the Security log requires auditing; if auditing is not mentioned, consider that the log may be empty.
For questions about log size, the default is 20 MB; any answer stating 10 MB or 100 MB is wrong.
When asked about filtering, the correct answer will involve filtering by level, time, or event ID. Filtering by user name or computer name is possible too, but level and time are the most common exam answers.
Event Viewer is found under eventvwr.msc or by searching 'Event Viewer' in Start.
The five default logs are Application, Security, Setup, System, and Forwarded Events.
Event levels: Critical (1), Error (2), Warning (3), Information (4), Verbose (5).
Common event IDs: 41 (Kernel-Power), 1001 (Windows Error Reporting), 6005 (service start), 6006 (service stop), 6008 (unexpected shutdown), 7000 (service fail to start), 7001 (service dependency fail).
Security log requires audit policy configuration to record events.
Default log size is 20 MB; when full, oldest events are overwritten.
Log files are stored in %SystemRoot%\System32\winevt\Logs as .evtx files.
Use 'Filter Current Log' to narrow events by level, time, and event ID.
Event Viewer can connect to remote computers for centralized monitoring.
Reliability Monitor provides a user-friendly timeline derived from Event Viewer data.
These come up on the exam all the time. Here's how to tell them apart.
Event Viewer
Provides detailed raw logs with event IDs, sources, and descriptions.
Can filter by level, time, event ID, and source.
Contains five default logs (Application, Security, Setup, System, Forwarded Events).
Requires manual analysis of individual events.
Best for deep technical troubleshooting.
Reliability Monitor
Presents a graphical timeline of system stability.
Shows only failures and warnings in a summarized view.
Aggregates data from Event Viewer into a single timeline.
Easier for non-technical users to understand.
Best for a quick overview of system reliability.
Mistake
Event Viewer shows all events that occur on the system in real time.
Correct
Event Viewer refreshes periodically; it does not show events in real time. You must click 'Refresh' or set a custom refresh interval (default is 1 minute).
Mistake
Security log is enabled by default and records all logon attempts.
Correct
The Security log only records events if audit policies are configured via Local Security Policy or Group Policy. By default, auditing is minimal (e.g., account logon events are not audited).
Mistake
Clearing a log deletes the .evtx file permanently.
Correct
Clearing a log empties the events but does not delete the file. The log file remains and new events are written to it.
Mistake
Event Viewer can only be used on the local computer.
Correct
Event Viewer can connect to remote computers using 'Connect to Another Computer' or via Windows Event Forwarding, provided appropriate permissions and firewall rules are configured.
Mistake
Event ID 41 always indicates a hardware failure.
Correct
Event ID 41 (Kernel-Power) means the system rebooted without a clean shutdown. This can be caused by hardware failure, driver issues, power loss, or even a user pressing the reset button. It is not definitive proof of hardware failure.
Press Win+R, type `eventvwr.msc`, and press Enter. You can also search for 'Event Viewer' in the Start menu. The command `eventvwr` from a command prompt also works. There is no direct link in Control Panel.
Event Viewer provides detailed logs with event IDs, sources, and descriptions, divided into five default logs. Reliability Monitor presents a graphical timeline of system events, summarizing failures and warnings. Reliability Monitor gets its data from Event Viewer but presents it in a more user-friendly format. Use Event Viewer for deep troubleshooting and Reliability Monitor for a quick health overview.
In Event Viewer, right-click 'Event Viewer (Local)' in the console tree and select 'Connect to Another Computer'. Enter the computer name. You need administrative permissions on the remote computer and the Remote Event Log Management firewall rule must be enabled. Alternatively, use Windows Event Forwarding to collect events centrally.
Event ID 41 (source: Kernel-Power) indicates that the system rebooted without a clean shutdown. This typically happens after a crash, power loss, or hard reset. It does not specify the cause but is a clue that something went wrong. Look for preceding error events to find the root cause.
Right-click the log (e.g., System) and select 'Clear Log...'. You will be prompted to save the log before clearing. Clearing removes all events from that log, but the .evtx file remains. You can also clear logs using the command `wevtutil cl System`.
The Security log only records events if audit policies are configured. By default, auditing is minimal. To enable logging, open Local Security Policy (secpol.msc) → Local Policies → Audit Policy, and enable the desired categories (e.g., Audit logon events). Changes take effect immediately.
Yes. Right-click a log and select 'Save All Events As...' to save as .evtx (for later viewing in Event Viewer), .xml, .txt, or .csv. You can also use `wevtutil epl System C:\backup.evtx` to export from command line.