Complete Guide to Checking Windows Logs

Updated May 10, 2026 · 8 min read

When a Windows machine crashes, refuses to start a service, drops a network connection, or shows signs of suspicious activity, the Windows Event Log is one of the first places to check. It records activity from the operating system, applications, drivers, services, and security controls, and you can view it in Windows Event Viewer when troubleshooting.

This guide explains what the Windows Event Log is, which log categories matter most, where Windows log files are stored, and how to use Event Viewer to access logs, apply filters, and create Custom Views to narrow down the events you actually need.

What is a Windows Event Log?

A Windows Event Log is a standardized record of events created by the Windows operating system, services, drivers, and supported applications. Each event can include details such as the source, time, severity level, user, computer name, and event ID. Windows groups these entries into categories so administrators and users can review errors, warnings, security activity, and system changes without searching through unrelated data.

You will usually check these logs when investigating system failures, application crashes, sign-in activity, permission changes, or unexpected restarts. They are also useful when you need evidence for audits or when you are trying to trace the root cause of instability on a machine.

Understanding Windows Event Log Categories

Windows Event Log separates events by the component or activity that created them. The main categories you will see in Event Viewer are System, Application, Security, Setup, and Forwarded Events.

System Events

System events are related to the core operations of the Windows operating system. They come from components such as drivers, services, hardware, and startup processes. You should check system events when a machine restarts unexpectedly, a device fails to load, a driver crashes, or Windows reports hardware-related problems.

Application Events

Application events are generated by software running on the machine. You should check them when an application crashes, throws repeated warnings, fails during startup, or displays status messages that explain what happened before an error.

Security Events

Security events record activity related to authentication, authorization, policy changes, and access attempts. In this log, you can review successful and failed sign-ins, account activity, access to protected resources, and changes to permissions or security settings.

Setup Events

Setup events contain details about Windows installation, updates, upgrades, and configuration activities. You can review these logs when troubleshooting failed updates, installation errors, or setup-related changes made during Windows servicing.

Forwarded Events

Forwarded Events contains logs collected from multiple Windows computers and sent to a centralized location. This is mainly used in environments where administrators monitor multiple systems from one place instead of opening Event Viewer on each device separately.

How to Open Windows Event Viewer

Event Viewer is the built-in Windows tool for viewing event logs. There are several ways to open it.

Using the Start Menu

  1. Click the Start button or press the Windows key.
  2. Type Event Viewer.
  3. Select Event Viewer from the search results.

Using the Run Dialogue

  1. Press Windows + R to open the Run dialogue.
  2. Type eventvwr.
  3. Press Enter.

Using Command Prompt

  1. Open Command Prompt.
  2. Type eventvwr.
  3. Press Enter to open Event Viewer.

Windows Event Log Location

Windows logs are stored in event log files in the following folder by default:

C:\Windows\System32\winevt\Logs

The files use the .evtx format. Each file maps to a log or event channel, such as Application, Security, or System.

Common log files include:

  1. Application.evtx - events from applications and programs
  2. Security.evtx - security-related events such as sign-in activity
  3. System.evtx - events related to Windows system components and drivers

You may also find additional .evtx files for other Windows components and services. Older versions of Windows use the .evt file format.

Understanding Event Viewer Entries

Each Event Viewer entry represents one recorded event. The fields in the entry tell you when the event occurred, which component created it, how severe it was, and which user or computer was associated with it.

The key components of an Event Viewer entry are as follows:

  1. Date and Time - when the event occurred
  2. Source - the application, service, or system component that generated the event
  3. Event ID - an identifier for the event type
  4. Level - the severity of the event
  5. User - the user account associated with the event, if available
  6. Computer - the name of the computer where the event was logged
  7. Description - detailed information about the event

Common event levels include:

  • Information - normal operations or successful activity
  • Warning - potential issues that may need attention
  • Error - significant problems that may affect functionality
  • Critical - severe problems that require immediate attention

Filtering and Custom Views in Event Viewer

Event Viewer can contain hundreds or thousands of entries, especially on machines that have been running for a long time. Adding filters lets you narrow the list by time range, severity level, event source, log, or event ID. You can use custom views to save filter settings for reuse during future investigations.

To create a Custom View:

  1. In Event Viewer, right-click Custom Views and select Create Custom View.
  2. In the Logged dropdown, choose a time range, or select a custom time range.
  3. Under Event level, choose the levels you want to include, such as Critical, Error, Warning, or Information.
  4. Choose how you want to filter events: By log or By source.
  5. Save the Custom View with a clear name so you can reuse it later.

You can also export a log or Custom View as an .evtx file. This is useful when you need to archive events and share them with other administrators for further analysis.
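
The same kind of filter can be run from PowerShell. The following is an added example, not part of the original guide: it selects Critical, Error, and Warning events from the System and Application logs, projects them onto the entry fields listed under Understanding Event Viewer Entries, and exports the matching System events to an .evtx file. The 24-hour window, the chosen logs and levels, and the output path are assumptions.

```powershell
# Added example: a Custom View style filter run from PowerShell.
# Assumptions: 24-hour window, System + Application logs, export under $env:TEMP.

$since  = (Get-Date).AddHours(-24)
$levels = 1, 2, 3          # 1 = Critical, 2 = Error, 3 = Warning (4 = Information)

$filter = @{
    LogName   = 'System', 'Application'
    Level     = $levels
    StartTime = $since
}

# Get-WinEvent writes an error when nothing matches, so suppress that case
# and treat it as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Project each entry onto the fields Event Viewer shows.
$events |
    Select-Object TimeCreated,
        @{ n = 'Source';      e = { $_.ProviderName } },
        @{ n = 'EventID';     e = { $_.Id } },
        @{ n = 'Level';       e = { $_.LevelDisplayName } },
        @{ n = 'User';        e = { $_.UserId } },
        @{ n = 'Computer';    e = { $_.MachineName } },
        @{ n = 'Description'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Which source and event ID pairs account for most of the entries?
$events | Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Export the matching System events to .evtx using the same filter as an
# XPath query. 86400000 ms = 24 hours.
$xpath = '*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
$out   = Join-Path $env:TEMP 'system-last24h.evtx'
wevtutil epl System $out "/q:$xpath" /ow:true

# An exported file can be read back on another machine.
Get-WinEvent -Path $out -MaxEvents 5 -ErrorAction SilentlyContinue
```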

Conclusion

Windows Event Log gives you a record of what happened on a machine before, during, and after a problem. Start with the System, Application, and Security logs, then use filters or Custom Views to narrow the results by time, severity, source, or event ID. For deeper log analysis or sharing, you can export the relevant events as an .evtx file.

FAQs

How do I view Windows logs?

Open Event Viewer using one of these methods:

  1. Press Win + R, type eventvwr, and press Enter
  2. Search for Event Viewer from the Start menu
  3. Open Command Prompt and run eventvwr

Where are Windows log files stored?

Windows event log files are typically stored in:

C:\Windows\System32\winevt\Logs

These files use the .evtx format.

How do I audit Windows logs?

To audit Windows logs:

  1. Open Event Viewer
  2. Go to Windows Logs > Security
  3. Review security-related events
  4. Configure audit policies through Local Security Policy or Group Policy if needed

Where are login logs in Windows?

Login-related events are usually recorded in the Security log in Event Viewer. These may include successful and failed sign-in events, depending on your audit policy and environment.
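
One way to review failed sign-ins from the Security log in PowerShell, as an added example that is not part of the original guide. It assumes event ID 4625 (the Windows failed-logon event), a 24-hour window, a threshold of five failures, an elevated session, and an English-language system for the auditpol subcategory name.

```powershell
# Added example: summarise failed sign-ins recorded in the Security log.
# Assumptions: event ID 4625 (failed logon), 24-hour window, threshold of 5.
# Reading the Security log and running auditpol require an elevated session.

# Confirm that logon auditing is enabled; without it no sign-in events are written.
auditpol /get /subcategory:"Logon"

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
}
$failed = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = @(foreach ($ev in $failed) {
    # Event-specific values are <Data Name="...">value</Data> elements.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.InnerText
    }
    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        SourceIP  = $data['IpAddress']
    }
})

"Failed sign-ins in the last 24 hours: $($rows.Count)"

# Account and source address pairs with repeated failures.
$rows | Group-Object Account, SourceIP |
    Where-Object Count -ge 5 |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Most recent failures, for context.
$rows | Sort-Object Time -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```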

How do I view Windows setup logs?

To view setup-related logs:

  1. Open Event Viewer
  2. Navigate to Applications and Services Logs > Microsoft > Windows > Setup

How do I view application logs in Windows?

To view application logs:

  1. Open Event Viewer
  2. Navigate to Windows Logs > Application
