Windows 10 comes with a powerful logging system known as the Event Viewer, which records detailed information about system activities, application behavior, and security events. Understanding how to leverage Windows Event Logs is essential for troubleshooting issues, monitoring system performance, and enhancing security.
Windows 10 primarily maintains three main types of event logs:
- Application Logs – Capture events related to installed applications.
- System Logs – Record system-level events, such as hardware failures or driver issues.
- Security Logs – Track security-related events, including logins, policy changes, and access attempts.
This guide covers how to access, configure, and analyze Windows 10 event logs for better system management and troubleshooting.
Log & Configuration File Locations
Before exploring the details, it’s essential to understand where Windows 10 stores its logs:
| Log Type | Location |
|---|---|
| Application Logs | Windows Event Viewer > Windows Logs > Application |
| System Logs | Windows Event Viewer > Windows Logs > System |
| Security Logs | Windows Event Viewer > Windows Logs > Security |
| Setup Logs | Windows Event Viewer > Windows Logs > Setup |
| Custom Logs | Windows Event Viewer > Applications and Services Logs |
All logs are stored in binary format files in the directory:
C:\Windows\System32\winevt\Logs\
Understanding Windows 10 Application Logs
What Are Application Logs?
Application logs capture events logged by installed software. These logs are useful for:
- Troubleshooting software issues
- Monitoring application behavior
- Identifying application crashes or misconfigurations
Accessing Application Logs
To access application logs:
- Open Event Viewer:
- Press
Win + R, typeeventvwr, and press Enter.
- Press
- Expand Windows Logs.
- Click on Application to view a list of events.
Sample Application Log Entry
Level: Error
Source: Application Error
Event ID: 1000
Task Category: (100)
Message: Faulting application name: chrome.exe, version: 114.0.5735.198, faulting module name: ntdll.dll, exception code: 0xc0000374.
| Field | Description |
|---|---|
| Level | Severity of the event (Information, Warning, Error) |
| Source | The application or service that generated the event |
| Event ID | Numeric code that identifies the event |
| Message | Description of the event |
Understanding Windows 10 System Logs
What Are System Logs?
System logs capture system-related events, such as hardware changes, driver updates, and operating system errors. These logs are critical for:
- Diagnosing system failures
- Troubleshooting hardware and driver issues
- Monitoring system performance
Accessing System Logs
To access system logs:
- Open Event Viewer.
- Expand Windows Logs.
- Click on System to view system events.
Sample System Log Entry
Level: Warning
Source: Microsoft-Windows-Kernel-Power
Event ID: 41
Message: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Explanation: This log entry indicates that the system was shut down improperly, which could point to a power failure or crash.
Understanding Windows 10 Security Logs
What Are Security Logs?
Security logs track security-related events, such as user logins, failed access attempts, and changes to system permissions. These logs are essential for:
- Monitoring unauthorized access
- Auditing user activity
- Detecting security breaches
Accessing Security Logs
To access security logs:
- Open Event Viewer.
- Expand Windows Logs.
- Click on Security to view security events.
Sample Security Log Entry
Level: Information
Source: Microsoft-Windows-Security-Auditing
Event ID: 4624
Task Category: Logon
Message: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-12345$ Account Domain: WORKGROUP
| Field | Description |
|---|---|
| Level | Severity (Information, Success, Failure) |
| Source | Service or application that generated the event |
| Event ID | Unique identifier for the event |
| Task Category | Context of the event (e.g., Logon) |
| Message | Detailed information about the event |
Common Security Event IDs
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon attempt |
| 4672 | Special privileges assigned to a new logon |
| 4688 | A new process has been created |
| 4719 | System audit policy was changed |
Creating Custom Logs
Windows 10 allows you to create custom event logs to monitor specific applications or system behaviors:
- Open Event Viewer and navigate to Applications and Services Logs.
- Right-click and select Create Custom View.
- Define the event sources, levels, and IDs you want to track.
- Save the custom view with a meaningful name.
Configuring Event Log Size and Retention
To prevent event logs from consuming too much disk space, you can adjust their size and retention policies:
- Open Event Viewer.
- Right-click on a log (e.g., Application) and select Properties.
- Adjust the Maximum log size and Overwrite events options.
Best Practice: Set logs to “Overwrite as needed” to avoid filling up disk space.
Using PowerShell to Access Event Logs
PowerShell provides a powerful way to query and filter event logs:
Get a list of available logs:
Get-EventLog -ListView the most recent entries in the System log:
Get-EventLog -LogName System -Newest 10Filter logs by Event ID:
Get-EventLog -LogName Security -InstanceId 4624Mastering Windows 10 Event Logs is essential for effective system administration, troubleshooting, and security monitoring. By leveraging the Event Viewer and PowerShell, you can gain deep insights into your system’s operations, quickly identify issues, and enhance overall security.
Use this guide to optimize your event log management and improve your Windows 10 troubleshooting skills.