Microsoft

Configure IT Quick: Let EventID.Net help you decipher Windows Event logs

Learn how to read Windows log files using Event Viewer and then decipher them through EventID.Net.


Windows Event logs are an important part of system diagnosis, but oftentimes it may not be clear what the events mean or where to go for help in fixing the problem. While administrators can search for the meaning of a cryptic log entry via an Internet search engine or Microsoft's Knowledge Base, a much more straightforward approach is to search EventID.Net, a non-Microsoft Web site that contains a searchable database of 1,347 Windows NT/2000 events and what they mean, with advice from other administrators on what to do about them. In this article, I’ll show you how to read Windows log files using Event Viewer and then decipher them through EventID.Net.

How to diagnose an event
The first place to go to diagnose an event on a Windows machine is the Windows Event Viewer, an administrative tool that displays the contents of the Windows Event Log files along with details on each event. In many cases, all you need to know to diagnose a problem will be found here.

To open Event Viewer on my Windows NT machine, I clicked Start | Programs | Administrative Tools (Common) | Event Viewer. (Your machine may be slightly different, depending on your Windows installation. Windows 2000 users can open Event Viewer by clicking Start | Settings | Control Panel | Administrative Tools | Event Viewer. You can check the Help file for the correct path to the Event Viewer on your particular machine.)

Figure A


In the Event Viewer window (see Figure A), I clicked on the Log menu to display a list of event logs available on my machine. Windows NT keeps three event logs, one for System events, a second for Application events, and a third for Security events. In this case, I selected the System event log. (Windows 2000 machines that are configured with Active Directory or DNS include three additional log files, one each for Directory Service, DNS Server, and File Replication Service Events.)

Scrolling down the list, I double-clicked on the warning event generated by the Srv source to display the Event Detail window for that event, as shown in Figure B.

Figure B


It turned out that the details given for this event were self-explanatory and quite sufficient for dealing with the problem. But not all Event Detail information is as straightforward. For example, Figure C shows the Event Detail window displayed after double-clicking on the error event generated from the Source atapi. The details displayed don’t help very much. More information is needed to diagnose and correct this error. Here is where EventID.Net can help.

Figure C


Searching the EventID.Net database
To find more information about an event in the EventID.Net database, you’ll need to know the event ID number listed in the Event column of the Event Viewer window. On the EventID.Net Web site, navigate to the site’s search engine and enter the number, as shown in Figure D. In this case, I entered 9, the Event ID listed for the atapi error event. (Unless the event pertains to more than one source, it’s usually not necessary to enter anything in the optional Source field.)

Figure D


Clicking the Search button displays the search results, as shown in Figure E.

Figure E


The search results list the experience the contributing administrators have had with this event, including causes and possible solutions. Under More Info, you’ll find links to Microsoft Knowledge Base articles pertaining directly to this event. How-to articles from other sources on the Internet may also be listed, as well as links to other search engines that will directly search the Internet for additional information about this event.

From reading the comments of the contributors, along with the references to the Microsoft Knowledge Base, I concluded that the error probably occurred when I attempted to read a CD-R that wasn’t compatible with my three-year-old CD-ROM player. Moreover, I now know that I need to keep track of any further occurrences of this event, because they may be indicative of a much more serious problem.

Keep this link close at hand
With 1,347 event IDs and 248 event sources provided by 445 contributors, and 963 submitted events pending validation, the EventID.Net database could very well become an indispensable addition to a Windows administrator’s toolkit. It's definitely on my Internet browser's Favorites list.

Can't do without it
Is there an IT support Web site or Internet resource that you couldn't get by without? What type of sites do you find the most useful? Post a comment to this article and share your opinions.

 

Editor's Picks