Event Viewer can expedite your system troubleshooting, but the information it provides is often overkill. Here's a look at how to create and save custom views that zero in on the details you need.
In last week's article, "How to revive a Windows 7 system with a clean install via the Windows 10 Media Creation Tool," I told you how I performed a clean install of Windows 10 on my old ASUS F3 laptop. As I mentioned, I decided to go the clean install route because Windows 7 was acting a bit quirky and I attributed that to a flawed update.
Well, soon after I performed the clean install of Windows 10, the system displayed a few more quirky behaviors and I became concerned that something might be wrong with some hardware component in the system.
So I dug out Windows 10's Event Viewer and began a troubleshooting expedition. Event Viewer provides a goldmine of information about your system. While this is a great benefit, it can also be a downfall because so much information is logged in Event Viewer that it can be an overwhelming task to find the necessary information to investigate your problem.
Fortunately, Event Viewer has a Filters feature that lets you target just the information that you need during your investigation. The Filter feature can be even more useful when you save your filter using the Create Custom View feature. When you do, you'll save time and effort on future troubleshooting expeditions, because once you create your custom view, you'll be able to use it again.
In this article, I'll show you how to use the Create Custom View feature in Windows 10's Event Viewer.
There are several ways to launch Event Viewer. One of the easiest ways is to click the Start button and begin typing Event Viewer. When Event Viewer appears in the Results pane, just click it to launch the tool. It will open the Overview And Summary panel, shown in Figure A, which displays a list of the most recent events collected from all the logs.
Figure A: The Overview And Summary panel displays a list of the most recent events.
Creating a custom view
Once you have Event Viewer up and running, you can create a custom view. To begin, pull down the Action menu and select the Create Custom View command. You can also select this command from the Actions pane that appears on the right side of Event Viewer. Either way, you'll see the Create Custom View dialog box, shown in Figure B.
Figure B: You'll configure your custom view using the settings on the Filter tab.
The Create Custom View dialog box has two tabs: Filter and XML. You'll use the settings on the Filter tab to create your custom view, so we'll focus on that one for now. We'll look at the XML tab in a future article.
The Logged dropdown allows you to specify when the event you are looking for occurred. By default, this is set to Any Time, which means that the view will essentially show you every single occurrence of the event you are looking for. However, you can be much more specific. When you click the dropdown menu, you'll find several options for specifying the number of hours or days, as shown in Figure C. There's even a Custom Range setting that will allow you to pick the exact time period you want.
Figure C: You can select one of the preset options or specify a custom range.
In the Event Level section, you'll choose the level of the event you are seeking, as shown in Figure D. Now, as you can see in Table A, these levels are essentially classifications of the event's severity. You can narrow your search by specifying a single level or widen your search by selecting multiple levels.
Figure D: You can choose one or multiple Event levels.
Using the By Log option and the Event Logs dropdown menu allows you to select the individual logs you want to search. When you access the Event Logs dropdown, you'll see a tree view that lets you select any one of the Windows Logs or the Applications And Services Logs, as shown in Figure E. Just select any of the check boxes adjacent to the logs you want to investigate.
Figure E: You can search the standard Windows Logs or the Applications And Services Logs.
As you can see in Table B, Windows Logs contains five logs (Application, Security, System, Setup, and Forwarded Events). The Applications And Services Logs vary and will include separate logs from the programs that run on your computer, plus detailed logs that record events from specific Windows services.
The By Source/Event Sources dropdown menu, shown in Figure F, enables you to narrow your search to specific event sources rather than searching entire logs. An event source is essentially the name of the software component that logs the event. It is often the name of the application or the name of a subcomponent if the application is large. When you make a selection from the By Source/Event Sources dropdown, Event Viewer automatically selects the appropriate item from the By Log/Event Logs dropdown.
Figure F: An event source is basically the name of the software component that logs the event.
Windows uses event IDs to define the uniquely identifiable events that a system can encounter. By default, the custom view will display all event IDs. However, if you know the event ID you want to search for, you can narrow your search by entering an event ID, as shown in Figure G. If you want to search for multiple event IDs, separate the IDs with commas. If you want to include a range of IDs, separate the first number from the last with a dash (-). If you want to exclude certain event IDs, precede those event IDs with a minus sign.
Figure G: By default, a custom view will search for all event IDs.
Task categories are defined by the event source—there are no default categories. So the Task category dropdown will be populated only if the selected event source contains task categories.
For example, if you select Microsoft Windows Security Auditing from the By Source/Event Sources dropdown, the Task category will become available, and the dropdown menu will be populated with choices, as shown in Figure H.
Figure H: Task categories are defined by the event source — there are no default categories.
If you want to further target your search, you can use keywords. However, contrary to the common use of the term, you can't enter your own keywords. In this case, a keyword is a term Microsoft uses to group or classify types of events, and there are a set number of predetermined keywords.
When you access the Keywords dropdown, shown in Figure I, you can select the check box adjacent to any of the keywords you want to use.
Figure I: Keywords are terms Microsoft uses to classify types of events.
Now, if you have multiple people using the same computer, you can narrow your search down to a specific user by entering the username in the User text box. The Computer(s) text box is designed for use on a system acting as a server, such as one sharing folders or printers on a network, as shown in Figure J. In most cases, you can leave these settings at the default values — Any Users and Any Computers.
Figure J: In most cases you can leave the User and Computer(s) settings at the default values.
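The same Filter tab choices can be expressed as a query from PowerShell. The following is an added example, not code from the original article: it translates the Event ID syntax described above (commas, dash ranges, minus-sign exclusions) into an XPath filter, combines it with event levels and a Logged time window, and runs it with Get-WinEvent. The function name ConvertTo-EventIdXPath and the sample ID list, log, and time window are assumptions chosen for illustration.

```powershell
# Added example: turn the Filter tab's Event ID syntax into an XPath predicate.
# ConvertTo-EventIdXPath is a hypothetical helper name; sample values are constructed.
function ConvertTo-EventIdXPath {
    param([Parameter(Mandatory)][string]$Expression)

    $include = @()
    $exclude = @()
    foreach ($token in ($Expression -split ',')) {
        $t = $token.Trim()
        if ($t -match '^-(\d+)$') {              # -1005     : exclude a single ID
            $exclude += "EventID != $($Matches[1])"
        } elseif ($t -match '^(\d+)-(\d+)$') {   # 1000-1010 : inclusive range
            $include += "(EventID >= $($Matches[1]) and EventID <= $($Matches[2]))"
        } elseif ($t -match '^\d+$') {           # 41        : single ID
            $include += "EventID = $t"
        } elseif ($t) {
            throw "Unrecognized Event ID token: '$t'"
        }
    }

    # Included IDs are alternatives (or); every exclusion must hold (and).
    $parts = @()
    if ($include) { $parts += '(' + ($include -join ' or ') + ')' }
    if ($exclude) { $parts += '(' + ($exclude -join ' and ') + ')' }
    $parts -join ' and '
}

# Constructed sample filter: Critical/Error/Warning, last 7 days, System log.
$levels  = 1, 2, 3          # 1 = Critical, 2 = Error, 3 = Warning
$days    = 7                # equivalent of "Last 7 days" in the Logged dropdown
$idXPath = ConvertTo-EventIdXPath '41,1000-1010,-1005'

$conditions = @(
    '(' + (($levels | ForEach-Object { "Level=$_" }) -join ' or ') + ')'
    "TimeCreated[timediff(@SystemTime) <= $($days * 86400000)]"   # window in ms
)
if ($idXPath) { $conditions += $idXPath }
$xpath = '*[System[' + ($conditions -join ' and ') + ']]'

# -FilterXPath takes the raw XPath, so < and > need no XML escaping here.
Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 50 |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
```

Get-WinEvent reports an error rather than an empty result when nothing matches the filter, and reading the Security log this way requires an elevated session.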
Save a custom view
Once you have configured your custom view and clicked OK, you'll see the Save Filter To Custom View dialog box, shown in Figure K. At this point, simply enter a name and click OK.
Figure K: When you click OK, you'll see the Save Filter To Custom View dialog box.
To use your custom view, select it from the Custom Views tree. The data it found will appear in the main panel, as shown in Figure L.
Figure L: Once you save your custom view, you can run it anytime by selecting it from the Custom Views branch of the Event Viewer tree.
How do you know what to choose?
Now that you know how to create and use a custom view in Event Viewer, you're probably wondering what to choose when creating your own. Well, the answer is that you have to spend some time investigating events.
At the beginning of the article, I told you that when Event Viewer launches, you'll see the Overview And Summary panel, which displays a list of the most recent events collected from all the logs. When you find an event in the Overview And Summary panel that appears to indicate a problem you've encountered, double-click on it and then access the Event Properties dialog box, shown in Figure M. You'll find all the information you need to fill in the Create Custom View dialog box. You'll just need to supply the date and time.
Figure M: Using the information in the Event Properties dialog box, you can fill in the Create Custom View dialog box.
What's your take?
Have you used Event Viewer as an aid while on a troubleshooting expedition? Have you used the Create Custom View feature? Share your advice and experiences with fellow TechRepublic members.