Indiana University
University Information Technology Services
  

In Windows 2000, XP, and Vista, what is the Event Viewer?

Windows Vista, XP, and 2000 have the built-in capability to alert users about significant occurrences in the system or in an application. Some critical events, such as a full hard drive or an interruption in the power supply, are immediately noted with an on-screen message. These events, along with less critical events not needing immediate attention, are also recorded in the event log for future reading.

Event logging starts automatically each time you start Windows Vista, XP, or 2000. With an event log and an administrative tool called the Event Viewer, you can troubleshoot various hardware and software problems and monitor security events for your computer. You can also archive logs in various file formats.

Event Viewer in Windows 2000 and XP

Windows XP and 2000 have either three or four basic types of logs in which events are recorded:

  • System log: The system log contains events logged by system components. For example, the failure of a driver or other system component (like a service) to load during startup is recorded in the system log. The operating system predetermines the type of events kept in the system log.

  • Security log: The security log can contain valid and invalid login attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you are using the User Manager to enable login and logout auditing, attempts to log into the system are recorded in the security log. The administrator of the computer chooses what the security log monitors.

  • Application log: The application log contains events logged by applications. For example, a database program might record a file error in the application log. Application developers decide which events to monitor.

  • Internet Explorer log: This application log only appears when Internet Explorer 7 is installed; it stays empty for the majority of users. You can use this log when the Microsoft Application Compatibility Toolkit is installed and enabled. Normal users can ignore this log.

    For administrators and developers, when the Microsoft Application Compatibility Toolkit is installed, the Internet Explorer log becomes a source of necessary information. Internet Explorer 7 contains many security features not included in previous versions, and some content or web applications will not function as they used to. When the toolkit is installed and Application Compatibility Logging is enabled, this log will record events pertinent to content displaying or executing (or failing to do either) in Internet Explorer 7. That way, when a problem occurs, developers or administrators can see exactly which feature of Internet Explorer is blocking the content; this will allow them to either reconfigure the browser or the application, or rewrite the problematic code activating the security feature.

All users can view the system and application logs. The security logs are accessible only to the system administrators.

Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?

To access the Event Viewer in Windows XP Classic View or Windows 2000, from the Start menu, select Settings, and then Control Panel. Double-click Administrative Tools, and then select Event Viewer.

Note: If this doesn't match what you see, refer to About navigation settings in Windows.

Event Viewer in Windows Vista

Windows Vista expands the concept of the Event Viewer, segregating logs into "Windows Logs" and "Applications and Services" logs.

You can use Windows Logs to store events from legacy applications and events that apply to the system as a whole. In Vista, they include the three basic types listed in the section above, plus the following two:

  • Setup log: The Setup log contains events related to application setup.

  • ForwardedEvents log: The ForwardedEvents log stores events collected from remote computers.

Applications and Services logs are new in Vista. These logs contain events from single programs or components rather than events that impact the entire system. There are four types of Applications and Services logs:

  • Admin: These logs record issues of concern to people operating the computer. Events recorded here are normally problems directly affecting end users that have well-defined solutions.

  • Operational: These logs record events that aren't necessarily problems. Rather, they are simply records of occurrences (e.g., when a peripheral such as a printer is installed).

  • Analytic: Analytic logs record problems that Windows notes, but that most users will not be able to solve easily on their own. They tend to cover specialized issues with Windows, such as debugging information for problems experienced with enabling and using the Encrypting File System, or issues with missing elements of the user interface.

  • Debug: Debug events are records of problems that programmers can use to troubleshoot problems with their programs.

Event Viewer in Windows Vista is also different from previous versions of Windows in that the logged events are saved in XML format. Administrators can therefore construct XML queries against information found in Event Viewer, and then parse the output for display in other applications.
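
The query-then-parse workflow described above, as an added example that is not part of the original Knowledge Base document: it summarizes failed logons from a Security log export. Event ID 4625 (failed logon on Vista), the wevtutil command line, and the sample events are assumptions of this example; the sample data is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace carried by every event that Vista and later render as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# XPath filter in the form Event Viewer and wevtutil accept (assumed: 4625 = failed logon).
FAILED_LOGON_QUERY = "*[System[(EventID=4625)]]"
EXPORT_COMMAND = f'wevtutil qe Security /q:"{FAILED_LOGON_QUERY}" /f:xml /e:Events'

# Constructed sample shaped like the output of EXPORT_COMMAND, plus one unrelated event.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4625</EventID><TimeCreated SystemTime="2009-05-13T08:01:10Z"/></System><EventData>
 <Data Name="TargetUserName">alice</Data><Data Name="IpAddress">192.0.2.10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4625</EventID><TimeCreated SystemTime="2009-05-13T08:01:12Z"/></System><EventData>
 <Data Name="TargetUserName">alice</Data><Data Name="IpAddress">192.0.2.10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4625</EventID><TimeCreated SystemTime="2009-05-13T08:03:45Z"/></System><EventData>
 <Data Name="TargetUserName">bob</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4624</EventID><TimeCreated SystemTime="2009-05-13T08:04:00Z"/></System><EventData>
 <Data Name="TargetUserName">alice</Data><Data Name="IpAddress">192.0.2.10</Data></EventData></Event>
</Events>"""


def failed_logons(export_xml):
    """Return (time, account, source address) for each 4625 event in the export."""
    rows = []
    for event in ET.fromstring(export_xml).findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue  # skip other events if the export used a broader query
        data = {d.get("Name"): (d.text or "")
                for d in event.findall("e:EventData/e:Data", NS)}
        when = event.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append((when, data.get("TargetUserName", "?"), data.get("IpAddress", "?")))
    return rows


def attempts_per_account(rows):
    """Count failed logons per targeted account."""
    return Counter(account for _, account, _ in rows)
```

Reading the Security log requires administrator rights, so run the export from an elevated prompt and parse the resulting file under a normal account.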

To access the Event Viewer in Vista Classic View, from the Start menu, select Settings, and then Control Panel. Double-click Administrative Tools, and then select Event Viewer.

Note: If this doesn't match what you see, refer to About navigation settings in Windows.

This is document aivi in domain all.
Last modified on May 13, 2009.
