
If you’ve got weird issues going on with your PC like missing desktop icons, failed updates, or even security concerns, it can be difficult to know how to start diagnosing the problem. There are so many tools and features in Windows that help you run a PC diagnostics report, but you don’t always need to spend hours figuring out each one and troubleshooting a dozen possibilities to work out the problem. Sometimes all you need is an error code attached to a particular failure event and a quick Google search.

That’s why Windows Event Viewer is one of the best starting points because it gives you a breakdown of all the things that happened to your PC, including errors and critical failures. Here’s everything you need to know about accessing, filtering, and analyzing the logs in Windows Event Viewer.

What to know before opening Windows Event Viewer

Windows Event Viewer is a built-in utility in Microsoft Windows that allows users and IT professionals to view, manage, and analyze log data generated by the operating system and applications. These logs are essential for diagnosing errors, monitoring security activities, troubleshooting system crashes, and verifying successful installations or updates.

Windows Event Viewer generates five core log categories that each serve distinct diagnostic and auditing purposes:

Application: Captures events from installed software (e.g., Microsoft Office, SQL Server). Useful for debugging crashes or feature failures.

Security: Records login attempts, access control, and audit policies. Essential for compliance and forensic analysis.

System: Logs OS-level events like driver failures, service startups, and hardware issues.

Setup: Tracks installation and update processes, including Windows upgrades and feature deployments.

Forwarded Events: Aggregates logs from remote systems via event subscriptions. Ideal for centralized monitoring.

Accessing Security and portions of the System logs requires administrative privileges since they contain sensitive information like authentication records, privilege escalations, and kernel-level events that could expose vulnerabilities if misused.

IMPORTANT: Event Viewer logs performance-related events that have already happened. This means it can’t give you real-time performance monitoring or detailed metrics like current CPU utilization. It’s up to you to analyze the logs and draw conclusions; there’s no cause-and-effect explanation beyond what happened at that specific moment, such as an app failing to start or a service crashing.

» Don’t miss our guides to enabling Windows automatic updates and disabling Windows updates

How to access Windows Event Viewer logs

The process of opening Windows Event Viewer and viewing logs has barely changed from Windows XP through Windows 11. Just follow these steps:

1. Press Windows + R to open the run dialog, then type eventvwr.msc and hit Enter


2. Alternatively, search for “event viewer” in the Windows search box and open it that way


3. In Event Viewer, you can access specific logs from the 5 categories by expanding “Windows Logs” in the left pane, then clicking the specific log type you want to search through


4. From here, click “Filter Current Log” from the right panel, then adjust what’s displayed by changing the time events were logged or by severity (the “Event level”). In order of severity, the levels mean:

  • Critical: Indicates a severe problem that might cause system instability or failure. Requires immediate attention.
  • Error: A significant problem occurred, possibly leading to loss of data or functionality. Not critical but should be investigated.
  • Warning: An issue that doesn’t immediately affect functionality but could indicate potential future problems or an abnormal condition (e.g., low disk space).
  • Information: Successful operations or general system activities. Most events fall into this category and are usually not a concern.
  • Verbose: Highly detailed diagnostic information, typically used by developers or IT professionals for deep troubleshooting.

5. Analyze the logs to find critical events, errors, or warnings. You can also shift between the “General” tab and “Details” tab to see an overview of key information or a detailed breakdown that you can use for complex troubleshooting


Key things to look for include:

  • Source: The application, service, or component that generated the event (e.g., disk, Service Control Manager, application error, Windows update). This helps pinpoint where the problem originated.
  • Event ID: A unique numerical identifier for the event. This ID is incredibly valuable as it can be used in search engines to find Microsoft documentation, forums, or community solutions related to that specific error.
  • Task category: Provides additional context about the event within its source (e.g., shutdown, log on/log off).

The “General” tab offers a simple explanation of the event that occurred with these key points highlighted, while the “Details” tab provides more technical information, often in XML format, which can be useful for advanced users or when troubleshooting with support.

How long does Event Viewer retain logs?

By default, Windows Event Viewer retains logs based on maximum file size and not duration. For example, the default size for the System or Application logs is often set to 20 MB, which may only store 2–5 days of activity depending on system load. Once full, older entries are overwritten unless archiving is enabled.

This might be fine for single endpoints and users, but more complicated networks or machines under heavy workloads might need longer retention or even permanent storage. Here’s how you can adjust:

Directly in Event Viewer

1. Right-click the log you want to modify > Properties


2. Adjust the maximum log size in the properties to a value you think is reasonable. It’s set to about 20 MB by default


3. Alternatively, you can also adjust the system to archive the logs when full instead of overwriting them, or disable overwriting events completely

Keep in mind that disabling overwriting completely means logs will accumulate, continuously consuming more storage space. Be sure to clear them out every once in a while to stop your systems from getting clogged.

With PowerShell

PowerShell provides IT professionals with a powerful way to modify log retention settings across single systems or entire fleets. This is particularly valuable for MSPs managing multiple client environments who need consistent logging standards.

Follow these steps:

1. Open PowerShell as an Administrator


2. View the current configuration of a log by pasting this PowerShell command: Get-WinEvent -ListLog System | Select-Object LogName, MaximumSizeInBytes, LogMode


This returns key information including:

  • LogName: The log category (System, Application, Security, etc.).
  • MaximumSizeInBytes: Current size limit.
  • LogMode: Retention behavior (Circular, AutoBackup, Retain).

3. Increase the maximum size of a specific log. For example, to increase the size of System logs, use this command: wevtutil sl System /ms:104857600

Note: Log sizes must be specified in bytes and should be multiples of 64KB (65536 bytes) for optimal PC performance.


If you want to, change the retention modes with these commands (wevtutil is a built-in command-line tool, so these run from the same elevated PowerShell window):

  • Overwrite as needed: wevtutil sl System /rt:false /ab:false
  • Archive log when full: wevtutil sl Security /rt:true /ab:true (auto-backup only takes effect when retention is also enabled, which is why /rt is true here)
  • Don’t overwrite (requires manual cleaning): wevtutil sl Security /rt:true /ab:false
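The following script is an added example (not part of the article or of Atera’s tooling): it audits the three core logs against a retention policy and applies only the changes that are missing, using the same wevtutil switches shown above. The policy values and the 64 KB rounding are assumptions you should adjust.

```powershell
# Added example: enforce a log-retention policy with wevtutil.
# Run from an elevated PowerShell session. Policy values below are assumptions.
$Policy = @{
    'System'      = @{ MinSizeMB = 100; LogMode = 'Circular'   }  # overwrite as needed
    'Application' = @{ MinSizeMB = 100; LogMode = 'Circular'   }
    'Security'    = @{ MinSizeMB = 512; LogMode = 'AutoBackup' }  # archive when full
}

# wevtutil expects the size in bytes; round up to a multiple of 64 KB (65536).
function Get-RoundedSize([long]$Bytes) {
    $chunk = 65536
    return [long]([math]::Ceiling($Bytes / $chunk) * $chunk)
}

foreach ($name in $Policy.Keys) {
    $want      = $Policy[$name]
    $log       = Get-WinEvent -ListLog $name -ErrorAction Stop
    $wantBytes = Get-RoundedSize ($want.MinSizeMB * 1MB)
    $changes   = @()

    if ($log.MaximumSizeInBytes -lt $wantBytes) {
        $changes += "/ms:$wantBytes"
    }
    if ("$($log.LogMode)" -ne $want.LogMode) {
        switch ($want.LogMode) {
            'Circular'   { $changes += '/rt:false'; $changes += '/ab:false' }
            'AutoBackup' { $changes += '/rt:true';  $changes += '/ab:true'  }
            'Retain'     { $changes += '/rt:true';  $changes += '/ab:false' }
        }
    }

    if ($changes.Count -eq 0) {
        Write-Host "$name already compliant ($($log.MaximumSizeInBytes) bytes, $($log.LogMode))"
        continue
    }
    Write-Host "$name -> wevtutil sl $name $($changes -join ' ')"
    & wevtutil.exe sl $name @changes
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed for $name (exit code $LASTEXITCODE)"
    }
}
```

Because the script only issues wevtutil for logs that drift from the policy, it is safe to schedule or push repeatedly through an RMM tool.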

The real benefit from PowerShell scripts comes from the ability to deploy them to all endpoints remotely across entire enterprise IT infrastructures. RMM platforms like Atera allow users to manage log retention policies at scale without touching individual machines.

Instead of manually configuring Event Viewer settings on each workstation, IT teams can push standardized PowerShell scripts to hundreds or thousands of endpoints simultaneously, ensuring consistent logging policies across the organization.

» Learn more: How to run PowerShell commands on a remote computer

How to analyze Windows Event Viewer logs

Now that you know how to find and view the logs, here’s what to look out for and what it means for each log type.

Application logs (software issues)

Application logs capture events from installed software, making them essential for diagnosing crashes, failed updates, and service interruptions. When users report software problems, Application logs are typically your first stop.

Common issues include:

  • Crashes in applications like Outlook, SQL Server, or Adobe Reader
  • Failed software installations or updates
  • .NET runtime errors and service failures
  • Application hangs or unresponsive behavior
  • Database connection failures
  • Third-party service errors

| Event ID | Description | Example | Action |
|---|---|---|---|
| 1000 (Application Error) | Indicates an application crash with faulting module details | Faulting application name: outlook.exe, version: 16.0.5197.1000, faulting module name: KERNELBASE.dll | Review the faulting module path to identify corrupted DLLs or incompatible versions |
| 1001 (Windows Error Reporting) | Shows that an error report was generated and potentially sent to Microsoft | Application crash report for Excel.exe was queued for transmission | Check online to see if Microsoft has published fixes for the reported issue |
| 1002 (Application Hang) | Records when an application becomes unresponsive | Program chrome.exe version 118.0.5993.89 stopped interacting with Windows | Investigate resource constraints or extension conflicts |
| 2001 (.NET Runtime error) | Critical for .NET application failures | .NET Runtime version 4.0.30319.0 – Fatal Execution Engine Error | Verify .NET Framework installation integrity and consider reinstalling |
| 10005 (MsiInstaller) | Tracks Windows Installer package operations | Product: Adobe Acrobat Reader DC – Update installation failed | Review installer logs for specific error codes and prerequisite failures |
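As an added example (not from the article), this script does the “review the faulting module” step for Event ID 1000 across the whole Application log at once, so a module that crashes several different programs stands out from a single misbehaving app. It assumes the English message text shown in the table and a seven-day lookback.

```powershell
# Added example: group Event ID 1000 crashes by faulting application and module.
# Assumes English event messages; the 7-day lookback is an assumption.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue

# (?s) lets .*? cross the line breaks between the two "Faulting ..." fields.
$pattern = '(?s)Faulting application name: (?<App>[^,]+),.*?Faulting module name: (?<Module>[^,]+),'

$crashes = @(foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            App    = $Matches.App.Trim()
            Module = $Matches.Module.Trim()
        }
    }
})

"Application crashes since $since : $($crashes.Count)"
$crashes | Group-Object App, Module | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# A module that faults under more than one application points at a shared
# component (a system DLL, a driver's user-mode part, a security product hook)
# rather than at the application itself.
$crashes | Group-Object Module |
    Where-Object { @($_.Group.App | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $apps = ($_.Group.App | Select-Object -Unique) -join ', '
        "$($_.Name) faulted in multiple applications: $apps"
    }
```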

System logs (OS and hardware problems)

System logs record operating system-level events, including driver failures, service startups, hardware issues, and kernel-level problems. These logs are critical when diagnosing boot issues, unexpected shutdowns, or hardware malfunctions.

Common issues include:

  • Driver crashes and compatibility issues
  • Disk I/O errors and storage failures
  • Unexpected shutdowns or reboots
  • Service startup failures (Windows Update, DHCP, DNS)
  • Hardware errors (memory, disk controllers, network adapters)
  • Time synchronization problems

| Event ID | Description | Example | Action |
|---|---|---|---|
| 41 (Kernel-Power) | System rebooted without cleanly shutting down first | The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly | Investigate power supply issues, overheating, or hardware failures |
| 7000 (Service Control Manager) | A service failed to start during boot | The Windows Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion | Check service dependencies and configuration; attempt manual service restart |
| 51 (disk) | Disk I/O timeout or failure warning | An error was detected on device \Device\Harddisk1\DR1 during a paging operation | Run disk diagnostics immediately; this often precedes drive failure |
| 10010 (DistributedCOM) | DCOM server timeout | The server {GUID} did not register with DCOM within the required timeout | Investigate application startup issues or system resource constraints |
| 219 (Kernel-PnP) | Driver failed to load | The driver \Driver\WudfRd failed to load for the device | Update or reinstall the problematic driver; check Windows Update for driver updates |

» Here are our picks for the best hardware monitoring tools

Security logs (threat detection and compliance)

Security logs record authentication events, privilege usage, and audit policy enforcement. These logs are essential for detecting unauthorized access, brute-force attacks, and compliance monitoring.

Common issues include:

  • Failed login attempts (potential brute-force attacks)
  • Successful logins from unusual locations or times
  • Privilege escalation events
  • Account lockouts
  • Changes to user accounts or security groups
  • Access to sensitive files or registry keys
  • Audit policy changes

| Event ID | Description | Example | Action |
|---|---|---|---|
| 4625 (failed logon) | Records authentication failures | An account failed to log on. Subject: Account Name: SYSTEM. Failure Reason: Unknown user name or bad password. Logon Type: 3 (Network) | Multiple 4625 events from the same source within minutes indicate a brute-force attempt; block the source IP |
| 4624 (successful logon) | Documents successful authentication | An account was successfully logged on. Logon Type: 10 (RemoteInteractive), Account Name: administrator | Compare against authorized access times; Logon Type 10 outside business hours warrants investigation |
| 4672 (special privileges assigned) | High-value account used | Special privileges assigned to new logon: SeDebugPrivilege, SeBackupPrivilege | Verify that administrative access was authorized and expected |
| 4720 (user account created) | New user account added to system | A user account was created. Account Name: newadmin, Security ID: S-1-5-21-… | Verify legitimate account creation; unauthorized accounts indicate compromise |
| 4728 (member added to security group) | User added to privileged group | A member was added to a security-enabled global group. Member: john.doe, Group: Domain Admins | Critical for detecting privilege escalation; validate all administrative group changes |
| 4740 (account locked out) | Account locked due to failed login attempts | A user account was locked out. Target Account: jsmith, Caller Computer Name: WORKSTATION-05 | Investigate whether lockout resulted from forgotten password or malicious activity |
| 4738 (user account changed) | Account properties modified | A user account was changed. Password Last Set: Never | Monitor for password policy bypasses or account permission changes |
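The script below is an added example (not from the article) that turns the first two rows of the table into checks you can run against the local Security log: a burst of 4625 failures from one source, and 4624 logons of type 10 (RemoteInteractive) outside business hours. It reads the named fields from the event XML, which is the same data the “Details” tab shows. The threshold, window, business hours and lookback are assumptions.

```powershell
# Added example: brute-force bursts (4625) and off-hours RDP logons (4624, type 10).
# Requires an elevated session, since the Security log needs administrative rights.
$Lookback      = (Get-Date).AddHours(-24)          # assumption
$Threshold     = 10                                # failures from one source ...
$Window        = [timespan]::FromMinutes(5)        # ... within this window
$BusinessHours = 8..18                             # assumption: 08:00-18:59 local time

# Pull named EventData fields out of the event XML (the "Details" tab view).
function Get-EventField($Event, [string[]]$Names) {
    $xml = [xml]$Event.ToXml()
    $out = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($Names -contains $d.Name) { $out[$d.Name] = $d.'#text' }
    }
    return $out
}

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Lookback } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventField $_ 'IpAddress', 'TargetUserName', 'LogonType'
        [pscustomobject]@{ Time = $_.TimeCreated; Source = $f.IpAddress; User = $f.TargetUserName; LogonType = $f.LogonType }
    }

# Sliding window over the sorted timestamps of each source address.
foreach ($g in ($failed | Group-Object Source)) {
    $times = @($g.Group.Time | Sort-Object)
    for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
        if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) {
            $users = ($g.Group.User | Select-Object -Unique) -join ', '
            Write-Warning ("{0}: {1}+ failed logons within {2} min starting {3} (accounts: {4})" -f
                $g.Name, $Threshold, $Window.TotalMinutes, $times[$i], $users)
            break   # one alert per source is enough; the events are still there to review
        }
    }
}

# RemoteInteractive (type 10) logons outside business hours.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Lookback } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventField $_ 'LogonType', 'TargetUserName', 'IpAddress'
        if ($f.LogonType -eq '10' -and $_.TimeCreated.Hour -notin $BusinessHours) {
            Write-Warning "Off-hours RDP logon: $($f.TargetUserName) from $($f.IpAddress) at $($_.TimeCreated)"
        }
    }
```

Failed logons only appear at all if audit policy records logon failures, so an empty result should be confirmed against the audit settings before it is read as good news.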

» Double check those strange login attempts with Windows Activity History

Setup logs (installation and updates)

Setup logs track Windows installations, updates, and component configurations. These logs are invaluable when diagnosing failed Windows upgrades, driver installations, or system provisioning issues.

Common issues include:

  • Windows feature update failures (e.g., Windows 10 to 11 upgrades)
  • Cumulative update installation errors
  • Driver installation conflicts
  • System component registration failures
  • Sysprep operation issues

| Event ID | Description | Example | Action |
|---|---|---|---|
| 2 (servicing) | Windows Update component installation failure | Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework | Review Windows Update logs in C:\Windows\Logs\CBS for detailed error codes |
| 1009 (WinlogonLogon) | User profile service failure | Windows cannot load the user’s profile but has logged you on with the default profile for the system | Indicates corrupted user profile; may require profile recreation |
| 1530 (User Profile Service) | Profile load failure with detailed error | Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. | Check for locked registry hives or services holding profile locks |

» Struggling with the registry? Here are the most common registry editor challenges & our solutions

Forwarded Events (centralized monitoring)

Forwarded Events aggregate logs from multiple remote systems into a centralized collector, enabling unified visibility across distributed environments. This log category only contains entries when Windows Event Forwarding (WEF) is configured.

Common issues include:

  • Security incidents across multiple endpoints
  • System-wide service failures
  • Compliance violations requiring audit trails
  • Correlated attack patterns spanning multiple machines
  • Fleet-wide configuration drift

Unlike the other log categories, Forwarded Events has no Event IDs of its own. Instead, it contains copies of events from the source systems’ logs (Application, System, Security). Its value lies in centralized correlation.

Transform Windows troubleshooting into proactive prevention

Mastering Windows Event Viewer means understanding log categories, critical Event IDs, and retention policies. It gives IT professionals the diagnostic foundation needed for effective troubleshooting. But at scale, manual log analysis becomes a bottleneck that prevents IT teams from focusing on strategic initiatives.

Atera transforms Event Viewer troubleshooting by enabling IT teams to deploy PowerShell scripts remotely across their entire fleet. Through Atera’s RMM platform, you can push log retention commands to hundreds of endpoints simultaneously, monitor system health, and respond to issues faster. For IT professionals and MSPs managing Windows environments across multiple clients, this centralized approach to remote management transforms reactive troubleshooting into systematic fleet-wide operations.

» Try Atera for free
