Windows Event Viewer
Use Event Viewer to diagnose errors, crashes, service failures, and security events on Windows Server
Event Viewer is the built-in log management tool in Windows Server. It records system errors, application crashes, security audits, and service events. Knowing how to read it is essential for diagnosing almost any Windows Server issue.
Open Event Viewer
Win + R → eventvwr.msc → Enter

Or via PowerShell:

```powershell
eventvwr
```

Or from Server Manager → Tools → Event Viewer.
Log categories
| Log | What it contains |
|---|---|
| Windows Logs → System | OS events, driver failures, service start/stop, hardware errors |
| Windows Logs → Application | App crashes, .NET errors, database errors, IIS events |
| Windows Logs → Security | Login successes/failures, privilege use, policy changes |
| Windows Logs → Setup | Windows Update and feature installation |
| Applications and Services Logs | Per-application logs (IIS, DNS, DHCP, etc.) |
Event levels
| Level | Icon | Meaning |
|---|---|---|
| Critical | ⚫ | System crash or unrecoverable failure |
| Error | 🔴 | Significant problem that needs attention |
| Warning | 🟡 | Potential problem, not yet critical |
| Information | ℹ️ | Normal operational events |
| Audit Success | ✅ | Successful security operation (Security log) |
| Audit Failure | ❌ | Failed security operation (Security log) |
Common Event IDs
System
| Event ID | Meaning |
|---|---|
| 41 | System rebooted without clean shutdown (kernel crash or power loss) |
| 1074 | System was restarted or shut down (shows who and why) |
| 7034 | A service terminated unexpectedly |
| 7036 | Service started or stopped |
| 7040 | Service start type changed |
Security
| Event ID | Meaning |
|---|---|
| 4624 | Successful login |
| 4625 | Failed login attempt |
| 4634 | Logoff |
| 4648 | Login using explicit credentials (RunAs) |
| 4720 | User account created |
| 4726 | User account deleted |
| 4740 | Account locked out (too many failed logins) |
| 4776 | Domain authentication attempt |
Application
| Event ID | Meaning |
|---|---|
| 1000 | Application crash (shows crashed app and module) |
| 1001 | Windows Error Reporting follow-up |
| 1026 | .NET runtime error |
Filter events (most useful feature)
Instead of scrolling through thousands of entries, filter by what you need:
- Right-click a log → Filter Current Log
- Set:
  - Event level: Error, Critical
  - Event ID: e.g. 4625 for failed logins
  - Logged: Last 24 hours, Last 7 days
  - Event source: e.g. Application Error
PowerShell: faster log queries
PowerShell is much faster for searching large logs:
```powershell
# Last 20 System errors
# (Get-EventLog only exists in Windows PowerShell 5.1; on PowerShell 7 use Get-WinEvent as below)
Get-EventLog -LogName System -EntryType Error -Newest 20 |
    Select-Object TimeGenerated, EventID, Source, Message |
    Format-Table -AutoSize

# All Critical events from last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1   # Critical
    StartTime = (Get-Date).AddHours(-24)
}

# Find failed logins (Security log)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Message | Format-List

# Find who rebooted the server
# (Get-EventLog has no -EventID parameter, so filter by ID with Get-WinEvent instead)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } -MaxEvents 10

# Find service crashes
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7034 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```

Diagnose a server crash (unexpected reboot)
- Open Windows Logs → System
- Filter for Critical events
- Look for Event ID 41: "The system has rebooted without cleanly shutting down"
- Note the timestamp and look at events just before it
Common causes:
- BugCheck code in Event 41: BSOD, note the stop code, then check minidump
- Event 1001 (BugCheck): confirms BSOD, shows the stop code
- Driver-related errors minutes before crash: hardware driver issue
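The "look at events just before it" step above can be scripted. The function below is an added example and not part of the original page: for each recent Event 41 it reads the BugcheckCode field from the event data, collects everything the System log recorded in the minutes before the crash timestamp, and pairs the crash with the BugCheck 1001 entry written after the reboot. The window sizes and the function name are assumptions; the provider name for 1074/1001 style lookups is left unfiltered so the example does not depend on a specific provider string.

```powershell
# Added example (not from the original page): correlate Event 41 with what preceded it.
function Get-CrashContext {
    param(
        [int]$MaxCrashes    = 3,    # how many recent ID 41 events to examine (assumed default)
        [int]$MinutesBefore = 10    # look-back window before each crash (assumed default)
    )
    $crashes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41 } `
                            -MaxEvents $MaxCrashes -ErrorAction SilentlyContinue
    foreach ($crash in $crashes) {
        # Event 41 carries BugcheckCode in its event data; 0 means no BSOD was recorded,
        # which usually points at power loss or a hard reset rather than a kernel crash.
        $xml      = [xml]$crash.ToXml()
        $bugcheck = ($xml.Event.EventData.Data | Where-Object Name -eq 'BugcheckCode').'#text'

        # ID 41 is written at the next boot, so everything logged before its timestamp
        # (minus the reboot itself) is the lead-up to the crash.
        $before = Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            StartTime = $crash.TimeCreated.AddMinutes(-$MinutesBefore)
            EndTime   = $crash.TimeCreated
        } -ErrorAction SilentlyContinue | Where-Object Id -ne 41

        # Event 1001 (source BugCheck) with the stop code follows shortly after the reboot.
        $stopCodeEvent = Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            Id        = 1001
            StartTime = $crash.TimeCreated
            EndTime   = $crash.TimeCreated.AddMinutes(30)
        } -MaxEvents 1 -ErrorAction SilentlyContinue
        $stopCode = if ($stopCodeEvent) { $stopCodeEvent.Message } else { '(no 1001 found)' }

        [pscustomobject]@{
            CrashTime    = $crash.TimeCreated
            BugcheckCode = $bugcheck
            StopCode     = $stopCode
            EventsBefore = @($before | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message)
        }
    }
}

# Usage: one summary line per crash, then the lead-up events in a flat table
$ctx = Get-CrashContext
$ctx | Select-Object CrashTime, BugcheckCode, StopCode | Format-List
$ctx | ForEach-Object { $_.EventsBefore } |
    Format-Table TimeCreated, Id, ProviderName, LevelDisplayName, Message -Wrap
```

A crash whose BugcheckCode is 0 and whose lead-up shows no driver or disk errors is more likely a power or hardware reset than a BSOD, which changes where you look next (iLO/iDRAC hardware logs rather than minidumps).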
Check minidump files:
```powershell
Get-ChildItem C:\Windows\Minidump\ | Sort-Object LastWriteTime -Descending | Select-Object -First 5
```

Diagnose a service that won't start
- Open Windows Logs → System
- Filter by Source: Service Control Manager
- Look for Event IDs 7000 (failed to start) or 7034 (unexpected termination)
- The message usually includes the error code
Cross-reference with Application log for the service's own error messages.
Find brute force / unauthorized access attempts
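A fuller version of the per-IP count that follows, added here as an example and not code from the original page: it reads the named EventData fields of each 4625 event from its XML rather than relying on positional Properties indexes, keeps the account, logon type and NTSTATUS sub-status alongside the source address, and flags sources whose failure count exceeds a threshold. The look-back window, threshold and function name are assumptions.

```powershell
# Added example (not from the original page): failed-logon (4625) summary per source address.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # look-back window (assumed default)
        [int]$Threshold = 20    # failures per source above which the row is flagged (assumed)
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # One flat row per failure, built from the named EventData fields.
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType         # 3 = network, 10 = RDP, 2 = interactive console
            SubStatus = $data.SubStatus         # 0xC000006A = wrong password, 0xC0000064 = unknown user
            SourceIP  = $data.IpAddress         # '-' for local logons without a network source
            Source    = $data.WorkstationName
        }
    }

    # Aggregate per source address; many distinct accounts from one IP is the password-spray shape,
    # many failures against one account is the classic brute-force shape.
    $rows | Group-Object SourceIP | Sort-Object Count -Descending | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            SourceIP   = $_.Name
            Failures   = $_.Count
            Accounts   = @($_.Group.Account   | Sort-Object -Unique).Count
            LogonTypes = (@($_.Group.LogonType | Sort-Object -Unique) -join ',')
            FirstSeen  = $times[0]
            LastSeen   = $times[-1]
            Flagged    = ($_.Count -ge $Threshold)
        }
    }
}

# Usage: review flagged sources before acting on them (NAT gateways and scanners show up here too)
Get-FailedLogonSummary -Hours 24 -Threshold 20 | Format-Table -AutoSize
```

The `Accounts` column matters as much as the count: a single source failing against dozens of different accounts with sub-status 0xC0000064 (unknown user) is a spray, while the firewall rule further down only helps when the source address is not shared infrastructure such as a VPN concentrator or a load balancer.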
```powershell
# Count failed logins per source IP
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
    ForEach-Object {
        $_.Properties[19].Value   # Source IP (the IpAddress field of event 4625)
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 20
```

If you see many failures from the same IP → block it in Windows Firewall:
```powershell
New-NetFirewallRule -DisplayName "Block brute force IP" `
    -Direction Inbound -RemoteAddress "1.2.3.4" -Action Block
```

Export logs for analysis
```powershell
# Export to CSV
Get-EventLog -LogName Application -Newest 1000 |
    Export-Csv C:\Logs\app-events.csv -NoTypeInformation

# Export to EVTX (native Windows format)
wevtutil epl System C:\Logs\system-export.evtx

# Export filtered events as text (Level<=2 means Critical and Error)
wevtutil qe System /q:"*[System[Level<=2]]" /f:text > C:\Logs\system-errors.txt
```

Create a custom view (save your filters)
- In Event Viewer, right-click Custom Views → Create Custom View
- Set your filter (e.g., all errors from System + Application)
- Give it a name like "All Errors"
- It appears in the sidebar; click it to view the filtered events at any time
Set up email alerts for critical events
Use Windows Task Scheduler to send an email when a specific event occurs:
- In Event Viewer, find the event you want to alert on
- Right-click it → Attach Task To This Event
- Choose Send an e-mail action
- Configure SMTP settings
Or via PowerShell with a scheduled task triggered on an event. New-ScheduledTaskTrigger has no event option, so the trigger is built from the MSFT_TaskEventTrigger CIM class with an XPath subscription; this one fires on any Critical (Level=1) event in the System log:

```powershell
# Event-based trigger: fires when a Critical (Level=1) event is written to the System log
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = '<QueryList><Query Id="0" Path="System"><Select Path="System">*[System[(Level=1)]]</Select></Query></QueryList>'
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-File C:\Scripts\alert.ps1"
Register-ScheduledTask -TaskName "CriticalEventAlert" -Trigger $trigger -Action $action
```
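The page references C:\Scripts\alert.ps1 without showing it. The script below is an added example of what that file could contain, not code from the original page: it picks up the Critical System event that fired the trigger, mails a summary, and records the notification in the Application log so that alert delivery is itself auditable. The SMTP host, sender, recipient, port and the `EventAlert` source name are placeholders to replace. Send-MailMessage still ships with Windows PowerShell 5.1 and PowerShell 7 but is marked obsolete; New-EventLog and Write-EventLog exist only in Windows PowerShell 5.1, which is what `powershell.exe` in the task above runs.

```powershell
# Added example (not from the original page): C:\Scripts\alert.ps1 for the CriticalEventAlert task.
param(
    [string]$SmtpServer = 'smtp.example.local',      # placeholder, replace
    [string]$From       = 'eventalerts@example.local', # placeholder, replace
    [string]$To         = 'ops@example.local',       # placeholder, replace
    [int]$Port          = 25                         # placeholder, replace
)
$ErrorActionPreference = 'Stop'

# The event trigger runs the task right after the event is written, so the newest
# Critical System event is the one that fired it.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1 } -MaxEvents 1

$subject = '[{0}] Critical event {1} from {2}' -f $env:COMPUTERNAME, $evt.Id, $evt.ProviderName
$body = @"
Time:     $($evt.TimeCreated)
Computer: $($evt.MachineName)
Source:   $($evt.ProviderName)
Event ID: $($evt.Id)
Level:    $($evt.LevelDisplayName)

$($evt.Message)
"@

Send-MailMessage -SmtpServer $SmtpServer -Port $Port -From $From -To $To `
    -Subject $subject -Body $body

# Leave a trace in the Application log (source registration is a one-time, elevated step;
# EventAlert and event ID 100 are assumed names, not Windows-defined ones).
if (-not [System.Diagnostics.EventLog]::SourceExists('EventAlert')) {
    New-EventLog -LogName Application -Source 'EventAlert'
}
Write-EventLog -LogName Application -Source 'EventAlert' -EventId 100 -EntryType Information `
    -Message "Alert mailed to $To for System event $($evt.Id) at $($evt.TimeCreated)"
```

Run the task under an account that has read access to the System log and nothing more; the mail credentials, if your relay needs them, belong in a `-Credential` parameter backed by a stored secret rather than in the script.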