Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

What is Event Viewer, and Why Does It Have So Many Errors?

In an ideal world, you’d never care about Event Viewer.

In an ideal world, software and hardware would always work, always meet expectations, and there’d never be a need to try to figure out why things are happening the way they are. In even a slightly less ideal world, we’d be able to rely on Event Viewer for clear and consistent information about what your system and all the applications running on it are experiencing.

Sadly, we do not live in an ideal world, or even a world only slightly less than ideal. While Event Viewer can be a source of excellent clues into system failures and behavior, it can also be a frustrating, incomprehensible mess.

And scammers are leveraging that confusing mess to their advantage.

Become a Patron of Ask Leo! and go ad-free!

What Event Viewer Does

A window under the hood

Windows has long had a system “event log”. Intended for software engineers and technicians, it’s a repository of information about how your system is running and what’s been happening.

The idea is that Windows, as well as applications running in Windows, write information to the log that can later be used to aid diagnostics, or confirm things are working as they should.

The actual implementation is relatively complex, but at the highest level, a single log entry includes information like:

  • The name of the application or Windows component
  • Whether the entry is informational, a warning, or an outright error of some sort.
  • The time of the entry.
  • Additional information pertaining to the entry that might be considered useful.

The event log is implemented as a kind of structured database of information, and is designed to handle multiple programs all trying to log things at the same time.

The event log is also designed for “language independence”. That means that a well-behaved application will log things in such a way that when retrieved, they’ll be displayed in the local language.

Event Viewer is used to display the contents of the event log.

Running Event Viewer

eventvwr.exe

There are several ways to get to Event Viewer. It’s included in every current and not-so-current version of Windows.

In Windows 10, just click the Start button and start typing “event viewer”, and one of the results will, not surprisingly, be Event Viewer. Just click on that.

Event Viewer via Start Menu

In all versions of Windows, you can also click on Start and then Run, or type the Windows Key + R, and then type eventvwr and click OK.

Event logs

Application, Security, System, and possibly more

Depending on your version of Windows and what additional software you may have installed, there may be several logs visible.

The Event Viewer

The three main Windows logs are:

  • Application: Applications running under Windows are supposed to log their events here, unless they’ve created their own Event Viewer log.
  • Security: Windows can log a host of security-related events here.
  • System: The operating system logs its events here.

If you click on one of the logs on the left side, you’ll see a window that includes several lines of logged information. Each line corresponds to one event logged by the system. If you click on one of the lines, the information contained in that event will be displayed in the pane below.

Event log confusion

Rules? What rules?

Things quickly get disorganized and confusing.

  • There are no real rules for what constitutes an error, warning, or informational event.
  • There’s no consistency about the meaning of many of the fields associated with each event.
  • Many entries are just numbers, meaningless to the casual observer.
  • There are no enforced requirements that a component or application use the event log or how much information it should log if it does.

That’s really just the tip of the iceberg. The important take-away so far is that there’s no consistency in what gets logged.

Event log information

Data in the chaos

Looking at the pane containing information about a specific error can sometimes garner useful information.

As just one example, Windows Defender logs successful definition updates. Normally, that’s something you need never see, so burying it in the event log is somewhat reasonable. However, if there’s ever a question, you can come here to see if that’s been happening as it should.

Windows Defender Event

Chaos in the data

Unfortunately, less-than-helpful log entries are also quite common. Frequently, entries are completely indecipherable to normal people, and often even to technical folks who aren’t intimately familiar with the component logging the information.

What’s worse, it’s completely normal for the Event Log to contain errors.

Errors in the Event Log

I’ll say that again: it’s completely normal for the Event Viewer to show entries that are marked as “Error”, even on a completely healthy, normal system. I’d go so far as to say that an event log without errors just doesn’t happen.

The bottom line is that applications – often including Windows itself – commonly fail to log things correctly, or even at all.

Like I said, it’s a mess.

Why is it this way?

My gut reaction to this question is to ask in return, “Why ask why?” It is what it is, and there’s nothing you or I can do about it.

Yes, the programming interface to log events is complex. While there are guidelines for use, they’re just that: guidelines, which may or may not be followed. Similarly, writing software that’s easily translated into multiple different languages, as Windows applications are supposed to be, is difficult, and it’s easy to overlook something as obscure as the event log.

Excuses or explanations aside, it is what it is, and as we’ll see in a moment, the event log does have its uses.

What’s most important here is that we understand just how messy it is, and not jump to conclusions when using it to look inside the belly of the Windows beast …

… because scammers love to leverage that confusion.

Scammers leverage confusion

And Event Viewer has it

Event Viewer has become a key component of the so-called “tech support scam”.

You get a phone call from someone who tells you they’re from some important-sounding company or service you use, and that your computer is causing problems. Then they direct you to Event Viewer. They have you look at an event log and show you it has errors in it.

Because it does.

I’ll said it earlier and I’ll say it again:

On a machine that’s working well, Event Viewer will still be full of errors and warnings.

The scammer knows this. The scammer also knows you don’t know this, and will instead believe that Event Viewer is confirming their claim that you need their help to “fix” your machine.

It’s a scam. Your machine is fine. The event log always has errors in it. Hang up on the scammer.

Is Event Viewer any good at all?

There’s data, if you know what to look for

First, remember that the event log isn’t meant for normal people like you and me. It’s meant for the software engineers writing and debugging their software, and the technicians trying to diagnose what’s going on with your machine when it really does have a problem.

Event Viewer is far from perfect, but for people who know what to look for (and more importantly, what to ignore), it contains valuable data.

Curious? Go ahead and browse around in Event Viewer; it doesn’t hurt to look.

Just don’t jump to conclusions, and don’t panic when you see lots of warnings or errors. Every properly functioning Windows computer will have them.

In fact, if you look at Event Viewer while your system is functioning normally, you’ll get a sense of what “normal” looks like in your event log. Then later, when you see items that seem suspicious or out of place, or seem related to the problems you’re having, that might turn out to be information worth paying attention to.

Podcast audio

Play

More for Patrons of Ask Leo!

Silver-level patrons have access to this related video from The Ask Leo! Video Library.

What is the Event Viewer?   What is the Event Viewer?

32 comments on “What is Event Viewer, and Why Does It Have So Many Errors?”

  1. It’s not just Windows; other operating systems generate error logs that can give angina to a regular user looking at them. I was surprised by how many errors were reported on the error log of a Linux Mint system I was experimenting with a few years ago. It was a system that in all appearances was working quite well.

  2. The Windows Reliability History is more practical. The Event logs are detailed but the Windows “Reliability history” provides a useful overview. The Reliability history lists critical events, warnings, and successful software updates and installations, including Definition Updates for Windows Defender and updates to Windows 10 apps. It can be viewed by Days or Weeks. It also seems to include information from the useful Custom Views > Administrative Events log.

    To start the Reliability history:
    [1] Click the Windows 7 or 10 Start button and type Reliability, then click on View Reliability history
    [2a] Right click the Windows 10 Start button > Control Panel > Security and Maintenance > Maintenance > View Reliability history
    [2b] Right click the Windows 7 Start button > Control Panel > Action Centre > Maintenance > View Reliability history

    • Unfortunately it’s kind of useless also. If you click on an error, just like in the Event Viewer, it will 9/10 say no solution found.

  3. Thank you for this article. I’m really glad to have this information about the Event Viewer. I’ve long assumed these were all pretty serious issues, so have worked with mine over the years, researching every warning and error, and have managed to eliminate most of them over time. This is one type of reason I’m holding onto XP, my system is now stable, I’ve read all of the numerous books and manuals, and things are finally predictable. I did however purchase a Chromebook laptop and it is such a total and complete breeze that I use it for everyday now. Thank you again for these informative articles.

  4. So after reading the above article I have a understanding of event viewer. How is a snap-in event viewer different and what is the purpose of this if computers already have one? Thank-you

  5. I use the Event Viewer to see the elapsed time of the last Microsoft Security Essentials (MSE) scan. I view “Windows Logs – System” and do a Find (Ctl-F) for 1001. That is the ID of the event created when a Microsoft Antimalware (MSE) scan finishes. It tells when the scan finished and the elapsed time. btw – Find for 1001 also finds entries for other events not related to Antimalware, e.g., 10016, 7036 and 6005, which you can ignore.
    This works for me on Vista but it could be different on other releases.

  6. Slightly off topic, I had a “Tech Scam” call yesterday. Previous calls like this have asked me view Event Viewer. Yesterday I was asked to open the Command prompt and enter the following (without the quotation marks) “assoc”. This brought up a long text list of what looked like file extensions. By this time the caller had worked out that I wasn’t falling for anything and asked why I was wasting his time!!! and hung up.
    So I never got what he was going to claim what this list demonstrated.

    • Interesting. In the help menu for “assoc”, it says if you type just that command and an extension, it will “delete the association for the file extension”. So, I’m guessing, if you were to put “jpg” after it, then any icon of a Jpeg image file that you are used to seeing will now have a generic icon. Furthermore, double-clicking it would show a message that no program is associated to that file type. For most computer users, this would be very confusing and they might think something is indeed wrong with their computer. It appears the scammer is trying to get the user to break an extension (and they wouldn’t even know they did that) and then, for a small fee, help them to fix it. Just a guess.

  7. One thing I’ve always done with a new computer is change the logging level of the Application and System logs. By default the size limit and time limits are very small, usually old files are deleted after a mere 7 days in some installations! I change it to only delete after the log size exceeds 150 MB. This way, many, many months and sometimes years of logs are available because as Leo points out, you don’t know if the error you’re seeing from today is bad or normal. With years of logs, you can quickly determine if it has always been present.

  8. Oh what fun. I didn’t have anything planned this evening, just Linda and I watching a Hallmark Christmas move. “And up on the roof top, there rose such a clatter, some dude from India called and began such a chatter.”
    They told me I had a virus in my computer. Oh, what fun. I tried to keep them on line for longer than 20 minutes. NEW RECORD! I kept him on the line for 30 minutes! Poor guy! He thought I couldn’t type. But meanwhile I Pinged the URL that he was wanting me to go to and I told him that I will contact the IT manager of the server in Houston, TX and have them put a denial of service on them.
    He first had me open eventvwr which is a standard test to see what events have happended. You will always find errors in this display. Ignore it. That is just to make you think you have a problem. They want you to type in an address like But instead I typed something else. DONT EVER DOWNLOAD THIS! They will set it up to have access to your PC and then YOU are STUPID. They then have your computer.
    Let me know if you can play dumb and keep them on the line for more than 30 minutes! Don’t mess with tech. USA tech that is.

  9. I was contacted by a scammer usinf the event viewer as bait. trying to sell me Norton Security at three times the price and also trying to persuade me to let them delete the logs on Event viewer. Do these logs have to be deleted???

  10. Hello!

    Thanks for the nice article. It clarifies more details and behavior of the Event Viewer, which never took my attention so much before.
    But after recent update from WIN10 to WIN10 Creators Update it’s Event Viewer started to pop up windows every few minuets.
    Machine works fine, no troubles at all, but Event Viewer windows are popping up endlessly. My feeling is that it happens every time when
    new event coming to the log. Is there any trigger in WIN10 which allow to tune behavior of the Event Viewer in response to system events?
    I still guess solution can be simple… but couldn’t find enough information.

    I’ve also re-newed on 29 April old discussion with similar problem, which I could find. After more then two weeks going in checks round
    and round we have no results so far, more and more people are joining discussion with the same problem. Original topic is here:
    https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/event-viewer-keep-popping-up-automatically/dfc80738-b3a5-4791-a7a7-1cedbdc79824

    Please let me know if you might have some ideas how to solve this problem.
    Regards, Andrey

  11. Thank you for the information on event viewer. I received a phone call today from a scammer who got me to open event viewer which showed about 17,000 errors. The spammer descibed himself as head of security at my ISP and offered to fix the errors. I asked him for his name and he side-stepped the question. I had to hang up on him 3 times before I got rid of him. I have never opened event viewer before and am suprised that I did not see any prior warnings of this particular scam.

  12. This is so weird, I ran Windows XP for over 8 years, guess what, If I had errors in the event viewer it was very few.
    Now it seems that I have at least 30 red error codes per day, all I have to do is start the computer and wait 5 minutes.
    The yellow I have always had.
    I went to the store and looked at 14 computers, Brand New, they had errors already and they have not even been sold yet.
    I understand the fact that between all the third party programs and the internet things will happen but why so many per day.
    In my old system I got maybe 3 errors a week, now 30 a day, what’s up with that.
    Can anybody give a real reason, I have run dozens of programs that claim they can fix them but the bottom-line, they can’t
    I even paid for a full cleanup, performance, integrity check that was $189.00 out the window.
    I am tempted to try the Microsoft azure program that is $139.00, they claim they will check integrity of third party programs.
    Can anybody help.
    The computer itself, seems to be running good, Norton’s reports no issues, the SFC in windows claim no integrity issues.
    the hard drive according to the report is 16% above average in speed and of course my processor is a 3.5gig with 8000 mb. of memory

    • Please read the article you commented on. The data you are seeing in the event viewer is not really useful unless you are having a problem with your computer. And then it really needs a trained tech to sort it out. It’s completely normal for the Event Viewer to show entries that are marked as “Error”, even on a completely healthy, normal system. Your best bet is to just leave it alone. Don’t look at the Event Viewer every day. It’s not giving you any useful information.

    • The fact that you found errors in new computers in a shop should prove to you that Leo was right. The listings in event viewer are so often wrong in what they show, and that those error are no indication of a problem. I doubt if the Azure program would reduce the number of errors in the Event Log. In fact, I wouldn’t be surprised if it produced error log entries itself 🙂

      One example of something which might (purely hypothetical) produce an error entry. A program tries to run but is blocked by another process. A log entry of that is written. A few milliseconds later, it’s no longer blocked. As for why so many a day now when before there were so few error entries: later versions of Windows are that many time more complex than earlier versions.

  13. In light of all the phone calls from India, you’d think that by now Microsoft would get the idea to start the Event Viewer up with a pop-up which warned people of the scam and that Event Viewer errors are nothing to worry about. It would prevent a lot of people from being ripped off.

  14. ASk,Leo.
    Thank You So Much-for giving time and sharing your knowledge technically on computer.more power and god bless.

    P)s,thanks free tutiorial-from the philippines.

  15. My Event Viewer > Windows Logs > System list is full or MEIx64 warnings that are issued every 15 seconds. So far I haven’t been able to isolate and correct whatever is causing these warnings. However, my main question is whether frequent warning (or error) messages such as these consume a significant amount of system resources. Of course, at the very least, they do fill the list with a lot of repetitive garbage that might make it hard to find a real problem should one exist.

    • As the article says,

      Unfortunately, less-than-helpful log entries are also quite common. Frequently, entries are completely indecipherable to normal people, and often even to technical folks who aren’t intimately familiar with the component logging the information.

      What’s worse, it’s completely normal for the Event Log to contain errors.

      As for consuming resources, the Event Log is an relatively small text file. Mine is only about 154 MB.

  16. I got the scam phone call yesterday.Luckily, before I gave him access I put him on hold and took a look to see if it was a scam. He called back 3 times to get me back on the hook. After reading this I understand the errors, I have a ridiculous number of them just since I signed up for internet in Feb this year . None recorded before that ?
    He did point out when he had me open the systems file that many of my systems have stopped running and told me that was a result of the errors. Can I fix this with a download or should I have my laptop cleaned and updated by a professional? Happy to spend the money if necessary, not if I can do it on my own.

    thanks for writing this article !!

    • If your computer is running without any obvious problems, I wouldn’t pay any attention to Event Viewer errors or errors opening files you wouldn’t otherwise open. Read the article you are commenting on.

  17. Thank you fothis information …. i just got a call from unknown person and he telling me to fix my system. he was saying your machine is in serious problem after i followed him till opening the custom logs in event viewer. then i though it loks limek scam becasue he is not from telstra and how he know there is viruses in my machine … then I HANG UP THE SCAMMER. he called me three times after i hang up his call.

    Then i read this article and i got … it was fake call.

    Thanks again
    Singh

  18. DCOM error ID 10016 noted in ‘event viewer:
    CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
    APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39}

    Because this is noted in EVENT VIEWER as an WARNING – I felt compelled to chase it for an solution – to discover it was a waste of time BECAUSE:

    The word WARNING should have been programmed to an computers user choice as an INFORMATION notice

    in that since I CHOSE to use Internet Explorer 11 64bit WITHOUT addons – the system, I guess, saw this as an error or problem therefore generated the event 10016. In other words YOU/I did not give PERMISSION for IE to activate WITH addons.

    If I chose to use IE11 WITH addons – event id 10016 – NEVER appears.

    Sadly many are being given routines – to change permissions in the registry to prevent the choice of running IE11 without addons – BECAUSE the problem is NOT UNDERSTOOD !!! Or how the computer works.

    • NEVER waste time tracing down issues in Event Viewer. As the article states it’s chock-full of false positives and meaningless (to the layman) information.

  19. Lately when booting up my laptop with Windows 7, it pops up a message that Windows could not connect to the System Event Notification Service, preventing standard users from logging on, but as an Administrative user I can look at the System Event Log to see why the service didn’t respond. The Taskbar and Start Menu look like an older version (NT? Win 95/98?). If I log out and log back in, the Taskbar and Start Menu look like the regular Windows 7 version.

    I’ve been in the Event Viewer looking for this log and see what the problem may be. Indeed there are many Errors and Warnings. I just don’t know how to narrow it down. One of the errors that shows up frequently has to do something with the power, which doesn’t surprise me since the battery is on its last life and needs replacing. But I’m not sure that would be the cause of the error.

    In a lot of ways, I could care less, except the old look, look very odd and I hate having to log out and log in again. Should I keep trying to figure this out, or just abandon the Event Viewer.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Typically that's off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.