In an ideal world, you’d never care about Event Viewer.
In an ideal world, software and hardware would always work, always meet expectations, and there’d never be a need to try to figure out why things are happening the way they are. In even a slightly less ideal world, we’d be able to rely on Event Viewer for clear and consistent information about what your system and all the applications running on it are experiencing.
Sadly, we do not live in an ideal world, or even a world only slightly less than ideal. While Event Viewer can be a source of excellent clues into system failures and behavior, it can also be a frustrating, incomprehensible mess.
And scammers are leveraging that confusing mess to their advantage.
What Event Viewer Does
A window under the hood
Windows has long had a system “event log”. Intended for software engineers and technicians, it’s a repository of information about how your system is running and what’s been happening.
The idea is that Windows, as well as applications running in Windows, write information to the log that can later be used to aid diagnostics, or confirm things are working as they should.
The actual implementation is relatively complex, but at the highest level, a single log entry includes information like:
- The name of the application or Windows component
- Whether the entry is informational, a warning, or an outright error of some sort.
- The time of the entry.
- Additional information pertaining to the entry that might be considered useful.
The event log is implemented as a kind of structured database of information, and is designed to handle multiple programs all trying to log things at the same time.
The event log is also designed for “language independence”. That means that a well-behaved application will log things in such a way that when retrieved, they’ll be displayed in the local language.
Event Viewer is used to display the contents of the event log.
Running Event Viewer
There are several ways to get to Event Viewer. It’s included in every current and not-so-current version of Windows.
In Windows 10, just click the Start button and start typing “event viewer”, and one of the results will, not surprisingly, be Event Viewer. Just click on that.
In all versions of Windows, you can also click on Start and then Run, or type the Windows Key + R, and then type eventvwr and click OK.
Application, Security, System, and possibly more
Depending on your version of Windows and what additional software you may have installed, there may be several logs visible.
The three main Windows logs are:
- Application: Applications running under Windows are supposed to log their events here, unless they’ve created their own Event Viewer log.
- Security: Windows can log a host of security-related events here.
- System: The operating system logs its events here.
If you click on one of the logs on the left side, you’ll see a window that includes several lines of logged information. Each line corresponds to one event logged by the system. If you click on one of the lines, the information contained in that event will be displayed in the pane below.
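The same four fields the article lists (source, level, time, details) can be pulled from the three main logs without opening Event Viewer. This is an added example using the built-in Get-WinEvent cmdlet, not code from the article; reading the Security log only works from an elevated (Run as administrator) session, and the script reports that rather than stopping.

```powershell
# Added example: list the newest entries in the three main Windows logs,
# showing the fields the article describes. Run elevated to read the Security log.
function Get-RecentEventSummary {
    param(
        [string[]]$LogName = @('Application', 'Security', 'System'),
        [int]$Count = 5
    )
    foreach ($log in $LogName) {
        try {
            # Newest entries first, read from the live log on this machine.
            $events = Get-WinEvent -LogName $log -MaxEvents $Count -ErrorAction Stop
        }
        catch {
            # Typical cause: the Security log needs an elevated session.
            Write-Warning "Could not read the $log log: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Message is rendered from the provider's message table. It is empty when
            # that table is missing, which is one reason entries look like bare numbers.
            if ($e.Message) {
                $firstLine = ($e.Message -split "`r?`n")[0]
            } else {
                $firstLine = '(no message text available; event ID only)'
            }
            [pscustomobject]@{
                Log     = $log
                Source  = $e.ProviderName      # application or Windows component
                Level   = $e.LevelDisplayName  # Information / Warning / Error, in the local language
                Time    = $e.TimeCreated
                EventId = $e.Id
                Details = $firstLine
            }
        }
    }
}

Get-RecentEventSummary -Count 3 | Format-Table -AutoSize -Wrap
```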
Event log confusion
Rules? What rules?
Things quickly get disorganized and confusing.
- There are no real rules for what constitutes an error, warning, or informational event.
- There’s no consistency about the meaning of many of the fields associated with each event.
- Many entries are just numbers, meaningless to the casual observer.
- There are no enforced requirements that a component or application use the event log or how much information it should log if it does.
That’s really just the tip of the iceberg. The important take-away so far is that there’s no consistency in what gets logged.
Event log information
Data in the chaos
Looking at the pane containing information about a specific error can sometimes garner useful information.
As just one example, Windows Defender logs successful definition updates. Normally, that’s something you need never see, so burying it in the event log is somewhat reasonable. However, if there’s ever a question, you can come here to see if that’s been happening as it should.
Chaos in the data
Unfortunately, less-than-helpful log entries are also quite common. Frequently, entries are completely indecipherable to normal people, and often even to technical folks who aren’t intimately familiar with the component logging the information.
What’s worse, it’s completely normal for the Event Log to contain errors.
I’ll say that again: it’s completely normal for the Event Viewer to show entries that are marked as “Error”, even on a completely healthy, normal system. I’d go so far as to say that an event log without errors just doesn’t happen.
The bottom line is that applications – often including Windows itself – commonly fail to log things correctly, or even at all.
Like I said, it’s a mess.
Why is it this way?
My gut reaction to this question is to ask in return, “Why ask why?” It is what it is, and there’s nothing you or I can do about it.
Yes, the programming interface to log events is complex. While there are guidelines for use, they’re just that: guidelines, which may or may not be followed. Similarly, writing software that’s easily translated into multiple different languages, as Windows applications are supposed to be, is difficult, and it’s easy to overlook something as obscure as the event log.
Excuses or explanations aside, it is what it is, and as we’ll see in a moment, the event log does have its uses.
What’s most important here is that we understand just how messy it is, and not jump to conclusions when using it to look inside the belly of the Windows beast …
… because scammers love to leverage that confusion.
Scammers leverage confusion
And Event Viewer has it
Event Viewer has become a key component of the so-called “tech support scam”.
You get a phone call from someone who tells you they’re from some important-sounding company or service you use, and that your computer is causing problems. Then they direct you to Event Viewer. They have you look at an event log and show you it has errors in it.
Because it does.
I said it earlier and I’ll say it again:
On a machine that’s working well, Event Viewer will still be full of errors and warnings.
The scammer knows this. The scammer also knows you don’t know this, and will instead believe that Event Viewer is confirming their claim that you need their help to “fix” your machine.
It’s a scam. Your machine is fine. The event log always has errors in it. Hang up on the scammer.
Is Event Viewer any good at all?
There’s data, if you know what to look for
First, remember that the event log isn’t meant for normal people like you and me. It’s meant for the software engineers writing and debugging their software, and the technicians trying to diagnose what’s going on with your machine when it really does have a problem.
Event Viewer is far from perfect, but for people who know what to look for (and more importantly, what to ignore), it contains valuable data.
Curious? Go ahead and browse around in Event Viewer; it doesn’t hurt to look.
Just don’t jump to conclusions, and don’t panic when you see lots of warnings or errors. Every properly functioning Windows computer will have them.
In fact, if you look at Event Viewer while your system is functioning normally, you’ll get a sense of what “normal” looks like in your event log. Then later, when you see items that seem suspicious or out of place, or seem related to the problems you’re having, that might turn out to be information worth paying attention to.
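One way to turn that advice into a repeatable check: record which sources and event IDs produce errors and warnings while the machine is healthy, then compare a later run against that baseline and look only at what is new or has spiked. This is an added example, not code from the article; the baseline file path and the "twice the baseline count" spike threshold are my own choices, and it covers the Application and System logs only (the Security log needs an elevated session and is usually very large).

```powershell
# Added example: save a profile of "normal" errors and warnings, then report
# what is new or unusually frequent compared with that profile.
function Get-ErrorProfile {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Application', 'System'
        Level     = 1, 2, 3                  # Critical, Error, Warning (numeric, not localized)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as an empty profile.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object LogName, ProviderName, Id |
        ForEach-Object { [pscustomobject]@{ Key = $_.Name; Count = $_.Count } }
}

function Save-EventBaseline {
    param([string]$Path = "$env:USERPROFILE\event-baseline.json", [int]$Days = 7)
    # -InputObject with @() keeps a single row (or none) serialized as a JSON array.
    ConvertTo-Json -InputObject @(Get-ErrorProfile -Days $Days) | Set-Content -Path $Path
    "Baseline written to $Path"
}

function Compare-EventBaseline {
    param([string]$Path = "$env:USERPROFILE\event-baseline.json", [int]$Days = 7)
    $baseline = @{}
    foreach ($row in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        $baseline[$row.Key] = $row.Count
    }
    foreach ($row in Get-ErrorProfile -Days $Days) {
        $before = 0
        $status = 'NEW'                      # source/ID never seen while the machine was healthy
        if ($baseline.ContainsKey($row.Key)) {
            $before = $baseline[$row.Key]
            if ($row.Count -gt 2 * $before) { $status = 'SPIKE' } else { $status = 'usual' }
        }
        [pscustomobject]@{
            'Log, Source, EventId' = $row.Key
            Now      = $row.Count
            Baseline = $before
            Status   = $status
        }
    }
}

# Save-EventBaseline                                   # first, while the machine is behaving normally
# Compare-EventBaseline | Where-Object Status -ne 'usual' | Format-Table -AutoSize
```

Entries marked "usual" are the everyday errors the article describes; only the NEW and SPIKE rows deserve a closer look, and even those are clues to investigate, not proof of a problem.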