Every time Windows XP or 2000 starts, it keeps a record of events that happen on your system. Not general events like "This user has started Solitaire ten times today," but highly specific details of Windows' startup, your log-in, the services that start and stop in the course of a session, system crashes and much more. Windows even carries its own tool, called Event Viewer, for browsing that log. This program is handy for diagnosing Windows problems, but it's also useful for learning about what's going on under the operating system's hood. In fact, it's one of the fi rst places you should look for clues if an unexplained problem with your PC crops up.
To start Event Viewer open Control Panel and double-click Administrative Tools - Event Viewer (or Start-Run and type eventvwr then hit OK). Event Viewer's left pane lists separate folders for the three types of events that Windows logs: Application, Security, and System. The System event log can be particularly useful for uncovering problems with hardware devices or with Windows itself. Click a folder to display the events for that type in the right pane (see Figure 1). You can sort the events by type, date or other column heading, just as you can in Windows Explorer's Details view.
The event icons in the right pane indicate their severity: Information, Warning or Error. When you want more information about a particular. event, double-click its entry in the right pane to see its Properties and to read a description of the problem. Regrettably, the description is rarely much help, but I'll get to a better solution later.
Most of the logged entries can be ignored. For example, if you click the System icon on the left, the Event column on the right should include an entry numbered "6005" for every time you have started your PC.
Each such entry signifies the beginning of the logging service when Windows loads. Similarly, a "6006" entry should appear for each time you shut down your system, indicating that you exited Windows properly and that event logging stopped. If there's no 6006 entry to correspond to a given day's 6005 entry, your computer probably stopped without using Windows' normal shutdown process, which can cause problems.
Some event logs can help you diagnose and solve problems. If the event's Properties dialogue box doesn't say enough, scroll to and click the link just below "Help and Support Center" in the Description box (see Figure 2). You'll be prompted to send Microsoft some information about the event so it can look up the related topic. Click Yes if you consent. For example, I asked Microsoft about an error message telling me that System Restore had encountered a problem when it tried to back up a file. The Help and Support Center explained that, in these cases, System Restore stops creating restore points and stops monitoring changed files until another restore point is established. It also explained that I could get System Restore going again by creating a restore point manually.
In many cases, unfortunately, the service reports that no Help topic is available, or the information it gives is too vague to be useful. If Microsoft has no help to offer, try Event ID.Net (http://eventid.net), a site hosted by Altair Technologies that maintains a community collection of comments on many of the system events that Windows logs. The service uses information that appears in the columns in Event Viewer's right pane. Note the text in the Source column and the number in the Event column, then browse to http://eventid.net/search.asp, enter the event ID number and source info, and click Search.
The site will open a summary of the event. Click the link next to Details to get the skinny from other users who have experience with the same issue (see Figure 3). Or enter the event ID or other unique snippets of text from the event in your favourite search engine to find more information about it.
Event Viewer is useful for more than just troubleshooting, however. For example, when Windows scans for and fixes disk errors (right-click the drive icon in My Computer, choose Properties and click Check Now under the Tools tab), the OS records the results in Event Viewer.
Disk checks often occur after you start your computer but before you log in to Windows. In such cases, though you may be able to see the scan results on screen, you may have no option (and no time) to save or print them. Not to worry: Event Viewer's log has it covered. Click the Application icon in Event Viewer's left pane. To find a particular event more easily, choose View-Filter. Under the Filter tab in the Application Properties dialogue box, choose Winlogon in the "Event source" drop-down menu, and click OK. To see the results in the Events Properties dialogue box, locate and doubleclick the icon corresponding to the date of your error-checking chore (see Figure 4). To save or print the information, click the Copy icon in the top-right corner under the up and down arrows, and then paste it into the word processor or text editor of your choice. When you're done, reset the filter to show all log entries by choosing View-All Records. If you forget to do this, Event Viewer will switch back to showing all log entries the next time you start it.
Beef up your logs
By default, the information in Windows' event logs gets overwritten after just a week, and the log itself is limited to 512KB. To keep the data around longer, right click one of the three logs in the left pane and select Properties. Under the General tab, adjust the "Maximum log size" to something larger - for example, setting it to 2048KB will quadruple the number of entries the log can hold. You can also adjust the overwrite options listed below this setting to maintain log entries for longer than seven days. If you think your maximum log size is big enough, you needn't specify a number of days to retain entries; simply select "Overwrite events as needed" to keep adding events to the log until it reaches maximum size and starts deleting entries. When you're finished, click OK.