Windows Event Viewer Guide

Common event IDs, where to find them, and how they help troubleshoot crashes, logons, updates, GPO, performance, drivers, security, and printing.

1. System Crashes or Unexpected Reboots

  • 6008 – Unexpected shutdown
  • 41 (Kernel-Power) – System rebooted without clean shutdown

Log Location: Windows Logs → System

Other Related Event IDs: 1001 – Bugcheck codes (BSOD details)

6008 – Unexpected Shutdown

[Screenshots: Event 6008 example; Event 6008 details]

41 (Kernel-Power) – Rebooted without Clean Shutdown

[Screenshot: Event 41 Kernel-Power]

2. Application Crashes or Freezes

  • 1000 – Application Error
  • 1001 – Windows Error Reporting
  • 1002 – Application Hang

Log Location: Windows Logs → Application

1000 – Application Error

[Screenshot: Event 1000 Application Error]

1001 – Windows Error Reporting

[Screenshots: Event 1001 Windows Error Reporting; Event 1001 additional details]

1002 – Application Hang

[Screenshot: Event 1002 Application Hang]

3. User Account Logon/Logoff Issues

  • 4624 – Successful logon
  • 4625 – Logon failure
  • 4634 – Logoff events

Log Location: Windows Logs → Security

4624 – Successful Logon

[Screenshot: Event 4624 Successful Logon]

4625 – Logon Failure

[Screenshot: Event 4625 Logon Failure]

4634 – Logoff Events

[Screenshots: Event 4634 Logoff summary; Event 4634 details]

4. Windows Update Problems

  • Failure events and error codes indicating update issues.

Log Location: Windows Logs → System; Applications and Services Logs → Microsoft → Windows → WindowsUpdateClient → Operational

Windows Update Logs

[Screenshots: Windows Update log view; Windows Update error details; Windows Update codes; Windows Update Client Operational]

5. Group Policy (GPO) Issues

  • 7017 – GPO client-side extension errors
  • 1129 – Policy processing issues at startup/logon

Log Location: Applications and Services Logs → Microsoft → Windows → GroupPolicy → Operational

Other Related Event IDs: 1058, 1030 – Problems accessing or applying GPOs

7017 – GPO Client-Side Extension Errors

[Screenshot: Event 7017 GPO client-side extension]

1129 – Policy Processing Issues

[Screenshots: Event 1129 policy processing issue; Event 1129 details]

6. Performance Issues (Slow Boot or Login)

  • 100 – Boot Performance (slow boot)
  • 101 – Application Performance (slow app start)
  • 200 – Shutdown Performance (slow shutdown)

Log Location: Applications and Services Logs → Microsoft → Windows → Diagnostics-Performance → Operational

100 – Boot Performance

[Screenshots: Event 100 boot performance; Event 100 additional details]

101 – Application Performance

[Screenshots: Event 101 slow app start; Event 101 additional details]

200 – Shutdown Performance

[Screenshot: Event 200 slow shutdown]

7. Driver Issues or Device Failures

  • 7000, 7001 – Driver/service failed to start
  • 7026 – Driver loading failures

Log Location: Windows Logs → System

7000 – Service Failed to Start

[Screenshot: Event 7000 service failed to start]

7026 – Driver Loading Failures

[Screenshots: Event 7026 driver loading failure; Event 7026 more details]

8. Malware or Security Incidents

  • 1116, 1117 – Malware detection (Windows Defender)
  • 4625 – Multiple failed logins (possible brute force)

Log Location: Windows Logs → Security, Application, Windows Defender

1116 – Malware Detected

[Screenshots: Event 1116 malware detected; Event 1116 details]

1117 – Malware Cleaned/Quarantined

[Screenshots: Event 1117 malware cleaned/quarantined; Event 1117 details]

4625 – Multiple Failed Login Attempts

[Screenshot: Event 4625 multiple failed logons]

9. Print Job Failures

  • 307, 372 – Print job failures or issues
  • 7031 – Spooler service errors

Log Location: Applications and Services Logs → Microsoft → Windows → PrintService → Operational

307 – Print Job Failure

[Screenshots: Event 307 print job failure; Event 307 more details]

7031 – Spooler Service Errors

[Screenshots: Event 7031 spooler service error; Event 7031 additional details]

Best Practices for Using Event Viewer

  • Filter logs by severity and time
  • Correlate events across multiple logs
  • Export logs for deeper analysis and documentation
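
The PowerShell script below is an added example, not part of the original guide. It applies the three practices above to the 4625 failed-logon events from section 8: it filters the Security log by time, correlates failures per account and source address, and exports the result. The look-back window, threshold and output file name are assumed values.

```powershell
# Added example (not from the original guide). Run elevated: the Security log needs admin rights.
$Hours     = 24   # look-back window in hours (assumed value)
$Threshold = 5    # failures per account/source pair worth reviewing (assumed value)
$OutFile   = '.\failed-logons.csv'   # export path (assumed value)

# Filter by log, event ID and time at the source instead of reading the whole log.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($evt in $events) {
    # The named 4625 fields are <Data Name="..."> elements under EventData.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Account     = $data['TargetUserName']
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']
    }
}

# Correlate: many failures for one account from one source are worth a closer look.
$summary = $failures | Group-Object Account, SourceIp |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Account  = $ordered[0].Account
            SourceIp = $ordered[0].SourceIp
            Failures = $_.Count
            First    = $ordered[0].TimeCreated
            Last     = $ordered[-1].TimeCreated
        }
    }

if ($summary) {
    $summary | Format-Table -AutoSize
    $summary | Export-Csv -Path $OutFile -NoTypeInformation
} else {
    Write-Output "No account/source pair reached $Threshold failed logons in the last $Hours hours."
}
```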