System logs in Windows record crashes, driver failures, startup problems, and security-relevant activity in a place that survives reboots. Reviewing them helps pinpoint the exact component that failed and the time it happened, which is often faster than guessing from symptoms alone.

The primary tool for viewing logs is Event Viewer, which reads event records written by Windows components and applications. Logs are grouped under Windows Logs (notably System, Application, and Security), and each entry includes a Level, Source, Event ID, and a description that can be correlated with drivers, services, and updates.

Some logs (especially Security) require administrator privileges, and exported log files can contain sensitive identifiers such as usernames, hostnames, and network addresses. Event logs also roll over based on size and retention settings, so older events may have been overwritten on busy systems.

Steps to view system logs on Windows:

  1. Press Windows + R to open the Run dialog.
  2. Enter eventvwr.msc in Run and press Enter.
    eventvwr.msc

  3. Expand Windows Logs in the left pane.
  4. Select a log category such as System, Application, or Security.

    System focuses on drivers and services, Application focuses on app-level failures, and Security focuses on audit events (administrator privileges may be required to view all entries).

  5. Sort the events by Level or Date and Time.

    Sorting by Level brings Critical and Error entries to the top for faster triage.

  6. Double-click an event to open its properties.
  7. Record the Source and Event ID from the General tab.
    Example event details:
    
    Log Name: System
    Source: Kernel-Power
    Event ID: 41
    Level: Critical
    Description: The system has rebooted without cleanly shutting down first.
  8. Open the Details tab to view the structured event data.

    The Details view is useful for copying the structured fields (often as XML) into tickets or search queries.

  9. Click Filter Current Log… in the Actions pane.
  10. Choose the Event level checkboxes and the Logged time range.
  11. Enter one or more values in <All Event IDs> and click OK.

    Multiple IDs can be entered as a comma-separated list (for example 41,1001,6008).

  12. Select Save All Events As… to export the current log view.

    Exported logs can contain sensitive data (usernames, hostnames, IP addresses, file paths), so store and share the file as confidential material.

  13. Open the saved .evtx file via Action → Open Saved Log… to confirm the expected events are present.
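
The filter, export, and verification steps above can also be scripted in PowerShell. This is an added example, not part of the original procedure; the System log, the 7-day window, and the output path are assumptions chosen for illustration.

```powershell
# Added example. Log name, time window and output path are assumptions.
$logName = 'System'
$ids     = 41, 1001, 6008        # Event IDs from the filter step
$levels  = 1, 2                  # 1 = Critical, 2 = Error
$days    = 7
$outFile = Join-Path $env:USERPROFILE 'Documents\system-triage.evtx'

# Filter by level, time range and Event ID (steps 9-11).
# Get-WinEvent reports an error when nothing matches, so suppress it
# and force an array so .Count is always valid.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = $levels
    Id        = $ids
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue)

# Newest first, showing the fields recorded in step 7.
$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Id |
    Format-Table -AutoSize

# Structured data as shown on the Details tab (step 8).
if ($events.Count -gt 0) { $events[0].ToXml() }

# Export only the matching events (step 12). wevtutil takes an XPath
# query; timediff() is measured in milliseconds.
$ms      = $days * 24 * 60 * 60 * 1000
$lvlExpr = ($levels | ForEach-Object { "Level=$_" })  -join ' or '
$idExpr  = ($ids    | ForEach-Object { "EventID=$_" }) -join ' or '
$query   = "*[System[($lvlExpr) and ($idExpr) and " +
           "TimeCreated[timediff(@SystemTime) <= $ms]]]"
wevtutil epl $logName $outFile "/q:$query" /ow:true

# Reopen the saved file and confirm the events are present (step 13).
if (Test-Path $outFile) {
    $saved = @(Get-WinEvent -Path $outFile -ErrorAction SilentlyContinue)
    '{0} event(s) saved to {1}' -f $saved.Count, $outFile
}
```

Reading the Security log this way requires an elevated PowerShell session, and the exported file needs the same confidential handling as one saved from Event Viewer.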