How to Use Event Viewer to Troubleshoot Windows Problems
There is a lot going on under the hood of a Windows computer. Using the Event Viewer, it’s possible to track Windows processes, helping you diagnose pesky problems without an obvious cause.
The Event Viewer can be confusing to use, however, owing to its outdated UI and poor layout. Here is a guide on navigating the Event Viewer to troubleshoot any Windows issues.
Getting Started With the Event Viewer
The Windows Operating System “logs” every significant activity while it runs. The Event Viewer is just an app that helps you access and read these logs in one place, rather than manually opening each text file in Windows Explorer.
- Open Event Viewer by searching for the app in the Start Menu.
- Maximize the app as soon as it opens, because you need the full-screen view to see all the information available.
Understanding the Interface
Event Viewer doesn’t exactly have an intuitive interface. The tool can be a bit confusing at first, so let’s go over all the elements one by one.
Left Pane
On running Event Viewer, you will notice that the window is divided into three panes. The left side categorizes the events in a folder view, letting you quickly navigate to a particular type of event log.
There are four main types of logs:
- Custom Views: The Custom views category, as the name suggests, lets you create custom log selections instead of sticking with the standard categories. For example, the default Administrative Events view collects the Critical, Error, and Warning events from all administrative logs.
- Windows Logs: This folder includes all logs concerning Windows system services. It’s not particularly useful unless you want a detailed look at how the OS is operating.
- Applications and Services Logs: These logs are generated by all kinds of services, from non-critical Windows services to third-party applications. You don’t need to trawl through this list as any errors and warnings are already collected in the Administrative Events view.
- Subscriptions: This category is not available by default, and is unnecessary in most cases. Its only use is to collect events from remote computers, making it an advanced system administration tool.
Middle Pane
This is where the logs are actually listed. By default, it displays an Overview and Summary of events, rather than any specific category.
The first section (and probably the most important) is the Summary of Administrative Events. It lists crucial system events in the past week, giving you a quick glimpse of the system’s health. The events are also classified by their timeframes on an hourly, daily, and weekly basis.
There are five event types in this section:
- Critical: Any major system issues crop up in this category. In a properly functioning computer this category should be empty, but if you spot an event of this type, pay attention to it.
- Error: There are errors in any functional computer. Just because there are events listed in this category does not mean something is necessarily wrong. It is a problem only if the same error shows up frequently on a daily basis.
- Warning: Warnings are generated when something hasn’t really gone wrong yet, but might indicate a possible issue. This includes things like low disk space, or improperly configured drivers.
- Information: This one is completely harmless, as it notes all successful operations on the computer. The source is usually system services, though security applications often show up as well.
- Audit Success: This type of event is generated whenever an authentication attempt is successful. This includes logins and other security measures, so don’t be alarmed to find multiple instances in every timeframe.
- Audit Failure: As the name suggests, this event type includes failed authentication attempts. This is a good way to see if anyone has tried gaining access to your PC, either through a network connection or a direct login.
Right Pane
The right panel of the window contains all actions you can take for a selected item. The actions change based on whether you have a folder selected or an event.
You can Create a Custom View, view the Properties of a log, or Save Selected Events to view them later, among other actions.
How to Read Event Logs
Opening a view and going through the event logs is simple enough, but how do you make sense of all that information? Here’s a breakdown.
When you select an event, the General tab opens up, displaying a short summary of the error followed by a bunch of information fields:
- Log Name: The name of the log the event belongs to. Mostly useful to identify the Windows service under which the event occurred.
- Source: Usually the same as the log name, as it lists the source application of the event.
- Event ID: Each event has a unique event ID. This ID helps identify a specific event from other events of a similar nature, even when they are generated from the same process.
- Level: This is the tag that decides the priority level of the event. You have already seen tags like Error and Critical in the Administrative View, and this field is where they are taken from.
- User: The User account that generated the event. Useful in diagnosing problems in multi-user systems.
- Opcode: This field is supposed to identify the activity of the process in question before the event was triggered, but in practice it almost always defaults to Info.
- Logged: The timestamp of the event, including the date as well.
- Task Category: Another field supposed to provide additional information about the originating process, though mostly left empty.
- Computer: The name of the PC that created the event. Useless when you are working with a single system, but crucial when dealing with events forwarded from a network computer.
That may seem like a lot of information to take in, but you don’t need to read through all the fields. The most important fields are Level and Source.
With Level, you can tell how serious the event is (with Critical events being most important) and Source informs you of the originating app or component. This lets you find and kill the problematic process.
How to Troubleshoot Windows Problems With the Event Viewer?
When you suffer a sudden system crash, your first stop should be the Event Viewer. Run the Administrative View and check for any Critical events.
As fatal system crashes always generate a Critical event, this helps you quickly zero in on the errant process and start looking for a fix. Depending on the Windows component involved, the fix might be as simple as updating drivers or running SFC from the Command Prompt.
For smaller issues, you may have to go through the Error events as well. It helps if you know which app or feature is misbehaving, as even a healthy system generates some errors.
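The same triage the article describes in the Event Viewer UI (Critical/Error/Warning over the last week, the General-tab fields, spotting an error that recurs daily, and Audit Failure events) can be scripted. The script below is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later, read access to the System and Application logs, and an elevated prompt for the Security log. It only queries the System and Application logs, a simplification of the Administrative Events view, which also pulls in the admin channels under Applications and Services Logs.

```powershell
# Added example (not from the original article): reproduce the Administrative Events triage
# from the command line. Assumes Windows PowerShell 5.1+ and read access to the logs queried.
$since = (Get-Date).AddDays(-7)

# Level values used by Windows event logs: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
$filter = @{ LogName = 'System', 'Application'; Level = 1, 2, 3; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# The fields the General tab shows, mapped to their EventLogRecord property names.
$fields = @(
    @{ n = 'Logged';   e = { $_.TimeCreated } },
    @{ n = 'Level';    e = { $_.LevelDisplayName } },
    @{ n = 'Source';   e = { $_.ProviderName } },
    @{ n = 'EventID';  e = { $_.Id } },
    @{ n = 'LogName';  e = { $_.LogName } },
    @{ n = 'Computer'; e = { $_.MachineName } }
)
"Most recent Critical/Error/Warning events (Critical first):"
$events | Sort-Object Level, TimeCreated -Descending | Select-Object -First 10 -Property $fields | Format-Table -AutoSize

# "It is a problem only if the same error shows up frequently on a daily basis":
# group Critical/Error events by Source + Event ID and count the distinct days each pair appeared.
"Errors seen on three or more separate days this week:"
$events |
    Where-Object Level -le 2 |
    Group-Object ProviderName, Id |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Group[0].ProviderName
            EventID  = $_.Group[0].Id
            Count    = $_.Count
            DaysSeen = @($_.Group.TimeCreated.Date | Sort-Object -Unique).Count
        }
    } |
    Where-Object DaysSeen -ge 3 |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Audit Success/Failure are keywords, not levels, so they are filtered via the Keywords entry.
# They live in the Security log, which normally requires an elevated prompt to read.
$auditFailure = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
"Most recent Audit Failure events:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = [long]$auditFailure; StartTime = $since } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The first table is the same information you would read off the General tab; the second applies the article's "same error, every day" rule mechanically so you can see at a glance which Source/Event ID pairs deserve a closer look.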