How to work with the Event Viewer in Windows
Some of our readers have asked themselves "What on Earth is the Event Viewer, and why would I want to work with it?" Windows starts to keep track of what it is doing as soon as you start it up, and continuously saves log files that can provide a wealth of information when something goes wrong, and even when everything is fine. The Event Viewer gives you an easy way to look at those logs. In this tutorial, we take a look at the Windows logs, and the information Event Viewer provides about what is going on with your system:
What are the Event Viewer snap-in and the events it displays?
In technical terms, Microsoft refers to things like app installations, security management operations, and system setup operations as "events." Event Viewer is a built-in Windows application that lets you check the events that take place on your computer, by giving you access to logs about program, security, and system events. With the information found in the Event Viewer, you can troubleshoot your Windows computer and see whether there are any hardware or software problems. Microsoft also refers to the Event Viewer as a "Microsoft Management Console Snap-In," a term you might have encountered before. We are not sure why Microsoft chose to call it a "snap-in," but then programmers think in different terms from the users of their software.
To summarize, Microsoft calls it viewing events with a snap-in, and the rest of us call it looking at logs with Event Viewer. There are five primary types of events recorded by Event Viewer in Windows:
- Application: shows events related to software installed on your computer
- Security: contains events related to the security of your computer
- Setup: refers to domain control events, which is something home users do not use, but enterprises do
- System: shows events related to Windows system files
- Forwarded Events: events from other computers in your network, which were forwarded to your computer
Each event in each category of events can have one of these levels:
- Error: means there might have been data loss or some program is not working correctly, or a device driver failed to load. The event was critical, and you should investigate what caused it.
- Warning: is less severe than an Error message (programmer terminology at work again). You might get a Warning message if you are running out of space on a flash drive, for example. Another example is when some wrong parameters have been sent to an application, and it cannot use them in a useful way. A Warning message gives you an alert about a particular event, but it does not necessarily mean that something terrible has happened.
- Information: shows you details about things happening on your computer. Most of the log entries are classified as Information, which means that Windows or the applications are doing what they are supposed to be doing, or, if there was an error (not what a programmer would call an "error") of some kind, it did not cause any problems.
Let's see how to launch Event Viewer in Windows, and how to use it to gather information and troubleshoot your computer or tablet:
How to open the Event Viewer
In Windows, the fastest way to start the Event Viewer is by searching for it. Type "event viewer" into the search box from your taskbar (in Windows 10) or your Start Menu (in Windows 7), or directly on the Start Screen (in Windows 8.1). Then, click or tap on the Event Viewer search result.
There are also other ways to open Event Viewer in Windows, but we have already shown them in this tutorial: How to start the Event Viewer in Windows (all versions).
Once you launch it, it may take a few seconds for the Event Viewer to appear, since it needs to be initialized before you use it for the first time. It should look something like this:
Let's see the various ways you can view and display Windows logs, and how to check what they mean so that you can troubleshoot problems on your computer:
How to use Event Viewer to check on the Application events
Expand the menu item called Windows Logs in the left panel, to see the Application, Security, Setup, System, and Forwarded Events logs that we talked about in the previous section of this tutorial.
Note that the Security log is the only one that is not available to standard users. You can see its content only if you are logged in using an administrator account, or by right-clicking and choosing Run As Administrator when you start the Event Viewer.
Maximize the Event Viewer window so you can see what is going on more clearly. Then, click on one of the event categories in the left pane. For now, click/tap on Application. In the center of the Event Viewer window, you should now see many messages.
Windows keeps track of everything it has been doing and classifies the information in one of three ways: Error, Warning, or Information. You can click or tap on any individual entry (single-click) to see an explanation displayed in the lower panel. You can also see the event shown in the right panel, with a menu of actions you can take.
The explanations that appear are often cryptic, and some of the error messages look downright ominous. Just keep in mind that most messages are just that: messages. They do not mean that anything is wrong. Each event also has an Event ID, and there are a lot of those. To get information on those Event IDs, search for them on this website: EventIDNet. When you find the event, do not forget to also check the comments at the bottom of the first webpage. This is where other users explain what happened, and where you are more likely to see an explanation that can be understood by regular users too.
When you have selected an event, you can see its name duplicated and highlighted in the lower half of the right pane. Try clicking on different events to see this display change.
Note that the information in the right pane is the same for all of the Windows Logs in the left pane. Some of what appears in the right pane duplicates what you see in the bottom pane. For example, if you click on Event Properties in the right pane, a window pops up with the same error message that you see in the lower pane. However, you can do more with the information from the Event Properties window.
If you click on Copy, it does not just copy the error message: it copies that whole section of the error log. If you are discussing a problem with technical support, the tech-support person may ask you to provide a transcript of the error log. This is the fastest and easiest way to get it. Click that Copy button and then use Ctrl+V to paste the result. Here is what it looks like when you paste one such message into Notepad.
There is also a separate Copy menu item in the right pane, which gives you two options: "Copy Table" and "Copy Details as Text":
- "Copy Table" copies the one-line error message that appears in the upper pane.
- "Copy Details as Text" works the same as the Copy button in the Event Properties window.
To get a fuller explanation of an error, from the Event Properties window you can click Event Log Online Help, to be taken to Microsoft's TechNet website. However, it looks like they are not online anymore. Since TechNet was designed with the expert user in mind anyway, the explanation you could find there might not have been any more instructive than the original cryptic message. So, a likely better option is for you to highlight the message, copy it, then paste it into your favorite search engine. We have found that using Bing is more likely to list Microsoft pages, but your experience may be different. It is worth trying more than one search engine to get understandable results. Usually what you find is a forum where someone is asking about that message. The replies to the question might or might not be useful. It would have been nice if Microsoft had provided some web pages to explain these things to normal users.
If you click on Save Selected Event, a window pops up with your Documents folder. If you store your documents somewhere else, you can use this window the same way you would use File Explorer or Windows Explorer to locate your preferred folder for storage. The event is saved as an event file, with the suffix ".EVTX". If you double-click on that file, it opens up the Event Viewer: a second instance of the program if you already have it running.
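The same Error and Warning entries can be pulled from the command line and grouped, so that a handful of recurring Event IDs stands out from the long list in the center pane. This is an added example, not part of the original tutorial; the function name `Get-EventSummary` and the 24-hour window are assumptions chosen for illustration.

```powershell
# Added example: summarise recent Error and Warning events by log, source and Event ID.
# Numeric levels used by the event log: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
function Get-EventSummary {
    param(
        [string[]]$LogName = @('Application', 'System'),  # logs to read
        [int[]]$Level      = @(2, 3),                      # Error and Warning
        [int]$Hours        = 24                            # look-back window (assumption)
    )

    $filter = @{
        LogName   = $LogName
        Level     = $Level
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports "no matching events" as an error rather than an
    # empty result, hence -ErrorAction SilentlyContinue.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object LogName, ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            # Events arrive newest first, so the first member of each group
            # is the most recent occurrence.
            $newest = $_.Group[0]
            [pscustomobject]@{
                Count    = $_.Count
                Log      = $newest.LogName
                Source   = $newest.ProviderName
                EventId  = $newest.Id
                Level    = $newest.LevelDisplayName
                LastSeen = $newest.TimeCreated
            }
        }
}

Get-EventSummary | Format-Table -AutoSize
```

The Source and EventId columns together are what to search for when looking up an event. A file saved with Save Selected Event can be read with `Get-WinEvent -Path` followed by the path to the .evtx file.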
How to use Event Viewer to check on the Security events
Click on the Security menu in the left pane. Here you can find another list of messages, most of which should be labeled Audit Success. Windows does a security audit each time you log on, and each time you create, modify or delete a file. It also logs any attempt to use resources for which you do not have authorized access, in which case the label would be Audit Fail. It also checks your system integrity. Scroll the display to the right, if necessary, or drag and drop the column widths so you can see the labels for each event.
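For reviewing the Security log, the failed-audit entries are usually the ones worth reading first. The following added example (not from the original tutorial) counts them per Event ID; the function names `Test-IsElevated` and `Get-AuditFailureSummary` and the 24-hour window are assumptions, and the session must be started with Run As Administrator, as noted earlier for this log.

```powershell
# Added example: count failed-audit events in the Security log per Event ID.
function Test-IsElevated {
    # True when the current session holds the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AuditFailureSummary {
    param([int]$Hours = 24)   # look-back window (assumption)

    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated session: the Security log is not readable by standard users.'
    }

    # The audit result shown in the Security log's Keywords column is stored
    # as a keyword bit on each event; filter on the failure bit.
    $failure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Keywords  = $failure
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            $newest = $_.Group[0]          # events arrive newest first
            [pscustomobject]@{
                EventId  = $newest.Id
                Count    = $_.Count
                Category = $newest.TaskDisplayName
                LastSeen = $newest.TimeCreated
            }
        }
}

Get-AuditFailureSummary | Format-Table -AutoSize
```

An empty result means no failed audits were recorded in the window. A sudden jump in the count for a single Event ID is the pattern to look into.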
How to use Event Viewer to check on the Setup events
Each time you set up new software, and each time you install Windows updates, the Event Viewer creates a log in the Setup menu. Each Windows Update item may generate multiple entries in the log. You can see here that many things happened at the same time on February 14, 2018.
Each event also has an Event ID code. Those are as follows (our simplified explanation rather than the official Microsoft terminology):
- Windows 10 has been asked to install something and is working on it.
- The installation was successful.
- The software attempted to prepare itself for installation but did not succeed.
- The computer must be rebooted before the installation is complete. This is often encountered in the case of Windows updates.
How to use Event Viewer to check on the System events
The System log is, as you might expect, for system messages generated by Windows and by other installed software such as device drivers. If something fails to load, there will be a log entry for it here, marked as a Warning. In the screenshot below, you can see a Warning about a driver that failed to load on the first attempt.
Each of these events has an event ID, but looking them up may or may not be informative.
Conclusion
This tutorial covered the primary use of the Event Viewer, and we only looked at each log, rather than taking any action. While the Event Viewer is a program aimed at more advanced users, anyone can find useful information by using it. Do you use Event Viewer to troubleshoot problems on your Windows computer or tablet? Share your thoughts in the comments section below.