What you should know about Windows’ Event Viewer

By Woody Leonhard

Most of the Windows utilities we talk about in the Windows Secrets Newsletter help you work faster or better or smarter, but Windows Event Viewer doesn’t fall into that category.

A powerful diagnostic tool, Event Viewer is now being used by online support scammers who make big bucks preying on people’s fears.

As I explained in my Feb. 3 Top Story, scammers are cold-calling people in North America, Europe, Australia, and other locations, claiming to be Windows support technicians — in some cases, gaining access to users’ PCs and personal information.


The con I discussed back in February described how a caller, possibly from India, contacted a Windows Secrets reader in the U.S. and claimed to be working on behalf of Microsoft support. My reader had posted a support question on what he thought was a Microsoft site. It was a very good con: the scammer knew the reader’s name, phone number, and the fact that he was having a problem with Windows XP. He cleverly convinced the reader to open Event Viewer and look at all the red and yellow flags indicating a malware attack. The con almost worked.

Of course, any phone call to a household in North America stands a good chance of striking pay dirt when the topic is some sort of Windows problem. Call ten people in your town at random, and say you’re calling on behalf of Microsoft (and sound like you know what you’re talking about), and I bet at least one or two of your neighbors will take you up on the offer. In my neck of the woods, it would probably be closer to nine out of ten.

In the case of my nearly duped reader, the scammer first tried to get money for the support, claiming the Windows warranty had expired. The reader was almost convinced to give the con artist direct access to the reader’s home computer via Windows Remote Access. Fortunately, the intended victim smelled something fishy and cut off the conversation. But how many other people that day got snookered by that same wily scammer?

It could be many. Lately, I’ve received a rash of messages from people who have been approached in similar ways. There’s even a post about it on the Windows Secrets Lounge. So be aware of this malicious con. To help you understand how it works, I’ll dissect this specific scare technique — used to make you believe you need their help. It all hinges on Windows’ Event Viewer, which I talked about briefly in my March 4 Top Story on the Windows Reliability Monitor.

Here’s the rest of the story.

What the Event Viewer does — and how to use it

Windows has had Event Viewer for almost a decade. Most Windows users don’t know about it, and far fewer still know how to use it. Microsoft says the utility “maintains logs about program, security, and system events on your computer. You can use Event Viewer to view and manage the event logs, gather information about hardware and software problems, and monitor Windows security events.” In other words, it gives you a detailed window into what your system has been doing.

Windows has not just one event log file, but many; there are administrative, operational, analytic/debugging, and application logs. The logs are simple text files, written in XML format.

Every program that starts on your PC posts a notification in an event log, and every well-behaved program also posts a notification when it stops. Every system access, security change, operating-system twitch, hardware failure, driver hiccup, and more ends up in an event log. The Event Viewer scans those logs, aggregates them, and puts a pretty interface on an otherwise voluminous — and often deathly dull — set of machine-generated data.

In theory, event logs track significant events on your PC. (See Microsoft’s Help & How-to page, “What information appears in event logs [Event Viewer]?” for more info on what’s in the logs.) But in practice, what’s significant is a bit squishy — it will be different for a programmer, a repair tech, or just a regular Windows user. What’s vital and self-evident to a programmer, for example, might be useless gibberish to a user.

Still, when a PC’s condition takes a downturn, the Event Viewer can give PC users some insights into the source of problems. If you’ve never used it, I suggest taking a few minutes and checking it out. Note: You’ll need to run Event Viewer with an administrator password or account.

The Event Viewer built into Windows Vista and Win7 runs rings around XP’s version (shown in Figure 1). For Vista and Win7, Microsoft not only built a better interface but made it easier to ignore unimportant events, program more meaningful event notifications, and find what you’re looking for.

Figure 1. Windows XP’s Event Viewer is a very straightforward text-viewing application that looks into XP’s log files.

To start the Event Viewer in Windows XP, click Start, Control Panel, Performance and Maintenance, and Administrative Tools. Then double-click Computer Management.

In Vista, click Start, Control Panel, System and Maintenance, and Administrative Tools. Next, double-click Event Viewer.

In Win7, it’s Start, Control Panel, System and Security, and Administrative Tools. Double-click Event Viewer. (Or just click Start, type event into the Search programs and files box and press Enter.)

In Windows Vista and Windows 7, chances are good that the events you want to look at are in the Administrative Events folder. Double-click it; you’ll see the most important system-wide events listed to the right, as in Figure 2.

Figure 2. Windows Vista and Win7 put the most important events into the Administrative Events folder.

Note that even the best-kept system (well, my production system anyway) boasts hundreds, if not thousands, of lines of scary-looking error messages. That’s normal.

Event-worthy — and not-worthy — warnings

Before you get hot and bothered about the thousands of errors on your PC, look closely at the date-and-time field. The bulk of them probably date back to when you first installed the PC. Chances are good you’ll see a handful more for every day the PC has been on — most of these are just repeats of the same error or warning. Generally, they have little or no effect on the way you use Windows; you may safely yawn and say, “Who cares?”
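To see for yourself how much of that scary list is just the same few messages repeating, here is a PowerShell script I’ve added for this write-up (it is not part of the original article or of any Microsoft tool). It assumes Vista or Win7 (Get-WinEvent is not available on XP), an elevated PowerShell prompt, and that you save it as a .ps1 file; the 30-day window is my own default.

```powershell
# Added example: group the last N days of critical, error and warning events
# from the System and Application logs by source and event ID, so repeats of
# one old message show up as a single line with a count instead of a wall of red.
# Assumes Windows Vista/7 or later, PowerShell 2.0+, run as administrator.

param(
    [int]$Days = 30        # how far back to look (assumed default)
)

$since = (Get-Date).AddDays(-$Days)

# Level 1 = Critical, 2 = Error, 3 = Warning; Informational entries are skipped.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No critical, error or warning events in the last $Days days."
    return
}

# One line per distinct source/ID pair: how often it repeats, and when it
# was first and last seen. Old repeats are the "who cares?" category; a
# message that first appeared in the last day is the one worth reading.
$summary = $events |
    Group-Object -Property ProviderName, Id |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        $first  = $sorted | Select-Object -First 1
        $last   = $sorted | Select-Object -Last 1
        New-Object PSObject -Property @{
            Source    = $first.ProviderName
            EventId   = $first.Id
            Level     = $first.LevelDisplayName
            Count     = $_.Count
            FirstSeen = $first.TimeCreated
            LastSeen  = $last.TimeCreated
            NewToday  = ($first.TimeCreated -gt (Get-Date).AddDays(-1))
        }
    } |
    Sort-Object Count -Descending

"{0} events collapse to {1} distinct source/ID pairs." -f @($events).Count, @($summary).Count
$summary | Format-Table Source, EventId, Level, Count, FirstSeen, LastSeen, NewToday -AutoSize
```

Lines with a large Count and an old FirstSeen are the repeats the article describes; a line with NewToday set to True is the only kind that deserves a second look.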

For example, looking through my most recent event log, I see a bunch of errors generated by the Microsoft Security Essentials program MSESysprep.dll. The warning

“The element imaging appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows”

sounds ominous, doesn’t it? But if you look up the error message, you’ll find this sage advice from Microsoft MVP Stephen Boots on a Microsoft Answers page: “The Event Viewer is a great tool to troubleshoot issues. If you are not experiencing an issue, take Jeff’s advice … he’s from Microsoft.” Jeff’s advice? Ignore it.

That’s exactly my advice. If you aren’t experiencing problems, don’t sweat what’s in the Event Viewer. And even if you’re experiencing problems, the Event Viewer might not be able to help you.

In some cases, Event Viewer can help you by pinpointing problems or explaining odd behavior that would be very hard to isolate otherwise. For example, TechRepublic’s Greg Shultz blogged about using Event Viewer to diagnose slow boot times on a Win7 PC — and to find a failing hard drive. Sure, there are a dozen ways to monitor hard drives, but you might not immediately associate slow boots with a bad drive. The Event Viewer provided the needed view of the boot sequence’s inner workings.

On Windows SevenForums, Brink explains how to find the results of a Windows CHKDSK run inside the event logs. That information could be handy if you can’t run that important diagnostic command manually.

Event Viewer can also help you nail down network access problems; the Windows programs that control network communication spill a large number of details into the event logs. Unfortunately, translating the logs into English can be a daunting task. But at least you might be able to tell where the problem occurs — even if the logs don’t give you a clue as to how to solve the problem.

What to do if you’re getting scammed

At this point, it should be obvious that your event history is a virtual cesspool of information. And that you’re being taken for a ride if you get an unexpected support call — especially if you’re asked for payment or access to your PC.

Yes, under certain circumstances, Event Viewer can give you worthwhile information. But for most Windows users, most of the time, it’s a scary place that can obfuscate issues and intimidate you. It’s especially of little value if you aren’t conversant with terms such as DHCP or DNS or Kerberos — just to mention a few of the Windows processes that recently showed up in my event logs.

If you figure you’ve been scammed, or you know someone who fell for the Event Viewer shtick, you should first make sure that your machine isn’t infested. Letting someone else run their software on your machine is a sure road to disaster. Put your PC through as thorough a scan as you can muster, using at the very least Microsoft Security Essentials (info page) and Malwarebytes (site).

If you let someone onto your machine, you also have to assume they’ve made off with some of your files — many of the scammers are smart enough to pull data right out from under your nose.

If you suspect data theft, start with the U.S. Federal Trade Commission’s Identity Theft site. There you’ll find important information about how to recover from — or at least cope with — the loss.

Also keep in mind that if your data was taken by someone outside your home country, your chances for restitution are zero.

Pat yourself on the back if you kept the bad guys out of your PC. But if you handed over some money, head directly to your credit card company’s fraud reporting unit. Insist that you get your money back; and even if you don’t, at least you’ll be adding your voice to the worldwide call for regulation against these Event Viewer scams.

Most successful scams are exceptionally clever at separating a mark from his (or her) money. Those who get conned are often too embarrassed to report it — or they’re never sure that they were actually swindled.

Bottom line: If somebody calls you, convinces you to open up your Event Viewer, and requests money, it’s a con. And if you’ve been taken, fight back — for everybody’s sake.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.


All Windows Secrets articles posted on 2011-10-27:

About Woody Leonhard

Woody Leonhard is a Windows Secrets senior editor and a senior contributing editor at InfoWorld. His latest book, the comprehensive 1,080-page Windows 8 All-In-One For Dummies, delves into all the Win8 nooks and crannies. His many writings tell it like it is — whether Microsoft likes it or not.