Monday, February 9, 2015

Lesson 3: Using Event Viewer to Troubleshoot Problems

In today’s edition of Geek School, we’re going to teach you how to use Event Viewer to troubleshoot problems on your PC and understand what is going on under the hood.
SCHOOL NAVIGATION
  1. Understanding Windows Administration Tools
  2. Using Task Scheduler to Run Processes Later
  3. Using Event Viewer to Troubleshoot Problems
  4. Understanding Hard Drive Partitioning with Disk Management
  5. Learning to Use the Registry Editor Like a Pro
  6. Monitoring Your PC with Resource Monitor and Task Manager
  7. Understanding the Advanced System Properties Panel
  8. Understanding and Managing Windows Services
  9. Using Group Policy Editor to Tweak Your PC
The biggest problem with Event Viewer is that it can be really confusing – there are a lot of warnings, errors, and informational messages, and without knowing what it all means, you can assume (incorrectly) that your computer is broken or infected when there’s nothing really wrong.
Tech support scammers use Event Viewer as part of their sales pitch to convince confused users that their PC is infected: they walk you through filtering the log down to only errors and critical events, then act shocked that all you can see are errors. Every Windows machine has some, so the "evidence" proves nothing.
Learning how to use and understand Event Viewer is a critical skill for figuring out what is going on with a PC, and troubleshooting problems.

Understanding the Interface

When you first open Event Viewer, you’ll notice it uses the three-pane configuration like many of the other administrative tools in Windows, although in this case, there are actually quite a few useful tools on the right-hand side.
The left-hand pane displays a folder view, where you can find all of the different event logs, as well as the views that can be customized with events from many logs at once. For instance, the Administrative Events view in recent versions of Windows displays all of the Error, Warning, and Critical events whether they originated from the Application log or the System log.
The middle pane displays a list of events, and clicking on them will display the details in the preview pane – or you can double-click on any of them to pull it up in a separate window, which can be handy when you are looking through a big set of events and want to find all the important things before beginning an internet search.
The right-hand pane gives you quick access to actions like creating custom views, filtering, or even creating a scheduled task based on a particular event.
The events themselves are what we’re trying to see, of course, and their usefulness can range from really specific and obvious things that you can fix easily to the very vague messages that don’t make any sense and you can’t find any information on Google. The regular fields on the display contain:
  • Log Name – while in older versions of Windows everything got dumped into the Application or System log, in the more modern editions there are dozens or hundreds of different logs to choose from. Each Windows component will most likely have its own log.
  • Source – this is the name of the software that generates the log event. The name usually doesn’t directly match with a filename, of course, but it is a representation of which component did it.
  • Event ID – the all-important Event ID can actually be a little confusing. If you were to Google for “event ID 122” that you see in the next screenshot, you wouldn’t end up with very useful information unless you also include the Source, or application name. This is because every application can define their own unique Event IDs.
  • Level – how severe the event is. Information records that something started, changed, or completed. Warning means something might be going wrong but nothing has failed yet. Error means something failed that shouldn’t have, though the component usually carries on. Critical means a failure the component could not recover from, typically a crash.
  • User – the account the process that logged the event was running as (SYSTEM, a service account such as NETWORK SERVICE, or your own user account). This is useful for telling a Windows component’s activity apart from something that ran as you.
  • OpCode – this field theoretically tells you what activity the application or component was doing when the event was triggered. In practice, however, it will almost always say “Info” and is pretty useless.
  • Computer – on your home desktop, this will usually just be your PC’s name, but in the IT world, you can actually forward events from one computer or server to another computer. You can also connect Event Viewer to another PC or server.
  • Task Category – this field is not always used, but it ends up basically being an informational field that tells you a bit more information about the event.
  • Keywords – a set of flags the source attaches to the event. In most logs they tell you nothing you didn’t already know, but in the Security log this field carries Audit Success / Audit Failure, which is exactly what you filter on when hunting for failed logons.
As a rule of thumb, you should try searching by the general description, or the Event ID and the Source, or a combination of those values.
Just remember that the Event ID is unique… for each application. So there is a lot of overlap and you can’t just search for “Event ID 122” because you’ll get a lot of nonsense.
Important Note: There are always going to be errors and warnings in the event log, and you can’t solve all of them. The most important thing is to use Event Viewer to troubleshoot problems you are already having, rather than trying to find problems that you don’t know about yet.
And yes, you are going to need to use your Google skills to research the events that you don’t know about. There’s no easy magic solution.
The one thing that you might immediately do when seeing this dialog is click that More Information link… the problem is that it currently doesn’t take you anywhere useful. You just end up at an error page on Microsoft’s site.
What’s scary is that 8464 people rated the Page Not Found as helpful.

Remapping the Online Event ID Search to Actually Work

For some reason, the “More Information: Event Log Online Help” link just flat out doesn’t work for us, but luckily there’s a great registry hack that you can use to fix the problem.
What we’re going to do is just change the redirection URL in the registry to point towards Google… except because of the way that the arguments are passed, we’ll need to point it towards an intermediate page that will parse out the arguments and form the correct Google search URL.
For the purpose of this article we put up a page on our own server, and you are welcome to use it. If you’d rather not use our server, the single line of PHP code is listed out at the end of this section.
To make this change, head down to the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\EventViewer
Find the MicrosoftRedirectionURL value on the right-hand side, and then change the value out from the default, which is http://go.microsoft.com/fwlink/events.asp and insert this value instead:
http://www.howtogeek.com/eventid
Once you’ve done that, clicking on the link in the Event Properties window will immediately redirect you over to Google, with the relevant data already included (Event ID, Source, and the product name, which tends to just say Microsoft Windows). Keep in mind that whoever runs the page you point this value at receives the details of every event you click through on, so point it at a host you trust, or host the script yourself.
How does this work? It’s pretty simple – Event Viewer adds on a set of parameters as query string arguments to the URL that we put into the registry. Then the script extracts those arguments and redirects over to Google, passing the arguments as search terms instead.
Using a simple PHP script, this is what we came up with to handle the redirect. The version below adds the two things the original one-liner lacked: the opening PHP tag, and rawurlencode() on the search string so spaces and any unusual characters in the source or product name survive the trip into the query string instead of producing a malformed URL.
<?php
header('Location: https://www.google.com/search?q=' . rawurlencode('Event ID ' . ($_GET['EvtID'] ?? '') . ' ' . ($_GET['EvtSrc'] ?? '') . ' ' . ($_GET['ProdName'] ?? '')));
exit;
You can host the same thing over on your own server if you want, or you can use the one sitting on our server. Up to you.
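The same registry change done from PowerShell, as an added example that is not part of the original article. It reads the current value first and warns if it is neither Microsoft’s default nor the target, since a changed redirection URL sends every “More Information” click, event details included, to whatever site is configured. The key, value name and default URL are the ones quoted above; the backup file path is this example’s own choice. Run it from an elevated prompt, because the value lives under HKLM.

```powershell
# Added example (not from the original article): inspect, change, and restore
# the Event Viewer "More Information" redirection URL. Run elevated: the value
# lives under HKLM, so writing it needs administrator rights.
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EventViewer'
$name    = 'MicrosoftRedirectionURL'
$default = 'http://go.microsoft.com/fwlink/events.asp'   # default quoted in the article
$target  = 'http://www.howtogeek.com/eventid'            # article's redirect page; use your own host if you prefer
$backup  = "$env:TEMP\EventViewerRedirect.bak"           # backup location chosen for this example

function Get-EventRedirectUrl {
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

function Set-EventRedirectUrl {
    param([Parameter(Mandatory)][string]$Url)
    $current = Get-EventRedirectUrl
    # Anything other than the default or our own target means something else
    # already redirected this link; look into that before overwriting it.
    if ($current -and $current -ne $default -and $current -ne $Url) {
        Write-Warning "Existing value is neither the Microsoft default nor the target: $current"
    }
    # Keep a copy of whatever is there now so the change can be undone.
    Set-Content -Path $backup -Value $current
    Set-ItemProperty -Path $key -Name $name -Value $Url -Type String
}

function Restore-EventRedirectUrl {
    $saved = Get-Content -Path $backup -ErrorAction SilentlyContinue
    $restoreTo = if ($saved) { $saved } else { $default }
    Set-ItemProperty -Path $key -Name $name -Value $restoreTo -Type String
}

"Current value: $(Get-EventRedirectUrl)"
Set-EventRedirectUrl -Url $target
"New value:     $(Get-EventRedirectUrl)"
# To undo the change later:  Restore-EventRedirectUrl
```

Because Event Viewer only ever opens this URL in your default browser with the event details appended as query-string arguments, the script on the far end sees exactly what the PHP above reads: EvtID, EvtSrc and ProdName.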

Beware Internet Sites with “Solutions” for Event ID “Problems”

There are a ton of web sites out there that automatically generate pages for every single event ID, and then populate them with nonsense. That would be just fine, except for many of these events, there are not a lot of other good results.
Those sites will then offer to solve the problem if you just download some piece of software for your free analysis. In all cases these will be ads, and the software “solution” is a fraud.
There is NO software package that can solve all of your event log problems.

Using Filters and Custom Views

Rather than going through the zillion folders of custom event logs and trying to find everything that you’re looking for, you can create a custom view that displays just the events that you want to see.
For best results, filter by just the specific things you want to see – probably Critical, Error, and Warning – and then pick the specific event logs you want this view to look through. Don’t select too many logs, though: under the hood a custom view is an XPath query with a Select clause per log, and a query that spans too many logs grows past what Event Viewer will accept, so the view simply fails to be created.
Once you’ve selected what you want in the view, you’ll be asked to give the custom view a name, and then you can use it to see just the events that you’ve filtered for. It’s an incredibly great way to deal with massive logs full of nonsensical information events.
Perhaps even easier, of course, is to just use the built-in Administrative Events view, which displays the important messages from each of the main logs.
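The filter a custom view applies, written out as the XPath QueryList that Event Viewer generates behind the scenes and run from PowerShell, as an added example that is not part of the original article. It then tallies events by the Source + Event ID pair, which is the combination the article says to search on. The System and Application logs and levels 1–3 (Critical, Error, Warning) are the article’s own choices; the Kernel-Power 41 drill-down at the end is an illustrative pick, not an event from the article.

```powershell
# Added example (not from the original article): the same filter a custom view
# applies, expressed as the XPath QueryList Event Viewer builds behind the
# scenes, and run with Get-WinEvent.
$query = @'
<QueryList>
  <Query Id="0">
    <!-- Level 1 = Critical, 2 = Error, 3 = Warning; one Select clause per log -->
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
$events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 500 -ErrorAction SilentlyContinue

# The same filter without XML, for the common case:
# Get-WinEvent -FilterHashtable @{ LogName = 'System','Application'; Level = 1,2,3 } -MaxEvents 500

# Source + Event ID is the pair worth searching on, so tally by that pair to see
# which events actually dominate the log rather than which one is newest.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Drill into one pair once you know which one matters (illustrative choice:
# Kernel-Power event 41, logged after an unexpected shutdown).
$events |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Power' -and $_.Id -eq 41 } |
    Select-Object TimeCreated, LevelDisplayName, Message
```

Saving a custom view from the GUI produces this same QueryList inside an XML wrapper, so a view you build once can be pasted straight into a Get-WinEvent call or a scheduled check.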

Look Through the Windows Diagnostics Performance Log

There are a lot of interesting logs to look at when you are troubleshooting, but one of the most interesting is found by browsing through the folders to the following location:
Microsoft \ Windows \ Diagnostics-Performance
This log holds the measurements Windows takes of its own startup and shutdown: every boot gets an entry with the total boot time, and when a boot is slower than normal, Windows will usually log a further entry naming the driver, service, or application it blames for the delay.
It’s worth noting that just because the message shows an error doesn’t mean it’s the end of the world, unless it shows up all the time. Then you might want to think about it.
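Reading the Diagnostics-Performance log from PowerShell, as an added example that is not part of the original article. It pulls the per-boot timing out of event 100 and counts how often each component is blamed in the degradation events, which is the “does it show up all the time?” check the paragraph above recommends. The event IDs (100 for boot timing; 101, 102, 103 for a slow application, driver, or service) and the EventData field names BootTime, MainPathBootTime, BootPostBootTime and Name are what these events carry on current Windows versions; treat the field names as an assumption if your build differs.

```powershell
# Added example (not from the original article): boot-performance history from
# the Diagnostics-Performance log. Event 100 is logged on every boot with the
# timings; 101 (application), 102 (driver) and 103 (service) name a culprit.
$log = 'Microsoft-Windows-Diagnostics-Performance/Operational'

# Turn one event's <EventData> into a name -> value hashtable.
function Get-EventDataMap {
    param([Parameter(Mandatory)]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Boot time trend: the BootTime fields are milliseconds (field names assumed, see lead-in).
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 100 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = Get-EventDataMap -Event $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Level       = $_.LevelDisplayName
            BootSeconds = [math]::Round([int]$data['BootTime'] / 1000, 1)
            MainPathSec = [math]::Round([int]$data['MainPathBootTime'] / 1000, 1)
            PostBootSec = [math]::Round([int]$data['BootPostBootTime'] / 1000, 1)
        }
    } | Format-Table -AutoSize

# Who gets blamed, and how often. A single 101 is noise; the same Name on every
# boot is the one worth investigating.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 101,102,103 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = Get-EventDataMap -Event $_
        [pscustomobject]@{ Id = $_.Id; Name = $data['Name'] }
    } |
    Group-Object Id, Name |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the log is empty on a machine, check that the Diagnostics-Performance/Operational log is enabled (it is by default) and that the machine has actually rebooted since; the 100-series events are written a short while after logon, not at the moment the desktop appears.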

Fixing that Error from Earlier

Curious about the Event in the screenshot earlier in the article? If you get the message “Access to drivers on Windows Update was blocked by policy”, the solution is really simple. Open up Control Panel, search for “driver” and then choose Change device installation settings.
You’ll notice in the next screenshot that this particular computer was set to not automatically download device drivers from Windows Update. To resolve the problem and stop that warning from appearing, switch the radio button over to “Yes, do this automatically”. One caveat: on a domain-joined or deliberately hardened machine this setting is often applied by Group Policy on purpose (blocking driver downloads from Windows Update is a common policy), and Group Policy will put it straight back. In that case the warning is telling you the policy is doing its job, not that anything is broken.
Nice and simple. Problem solved, warning message resolved.

Attaching Tasks to Events

If you were paying attention in the last Geek School lesson, you might remember that you can create a Task Scheduler trigger by event ID – and you can do the same thing from the other direction. Right-click on any event (or select it and look in the Actions pane) and choose Attach Task To This Event to create a scheduled task that runs whenever that event is logged again.
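The same “attach a task to an event” operation from the command line, as an added example that is not part of the original article. schtasks /SC ONEVENT takes the same XPath subscription that the Attach Task wizard writes into the task. The event used here, Kernel-Power event 41 in the System log (logged after an unexpected shutdown), the task name, and the C:\Logs path are this example’s own choices, not anything from the article; substitute the Source and Event ID you care about.

```powershell
# Added example (not from the original article): attach a task to an event with
# schtasks. /EC is the log (event channel), /MO is the XPath the trigger
# subscribes to; this is what "Attach Task To This Event" generates for you.
$taskName = 'Log-UnexpectedShutdown'                         # example name
$logName  = 'System'
$xpath    = "*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and EventID=41]]"
# Keep the action free of embedded double quotes; schtasks quoting from
# PowerShell gets fragile otherwise. C:\Logs must exist.
$action   = 'cmd.exe /c echo Unexpected shutdown recorded at %DATE% %TIME% >> C:\Logs\reboots.txt'

# /RU SYSTEM: the task runs as LocalSystem, so only hook privileged actions to
# events that unprivileged code on the box cannot raise at will.
schtasks /Create /F /TN $taskName /TR $action /SC ONEVENT /EC $logName /MO $xpath /RU SYSTEM

# Inspect what was registered; the <Subscription> element holds the query.
schtasks /Query /TN $taskName /XML

# Clean up when done:
# schtasks /Delete /TN $taskName /F
```

The security point in the comment is worth repeating in prose: a task attached to an event runs with whatever account you gave it, not with the account that caused the event. Anything that can write the matching event (an ordinary application logging to the Application log, for instance) can therefore trigger the task, so attach privileged tasks only to events an unprivileged user cannot produce.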

Other Features You Might Need

Event Viewer has a couple of other features that you might be interested in using. For most people, just going through the list and knowing what to look for is important.
Subscriptions, found in the left-hand menu, is a feature largely used in an enterprise environment to forward events from one server to another so you can manage them all in one place. This requires the Windows Event Collector and Windows Remote Management services to be running. For home users, you shouldn’t mess with it, other than for learning purposes on your test system.
If you right-click on the items on the left-hand side, you’ll see a ton of actions (the same ones usually found on the right-hand pane).
You can save out all of the events in a log for viewing later or on another PC, you can copy a view or export it as an XML file to import to another computer.
Next Page: Understanding Hard Drive Partitioning with Disk Management
