Use XP System Event Viewer (1)

If you have used Windows XP, you may not realize that, whether you like it or not, the operating system quietly records what happens on the machine every day, like a loyal historian writing the chronicles. This is the "Event Viewer" found under "Control Panel → Administrative Tools". Through it you can follow the system's every word and move; although it is only a running account, from it we can read the reasons for success as well as the reasons for failure. It is a loyal system assistant.

What can the Event Viewer look at?

The Event Viewer is equivalent to a thick system log in which you can view information about hardware, software, and system issues, as well as Windows XP security events. Here is a brief introduction:

Tip: In addition to opening the "Event Viewer" from "Control Panel → Administrative Tools", you can also type "%SystemRoot%\system32\eventvwr.msc /s" in the "Run" dialog box to open the Event Viewer window.

1. Application log

Contains events logged by applications or system programs; it mainly records events from running programs. For example, a database program can record file errors in the application log, and the program developer decides which events to record. If an application crashes, we can find the corresponding record in the application log, which may help you solve the problem.

2. Security log

Records events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects; the system administrator specifies which events are recorded in the security log. By default, the security log is turned off. Administrators can use Group Policy to enable it, or set an audit policy in the registry so that the system stops responding when the security log is full.

3. System log

Events logged by system components included with Windows XP, such as a driver or other system component failing to load during startup, are recorded in the system log. By default, Windows writes system events to the system log. There is one very important event here: 6006. If you cannot find an event with ID 6006 in the Event Viewer for a certain day, the computer was not shut down normally on that day. Double-click an entry to open the "Event Properties" window; if the description reads "The Event log service was stopped", then its "Time" is the time at which the computer was shut down normally.

If the machine is configured as a domain controller, it will also have the Directory Service log and the File Replication Service log; if it is configured as a Domain Name System (DNS) server, there will also be a DNS Server log. When Windows starts, the "Event Log" service (EventLog) starts automatically. All users can view the application and system logs, but only administrators can access the security log.

Small logs hold big information

Don't underestimate these dull logs; they can contain a great deal of very useful information. If you analyze them carefully, you will certainly find plenty of information here that helps you solve system errors.

1. Information: An event that describes the successful operation of an application, driver, or service; for example, when a network driver loads successfully, an "Information" event is logged. Here you can see the event header, including date, time, user, computer, event ID, source, type, category, and so on. The corresponding description and further information are listed in the "Description" box, which may contain a link pointing to a Microsoft "Uniform Resource Locator" (URL) address.

In most cases, there is no need to look at this type of event item by item unless you have some special needs.



2. Success Audit: An audited security access attempt that succeeded. These mainly appear in the security log, where events such as user logon/logoff, object access, privilege use, account management, policy change, detailed tracking, directory service access, and account logon are recorded. For example, every successful logon to the system is recorded as a "Success Audit" event.

3. Failure Audit: An audited security access attempt that failed. For example, if a user's attempt to access a network drive fails, the attempt is logged as a Failure Audit event.

4. Warning: An event that is not necessarily important but may indicate a future problem; in this case you should look into it. For example, when disk space is low or a printer is not found, a "Warning" event is logged.

5. Error: Important problems, such as data loss or loss of functionality, are recorded as "Error" events, and in this case the system needs to be checked. A typical error event is that a server did not register with DCOM within the required timeout. Clicking the link in the description takes you to the corresponding help page, where you can follow the prompts to take the corresponding action. If you are interested, you can study the content here; I believe that in time you will become a DIYer.

Release surplus logs regularly

In fact, most of the events recorded are just routine entries. As time goes on, the logs keep growing, and once the preset log size is reached, new events are no longer recorded, so we need to free up the surplus logs periodically.

Select the log to be cleared, then choose "Clear all Events" from the "Action" menu. A dialog box asks whether to save the current log: choose "Yes" to save the log before clearing it, or "No" to discard the current event records permanently and start recording new events. If you find this operation too cumbersome, open the log's "Properties" dialog box instead. For example, the default "Maximum log size" is 512 KB; we can adjust this value according to the actual situation. You can select "Do not overwrite events (clear log manually)", in which case, when the log reaches the set size, you are notified that the log is full so that you can clear it; or select "Overwrite events as needed", which ensures that new events can still be written when the log is full, although new entries then automatically overwrite the oldest ones.

It should be explained, however, that you need to log on as Administrator or as a member of the Administrators group to have sufficient privileges to clear or overwrite the event log. Alternatively, you can go to the \WINDOWS\SYSTEM32\config\ folder, where the files with the extension .evt are the so-called log files: AppEvent.evt is the "Application" log, SysEvent.evt the "System" log, and SecEvent.evt the "Security" log. You can delete the corresponding file directly here, but if your system uses the NTFS format you must first stop the Event Log service before deleting the log file.

Besides managing event logs with the Event Viewer, we can also use command-line tools to create and query event logs and to associate programs with particular log events: "Eventcreate.exe" creates custom events in an event log, "Eventquery.vbs" lists events and event properties from one or more event logs, and "Eventtriggers.exe" creates event triggers so that when a specific event is logged the corresponding program runs automatically, which makes up for the Event Viewer's inability to track suspicious events in real time. Interested friends may wish to try them.
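As an added example (not from the original article), the two checks described above, finding days with no event 6006 in the System log and tallying Failure Audit events per user in the Security log, carried out over a CSV export such as Eventquery.vbs or the Event Viewer's "Save Log File As" can produce. The sample rows, column names, date format and event IDs below are constructed assumptions, not real exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of a CSV export (column names,
# date format and event IDs are assumptions for this example).
# A real export could come from, for instance:
#   cscript %SystemRoot%\system32\eventquery.vbs /l System /fo CSV > system.csv
SYSTEM_CSV = """\
Type,Event,Date Time,Source
Information,6006,2004-03-01 18:02:11,EventLog
Information,6009,2004-03-01 08:10:03,EventLog
Information,6009,2004-03-02 08:05:40,EventLog
Information,6006,2004-03-03 17:55:21,EventLog
"""

SECURITY_CSV = """\
Type,Event,Date Time,Source,User
Failure Audit,529,2004-03-02 09:01:02,Security,alice
Failure Audit,529,2004-03-02 09:01:09,Security,alice
Success Audit,528,2004-03-02 09:01:30,Security,alice
Failure Audit,529,2004-03-02 11:20:00,Security,bob
"""


def load_events(csv_text):
    """Parse export rows and attach the calendar day of each event."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["date"] = row["Date Time"].split(" ")[0]
        rows.append(row)
    return rows


def days_without_clean_shutdown(system_rows):
    """Days that have System-log events but no 6006 ("Event log service
    was stopped"): the machine was not shut down normally that day."""
    seen, clean = set(), set()
    for r in system_rows:
        seen.add(r["date"])
        if r["Event"] == "6006":
            clean.add(r["date"])
    return sorted(seen - clean)


def failed_logons_by_user(security_rows):
    """Count Failure Audit events per user from the Security log."""
    counts = defaultdict(int)
    for r in security_rows:
        if r["Type"] == "Failure Audit":
            counts[r["User"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("no 6006:", days_without_clean_shutdown(load_events(SYSTEM_CSV)))
    print("failed logons:", failed_logons_by_user(load_events(SECURITY_CSV)))
```

If the machine is still running when the export is taken, the current day will naturally lack a 6006 and should be ignored when reading the result.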
