Filtering Event Logs

by Barry Dysert
(last updated October 10, 2016)

The Windows Event Viewer captures a lot of information about your system – so much so that it may sometimes be hard to find what you're looking for. That's why the ability to filter logs is so handy. For example, let's say you want to see the times when the computer has been shut down or restarted. Start by displaying the Event Viewer. (The easiest way to do this is to use the search capabilities of Windows to look for "Event Viewer", without the quote marks.) (See Figure 1.)

Figure 1. Event Viewer main screen.

Since we're interested in system starts and shutdowns, use the left pane of the screen to navigate to Application and Services Logs | Microsoft | Windows | Diagnostics-Performance | Operational. After drilling down that far, the Event Viewer screen should be quite different from the main one you previously saw. (See Figure 2.)

Figure 2. Navigating to the "Operational" event log.

In the right pane, near the top, click on Filter Current Log. Windows displays the Filter Current Log dialog box. The Filter tab should be displayed in the dialog box. (See Figure 3.)

Figure 3. Filtering an event log.

Here you can specify quite a few options: the time the event was logged, what event level you're interested in, what log and source are to be used, the Event IDs to include, the keywords to be used to filter the log, and the user and computers related to the log.

Since we are interested in startups and shutdowns at any time, for any event level, and since we've already navigated to the correct event log, we don't need to change anything here. Similarly, we don't care about the event sources or really anything else on the screen except for the Event IDs. As it turns out, a Windows startup is denoted by the Event ID of 100, and a Windows shutdown is denoted by the Event ID of 200. So, all we need to do is enter the two numbers, separated by a comma, into the textbox that currently says "<All Event IDs>".

Go ahead and enter "100,200" (without the quotes) in the textbox. Once you click OK, the log you're looking at immediately becomes filtered to only include those events whose ID is either 100 or 200. Now you can easily skim through the log and see the details related to each restart.
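The same filter can be applied from PowerShell, which is handy when you want the startup and shutdown times as a sortable list. This is an added example, not part of the original tip; the function name, the `LastDays` parameter, and the `BootTime`/`ShutdownTime` event-data field names are assumptions, and it expects PowerShell 3.0 or later.

```powershell
# Added example: command-line equivalent of entering "100,200" in the Event IDs box.
function Get-StartupShutdownEvent {
    [CmdletBinding()]
    param(
        # The log the article navigates to in the left pane.
        [string]$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational',
        # Event IDs from the article: 100 = startup, 200 = shutdown.
        [int[]]$Id = @(100, 200),
        # Hypothetical parameter mirroring the dialog's "Logged" range; 0 = any time.
        [int]$LastDays = 0
    )

    $filter = @{ LogName = $LogName; Id = $Id }
    if ($LastDays -gt 0) { $filter.StartTime = (Get-Date).AddDays(-$LastDays) }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events matched" is a normal empty result; anything else
        # (access denied, unknown log name) should still surface.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Assumption: the duration in milliseconds is stored in an EventData
        # field named BootTime (ID 100) or ShutdownTime (ID 200).
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $ms   = ($data | Where-Object { 'BootTime', 'ShutdownTime' -contains $_.Name } |
                 Select-Object -First 1).'#text'

        $kind = 'Other'
        if ($e.Id -eq 100) { $kind = 'Startup' }
        elseif ($e.Id -eq 200) { $kind = 'Shutdown' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Kind        = $kind
            Level       = $e.LevelDisplayName
            DurationMs  = $ms
        }
    }
}

# Startups and shutdowns from the last 30 days, oldest first.
Get-StartupShutdownEvent -LastDays 30 | Sort-Object TimeCreated | Format-Table -AutoSize
```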

This tip (12829) applies to Windows 7, 8, and 10.

Author Bio

Barry Dysert

Barry has been a computer professional for over 35 years, working in different positions such as technical team leader, project manager, and software developer. He is currently a software engineer with an emphasis on developing custom applications under Microsoft Windows. When not working with Windows or writing Tips, Barry is an amateur writer. His first non-fiction book is titled "A Chronological Commentary of Revelation." ...
