February 27, 2026 • Junior (1-3 years) How-To
Windows Event Log Essentials for IT
The essential Windows Event Logs every IT pro should monitor. Learn to read, filter, and act on Windows logs effectively.
When something breaks, the Event Logs are your first stop. But there’s a lot of noise in there. This guide covers the essential logs you need to monitor and how to read them effectively.
The Big Five Logs
1. System Log
Location: Application and Services Logs\Microsoft\Windows\EventID\...
What you’ll find:
- Driver failures
- Service starts/stops
- Hardware issues
- Blue Screen events (BugCheck)
```powershell
# Quick System log check: errors among the newest 50 System records
# (-MaxEvents caps how many records are read before Where-Object filters them,
# so widen it if you expect errors further back)
Get-WinEvent -LogName System -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message
```
2. Application Log
What you’ll find:
- Application crashes
- .NET errors
- Software installation issues
```powershell
# Recent application errors (Level 2 = Error; 1 = Critical, 3 = Warning)
Get-WinEvent -LogName Application -MaxEvents 20 |
    Where-Object { $_.Level -eq 2 } |
    Select-Object TimeCreated, ProviderName, Message
```
3. Security Log
What you’ll find:
- Logon events (4624, 4625)
- Account changes (4728, 4729)
- Privilege use (4672)
- Failed password attempts
```powershell
# Recent successful logons (last 24 hours)
# -LogName and -FilterHashtable belong to different parameter sets, so the log
# goes inside the hashtable; the time key is StartTime, not TimeCreated.
# Properties[5] is TargetUserName for both 4624 and 4625.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 10 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}

# Failed logon attempts (last 24 hours)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 10 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}
```
4. Setup Log
What you’ll find:
- Windows Update issues
- Installation failures
- Component store corruption
```powershell
# Setup engine text log (setupact.log); the Event Viewer "Setup" channel is a
# separate log, this file is where the installer itself writes its progress
$SetupLog = "$env:SystemRoot\Panther\setupact.log"
Get-Content $SetupLog -Tail 50
```
5. Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
What you’ll find:
- Intune enrollment issues
- MDM sync problems
- Policy deployment failures
```powershell
# Intune/MDM logs
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 20
```
Essential Event IDs to Know
Security
| Event ID | Meaning |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4634 | Logoff |
| 4672 | Special privileges assigned |
| 4720 | User account created |
| 4726 | User account deleted |
System
| Event ID | Meaning |
|---|---|
| 6005 | Event Log service started |
| 6006 | Event Log service stopped |
| 6008 | Unexpected shutdown |
| 7036 | Service state changed |
| 7045 | New service installed |
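As an added example (not code from the original post), the two queries below turn the Security and System Event IDs in the tables above into triage output. Each record's XML view is parsed so EventData fields are read by name rather than by `Properties[]` index, which is what the 4625 and 7045 records need. The function names, the 24-hour and 7-day windows, and the threshold of 10 attempts are this example's own choices.

```powershell
# Added example: named-field parsing of Security 4625 and System 7045 records.
# ConvertFrom-EventXml, Get-FailedLogonSummary and Get-NewServiceInstall are
# hypothetical helper names chosen for this example.

function ConvertFrom-EventXml {
    # Returns a hashtable of EventData fields (Name -> value) for one record
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $data
    }
}

function Get-FailedLogonSummary {
    # 4625 events in the window, grouped by target account and source address;
    # groups at or above -Threshold are the ones to look at first
    param([int]$Hours = 24, [int]$Threshold = 10)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        ID        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue   # "no events found" is a non-terminating error

    $events | ForEach-Object {
        $d = ConvertFrom-EventXml $_
        [pscustomobject]@{
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            LogonType = $d.LogonType
            SubStatus = $d.SubStatus   # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    } | Group-Object Account, Source | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            Source   = $_.Group[0].Source
            Attempts = $_.Count
            Flagged  = $_.Count -ge $Threshold
        }
    } | Sort-Object Attempts -Descending
}

function Get-NewServiceInstall {
    # 7045 (new service installed) with the fields that matter for review:
    # a service whose binary sits in an unusual path deserves a second look
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        ID           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventXml $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $d.ServiceName
            ImagePath   = $d.ImagePath
            StartType   = $d.StartType
            RunAs       = $d.AccountName
        }
    }
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
Get-NewServiceInstall  -Days 7                 | Format-Table -AutoSize
```

Reading the Security log needs local administrator rights (or membership in Event Log Readers). Parsing `ToXml()` costs more per record than `Properties[]`, so keep the time window tight on busy domain controllers.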
PowerShell Log Queries
The “Something Broke” Starter Pack
```powershell
# Everything error-level from last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 2
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 100

# Find crashes
Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=(Get-Date).AddDays(-7)} |
    Where-Object { $_.Message -match "faulting|exception|error" } |
    Select-Object TimeCreated, ProviderName, Message
```
Monitor a Specific Service
```powershell
# Track a service: its own provider's events, plus Service Control Manager
# state changes (7036) for it, matched on the display name SCM uses in messages
$ServiceName = "W32Time"
$DisplayName = (Get-Service -Name $ServiceName).DisplayName
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
} -MaxEvents 50
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; ID = 7036 } -MaxEvents 200 |
    Where-Object { $_.Message -match [regex]::Escape($DisplayName) }
```
Remote Log Collection
```powershell
# Collect from remote computer
Invoke-Command -ComputerName "TARGET-PC" -ScriptBlock {
    Get-WinEvent -LogName System -MaxEvents 20 -ErrorAction SilentlyContinue
} | Select-Object TimeCreated, MachineName, Message
```
Pro Tips
- Create custom views — Filter once, save the view
- Use XML queries — More powerful filtering
- Export to CSV — For analysis
- Set up subscriptions — Central collection with Windows Event Forwarding
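As an added example (not from the original post), the block below puts three of the tips together: an XML query of the kind Event Viewer's "Filter Current Log > XML" tab produces, run with `-FilterXml` against several computers and exported to CSV. The computer names, the output path and the 24-hour window (86400000 ms) are this example's own assumptions.

```powershell
# Added example: XML query + remote collection + CSV export.
# SERVER01/SERVER02 and the output path are placeholders.
$Computers = 'SERVER01', 'SERVER02'
$OutFile   = "$env:TEMP\failed-network-logons.csv"

# 4625 in the last 24 hours where LogonType is 3 (network): a filter on an
# EventData field, which -FilterHashtable cannot express. Inside XML the
# comparison must be written as &lt;= rather than <=.
$Query = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and *[EventData[Data[@Name='LogonType']='3']]
    </Select>
  </Query>
</QueryList>
"@

$Results = foreach ($Computer in $Computers) {
    try {
        # Properties[5] = TargetUserName, Properties[19] = IpAddress for 4625
        Get-WinEvent -ComputerName $Computer -FilterXml $Query -ErrorAction Stop |
            Select-Object @{N='Computer';E={$Computer}},
                          TimeCreated,
                          Id,
                          @{N='User';E={$_.Properties[5].Value}},
                          @{N='Source';E={$_.Properties[19].Value}}
    }
    catch {
        # "No events were found", RPC and access-denied errors all land here;
        # report and move on so one unreachable host does not stop the loop
        Write-Warning "${Computer}: $($_.Exception.Message)"
    }
}

$Results | Export-Csv -Path $OutFile -NoTypeInformation
"$($Results.Count) rows written to $OutFile"
```

The same `QueryList` XML is what a Windows Event Forwarding subscription carries as its query, so a filter tested this way can be reused when you move from ad-hoc collection to central subscriptions. `Get-WinEvent -ComputerName` uses RPC to the remote Event Log service, so the firewall rules for Remote Event Log Management must allow it.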
Wrap-Up
The Event Logs are your friend. Know your Event IDs, build good queries, and you’ll diagnose issues faster.
Questions? Drop them below!