Event Viewer ( eventvwr.msc )

  • Purpose: This is the primary built-in Windows GUI tool for browsing, searching, filtering, and managing event logs.

  • Access: Launched via the Run dialog (Win+R -> eventvwr or eventvwr.msc) or by searching for "Event Viewer".

  • Basic Use: Provides a tree structure on the left pane to navigate different log channels (under "Windows Logs" and "Applications and Services Logs"). Key functionalities include:

    • Viewing event details (description, source, Event ID, user, time logged).

    • Sorting logs by columns (e.g., Date and Time, Level, Event ID).

    • Filtering: This is crucial for efficient analysis. Users can filter the current log based on time range (e.g., "Last hour," "Last 24 hours"), event level (Critical, Error, Warning, Information), specific Event IDs (e.g., 4616, 1102, 3079), keywords within the event description, user accounts, or log sources.

  • Caution: Event logs often contain a massive volume of entries. Simply browsing without a specific goal or target (like a known Event ID related to a suspected bypass) can be extremely time-consuming and unproductive. Effective use relies on knowing what to look for based on the investigation's context. The specific Event IDs mentioned earlier (4616, 1102, 3079, 104, 4798) are prime examples of targeted searches during screenshares.

PreviousThe EventLog ServiceNextManual SS Techniques (Basic and Intermediate)

Last updated