Thursday, August 12, 2010

Troubleshoot Windows XP with Event Viewer

Anything noteworthy that happens in Windows is referred to as an "event" and is recorded in an "event log". Windows actually creates three logs. The Application log stores events generated by applications. The Security log stores security-related events, for example user logons. The System log stores Windows operating system events. Most people ignore these logs; however, they can be very useful for troubleshooting purposes.
- Some applications create their own separate event log, which is displayed in Event Viewer along with the standard Windows Application, Security and System event logs. Sometimes an application will leave its event log behind after you uninstall it. You can remove the log by removing its subkey from the key:
Also remove the associated file from the folder:
\Windows\system32\config
It will have an .evt extension. But never remove AppEvent.evt, SecEvent.evt, or SysEvent.evt, which are the Application, Security and System event logs themselves.
To view an event log, in Control Panel select the Administrative Tools. In the Administrative Tools window, select the Event Viewer. You can also open Event Viewer by selecting Start | Run and typing eventvwr.msc in the Run dialog box.
Event Viewer
There are three types of events. An Information event records that a task was performed successfully or that a service had a change of status. Information events are usually nothing to be concerned about. A Warning event records that a noncritical error occurred. If your system is recording a high number of Warning events from a single source, you might want to investigate the cause.
An Error event records that a critical error has occurred. You might want to investigate an Error event before it becomes a more serious problem. To view the details of an event, double-click on the event in the list. The Event Properties dialog box will open. The Description section of the Event Properties dialog box displays a description of the event, and possibly a link to a source of more information about that type of event.
Event Properties dialog box
- Note the binary event data at the bottom of the dialog box. This information would only be useful to Microsoft's programmers.

How to Use Event Description Information
The information provided by the Event Properties dialog box should point you towards the source of the problem. Use your regular troubleshooting tools, resources, and techniques to solve the problem.
If the Event Properties dialog box includes a link to Microsoft's website (and your computer is connected to the Internet), click on the link. This will open the Microsoft Help and Support Center, which will retrieve information related to the error from Microsoft's web site. This information may include instructions about how to solve the problem, along with links to relevant information on Microsoft's web site.
You can also visit the Microsoft Knowledge Base where you can search for information by typing the error description or a question into the search box. You can also type the error description into a general search engine to perform a general web search.
When to Use Event Viewer
Use the Event Viewer when an error occurs while using your computer. Windows will record an Error event providing details about the error. You'll want to review the event log immediately after the error.
Use the Event Viewer before and after you make a major change to the system. Inspect the event logs before installing software, hardware, or making a major configuration change. Then, after a short interval, view the event logs again to see if the change is causing warning or error events.
Review the event logs periodically to learn about problems that may not be apparent from the operation of the computer, but can become serious if not attended to.
Set Event Log Options
You can set several Event Log options to aid in troubleshooting and improve Windows performance. In the left pane of Event Viewer right-click on one of the event logs and select Properties in the popup menu. The log's Properties dialog box will appear.
Event Viewer Filter tab
On the [Filter] tab you can configure the Event Viewer to filter out specific event types from specific Sources. Then you won't need to scroll through a long list of events to view the events caused by the source you are investigating. For example, you might want to filter out all Information and Warning event types from all sources in order to focus only on the Error type events.
- After you fix the problem causing Error events, use the filter to select and delete all related events, so you won't be confused when you check the log later. You can also choose to clear all events.

Clear all events
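The same filtering done from the command line, as an added example that is not part of the original post: it uses PowerShell 2.0's Get-EventLog, which reads the same Application and System logs on Windows XP, and assumes PowerShell 2.0 has been installed (XP does not ship with it).

```powershell
# Added example, not from the post. Requires PowerShell 2.0 on Windows XP.

# 1. Only Error events from all sources: the equivalent of unticking
#    Information and Warning on the Filter tab.
Get-EventLog -LogName System -EntryType Error -Newest 50 |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-Table -AutoSize -Wrap

# 2. Which sources produced the most Warning events in the last week?
#    A high count from a single source is the post's cue to investigate.
Get-EventLog -LogName Application -EntryType Warning -After (Get-Date).AddDays(-7) |
    Group-Object -Property Source |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name -First 10

# 3. Everything from the one source you are investigating (substitute the
#    source name shown in the Source column of Event Viewer).
$source = 'Service Control Manager'
Get-EventLog -LogName System -Source $source -Newest 20 |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-List
```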
The default size of a log is 512 KB. There is no reason to maintain such large logs. In the log's Properties dialog box, on the [General] tab, in the Log size section, set the Maximum log size to 64 KB.
Set the Maximum log size

In order to maintain the log size at 64 KB, when a new event occurs, the oldest event will be overwritten. An alternative configuration would be to leave the log size at 512 KB, but set the log to overwrite events older than a certain date. You can also configure it to allow you to clear events manually.
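The three retention configurations described above, set from PowerShell 2.0 instead of the General tab, as an added example that is not part of the original post; it assumes PowerShell 2.0 is installed and is run from an Administrator account.

```powershell
# Added example, not from the post. Limit-EventLog needs PowerShell 2.0 and
# administrator rights; the maximum size must be a multiple of 64 KB.

# Option A (the post's recommendation): 64 KB, oldest events overwritten as needed.
# Note that at 64 KB a busy log holds only a few hundred events, so the history
# available for troubleshooting is short.
Limit-EventLog -LogName Application -MaximumSize 64KB -OverflowAction OverwriteAsNeeded

# Option B: keep the 512 KB default but only overwrite events older than 7 days.
Limit-EventLog -LogName Application -MaximumSize 512KB -OverflowAction OverwriteOlder -RetentionDays 7

# Option C: never overwrite; the log must be cleared manually when it fills up
# (Clear-EventLog -LogName Application does the same as "Clear all events").
Limit-EventLog -LogName Application -OverflowAction DoNotOverwrite

# Verify the setting that is now in effect for each log.
Get-EventLog -List |
    Format-Table Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays -AutoSize
```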

Security Log
Each time you log on to or log off the system, a Security event is created. In a corporate network environment, system administrators will regularly analyze the Security log for signs of hacker activity. There are third-party applications that can perform this analysis for them.

- You might find it interesting to know that it's not just user logons that create Security events. Software applications and even Windows services need permission to access a system's resources.
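A basic review of the logon activity in the Security log, as an added example that is not part of the original post. It assumes PowerShell 2.0 on Windows XP, an Administrator account (needed to read the Security log), and the pre-Vista event IDs; the ReplacementStrings positions are assumed from the event message templates (user name is the first insertion string).

```powershell
# Added example, not from the post. Security audit events use EntryType
# SuccessAudit / FailureAudit rather than Information / Error.
# Pre-Vista IDs: 528 = successful logon, 540 = successful network logon,
# 529 = logon failure (bad user name or password), 538 = user logoff.
# If nothing is returned, "Audit logon events" may be disabled in Local
# Security Policy (XP Professional).

$since = (Get-Date).AddDays(-1)

# Failed logons per account in the last day. Many failures against one
# account, or a steady trickle no user remembers causing, deserve a look.
Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
    Where-Object { $_.EventID -eq 529 } |
    Group-Object -Property { $_.ReplacementStrings[0] } |   # [0] = user name (assumed)
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name

# Successful logons and logoffs, newest first, to match against what the
# machine's users actually did.
Get-EventLog -LogName Security -EntryType SuccessAudit -After $since |
    Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 540 -or $_.EventID -eq 538 } |
    Select-Object TimeGenerated, EventID,
        @{ n = 'User'; e = { $_.ReplacementStrings[0] } } |
    Format-Table -AutoSize
```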
