1. Utilizing and configuring the Event Viewer logging system in Windows 10
Sometimes, Event Viewer can take a little while to load just because there are a lot of logs. But when I expand Windows Logs, I can click on the different logs that I’ve got available. Alright, so I’ve got the Application log. The Application log is going to contain events related to applications. So if you’ve been running programs on your machine—Word, Excel, PowerPoint, all that—this is going to be logging those types of things. So if an application or something closes, it’s going to log that here in the event. Or if it crashes and you’re getting errors or warnings, that’s where that’s going to show up. Okay, then you have the Security log.
This is also called the audit log. So Windows is going to write down things that it’s doing and things that it’s dealing with using the Event Viewer Security log. All right. Again, this takes a little time to load if you have a lot of log entries, but this is going to be your audit log. As you can see, I have all these little key symbols here, and I can look at them: pretty much anything that my user account does, anything that involves its authority, will log an entry there. It will record when I log in and all of that. Okay, again, Application is going to show you application logs. There’s an error right there for you; you can see it’s talking about activation. Then I have the Setup log. The Setup log is going to involve me installing things. So if I’m going through there and I’m installing updates or applications, any of those types of things, this Setup log is going to log that for me.
Okay? So the majority of these are updates. And then, if I look at the System log, I can see things related to my operating system. There are numerous types of errors and warnings that I receive. You can see I have an error here; this is a remote management error in WinRM. I received some warnings here as well. You can also double-click on these entries, and it will bring them up centered on the screen for you. And from there, it gives you some information about what the event involves. You can even look up the event ID numbers. There’s actually a website called EventID.net. You can go there and look up these event ID codes, and it’s got people on there who talk about troubleshooting and trying to fix the problem and all that. Microsoft’s Knowledge Base also has a lot of that. Another thing you can do is forward events. Forwarded Events allows me to forward my event logs to other machines or have other machines forward them to me. You must, however, set that up through the Subscriptions section here.
So I can go to Subscriptions, and if this is the first time you’ve ever been here, it’s going to ask you to turn the collector service on. Okay? And you’ll notice from a previous example that I made a mistake with one. But I can right-click this and say “Create Subscription.” All right, let me zoom out. I have to give the subscription a name. So maybe if I wanted to gather events from my domain controller, I’m going to call this the NYCDC1 subscription. Of course, you can name it anything you want. Now, there are two ways to collect events from another machine, okay? You can use Collector Initiated, which means that the computer that’s going to receive the events from another computer is called the collector, okay? The computer that generates the events that you’re collecting is called the source computer. So I could do Collector Initiated, where this computer goes and gets the events that it wants.
Or I could do Source Computer Initiated, where the source computer would send the events to me. All right, I’m going to have this computer go collect the events. So I’m going to choose Select Computers. At that point, I would add the computer that I want to collect events from. Maybe I want to add my NYCDC1 computer there. And then, at that point, you would want to run a test to make sure it’s going to work. And, of course, it does work. It uses the WinRM service to do that. Okay? And at that point, I would click OK. And then I’m going to select the events that I want to collect. I’m going to click on Select Events here, all right? And then I can choose which events I care about. All right, so let me zoom in on that for you. We’ll choose Critical, Error, and Warning. Those are the things that I want to look at. Critical usually involves some kind of performance-related thing.
Something breaks. A warning is just something that went wrong but didn’t necessarily stop anything from doing its job. So I can go here, click this, and choose the logs that I want. Maybe I want to do all of them. Okay? From there, I can actually choose the event ID numbers. If I care about specific ID numbers and keywords, I can pinpoint specific users I want to be monitoring and computers I want to look at. I can specify all of that there. And then I can click OK. And I’ve now created my little subscription. At that point, it would start syncing the log entries. Now, the log entries, as they get synced to my computer, are going to show up right here under Forwarded Events. One more thing I want to show you is that I can actually filter events. If I come up here to Custom Views, I can right-click that and say “Create Custom View.” And I can filter the same way we just did: I can select what I want and filter.
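The collector-initiated subscription walked through above can also be created from PowerShell, which is handy when you want the same subscription on several collectors or want it under version control. The block below is an added example, not code from the course; it assumes the source is the domain controller NYCDC1 named in the transcript, that both machines are domain-joined, and that the query covers the Application and System logs (the log choice, the 256 MB size and the file path are my assumptions).

```powershell
# Added example (not from the course): build the NYCDC1 collector-initiated
# subscription with wecutil instead of the Event Viewer dialog.
# Assumptions: NYCDC1 is the source (name from the transcript), this machine is
# the collector, both are domain-joined so WinRM can use Kerberos.
$source = 'NYCDC1'

# Source-side prerequisites (run once on NYCDC1, not here):
#   winrm quickconfig
#   add this collector's computer account to the local "Event Log Readers" group

# 1. Same check as the "Test" button in the Select Computers dialog.
Test-WSMan -ComputerName $source -ErrorAction Stop

# 2. Enable and start the Windows Event Collector service non-interactively
#    (the GUI prompts for this the first time you open Subscriptions).
wecutil qc /q

# 3. Subscription definition. Level 1/2/3 = Critical/Error/Warning, which is
#    the same choice made in the Select Events dialog above.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/DefaultSubscription">
  <SubscriptionId>NYCDC1</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical, error and warning events from the domain controller</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$source</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

# Write without a BOM so wecutil parses it cleanly.
$path = Join-Path $env:TEMP 'nycdc1-subscription.xml'
[System.IO.File]::WriteAllText($path, $subscription)

# 4. Create the subscription and check the runtime status; the source should
#    show as Active, and matching events then land in Forwarded Events.
wecutil cs $path
wecutil gr NYCDC1
```

If `wecutil gr` reports the source as inactive, the usual cause is the collector's computer account missing from Event Log Readers on the source, or WinRM not listening on the source; the `Test-WSMan` step only proves the WinRM listener is reachable, not that the collector may read the logs.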
I’m just going to select errors, warnings, and alerts. I’m going to call these “important events,” okay? And then, at that point, this filter is only going to show me the stuff that I told it to show me. So here are the things that have gone on in my log. Now, the other thing to understand is that these logs, as time goes on, will overwrite older entries as the log fills up. Now, let’s say you did not want Windows to overwrite old events. So I could go to a log like this Application log, right-click it, and go to its properties. I want you to look closely here. Right here, it says “Do not overwrite events.” If I did not want Windows to overwrite old events, I could select that. Keep in mind that if your hard drive ran out of space, it would not log anything. But, usually, you leave the overwriting of older events on so that your hard drive doesn’t fill up, okay? So hopefully that gives you a decent understanding of the Windows Event Viewer and how it works. It’s pretty straightforward and easy. I definitely encourage you to open it up and take a look at it.
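The “important events” custom view and the overwrite setting described above both map directly onto PowerShell and `wevtutil`, which is useful when you need to check a log’s retention on many machines rather than clicking through each Properties dialog. This is an added example, not code from the course; the 24-hour window and the 256 MB size are my assumptions.

```powershell
# Added example (not from the course): the "important events" custom view and
# the log retention setting from PowerShell.

# The custom view: Level 1 = Critical, 2 = Error, 3 = Warning, over the
# Application and System logs, limited to the last 24 hours (window is an
# assumption). This is the same filter the Create Custom View dialog builds.
$important = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Group by provider and event ID so the noisiest sources stand out; the event ID
# is the number you would look up on EventID.net or in the Knowledge Base.
$important |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Log properties, as shown in the Properties dialog:
#   MaximumSizeInBytes = the "Maximum log size" box
#   LogMode            = Circular ("Overwrite events as needed") or
#                        Retain   ("Do not overwrite events")
#   IsLogFull          = true once a Retain-mode log has stopped recording
Get-WinEvent -ListLog Application, Security, Setup, System |
    Format-Table LogName, RecordCount, MaximumSizeInBytes, LogMode, IsLogFull

# Switching the Security log to "Do not overwrite" (run as Administrator).
# Grow the log first: a Retain-mode log that fills up silently stops logging,
# which is exactly the warning given above. 256 MB is an assumed value.
wevtutil sl Security /ms:268435456
wevtutil sl Security /rt:true      # /rt:false returns it to overwrite mode
```

On a machine where the log is configured to retain rather than overwrite, the `IsLogFull` column is the one to watch: a full Security log that has stopped recording leaves a gap in the audit trail without producing any error in the other logs.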
2. Using the Windows 10 Monitoring Tools
Here in Task Manager, I can see all the processes that are running, the programs running right now. I can see my CPU, memory, disk, and network and get a feel for all the things that are happening. Okay, I can also click Performance, and I get a nice little chart view of what’s going on in the graphs of my CPU, my memory usage, my disk, and Ethernet. I can see app-related information and apps that I’ve had open by clicking on App history. Keep in mind that it’s only going to show you things like Windows Store apps, Universal Windows apps, and things like that, not regular programs. It’s going to show you how frequently you use them. The Startup tab is going to show you all the programs that start when your computer boots up. So maybe you want to disable certain things that you don’t want to start.
You can do that there. Then you have the Users tab. The Users tab is going to allow you to see which users are logged on right now. As you can see, I just have one user logged on. But you could disconnect from this profile and log on as another user, and you would see what processes that user is running right now. You have Details, which is going to show you every process that’s running on the computer, all the different exe files, and all that. And then Services, which we talked about. This gives you a glimpse of your services. So if you wanted to see what services are running and start or stop them, you can do that through Task Manager. So Task Manager has been around for a long, long time. We’ve had it for well over 25 years. It’s definitely gotten better over the years. Okay, so I’m going to open up the next tool. Just type the word “resource” to get Resource Monitor. It gives you a little more information than Task Manager. It will show you your CPU, memory, disk, and network activity per process, so you can get a more detailed look. I can see which programs are using CPU time.
What I really love about it is that I get this nice graph of what my memory is doing. I can see what my hard drives are doing, and then my favorite is Network. I can see exactly which programs are generating network activity on my machine. I can drop down Network Activity. I can see every exe. I can see what ports they’re using and how much traffic they’re generating. I’ve actually used this before to troubleshoot a denial of service attack and a flood attack against the company. It’s a really handy little tool. You can see what your listening ports are. Okay, let me just maximize this for you here, and you’ll be able to see what ports are currently open on your firewall and accepting connections. So Resource Monitor is another helpful little tool to have. This next one is another little tool that a lot of people don’t know about. It’s called Reliability Monitor. If you type “reli” down here at the bottom, you can get into Reliability History. It shows you when crashes have occurred. As you can see, this little VM I’ve had has been a bit of a temperamental VM because I’ve been doing a bunch of crazy things with it and starting it up and shutting it down. So you can see I get some errors here, and it’s showing me things that have crashed. But it really helps me see when things happen.
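The Listening Ports view in Resource Monitor is the piece of this tool most worth reproducing in a script, because an unexpected listener is one of the first things to check on a machine you are troubleshooting. The block below is an added example, not code from the course; it joins each TCP and UDP listener to its owning process and to any service hosted in that process, then flags listeners that are bound to every interface and are not backed by a registered service, which is the subset worth a second look. The cmdlets are the standard NetTCPIP and CIM cmdlets shipped with Windows 10.

```powershell
# Added example (not from the course): Resource Monitor's "Listening Ports"
# view from PowerShell, each listener joined to its owning process.

# Process lookup by PID (name and image path).
$procById = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procById[[int]$_.ProcessId] = $_ }

# Services grouped by hosting PID; svchost.exe hosts several per process.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object ProcessId -AsHashTable -AsString

function New-ListenerRecord($proto, $address, $port, $owningPid) {
    $p = $procById[[int]$owningPid]
    [pscustomobject]@{
        Proto   = $proto
        Address = $address
        Port    = $port
        PID     = $owningPid
        Process = $p.Name
        Service = ($svcByPid["$owningPid"].Name -join ',')
        Path    = $p.ExecutablePath
    }
}

$tcp = Get-NetTCPConnection -State Listen |
    ForEach-Object { New-ListenerRecord 'TCP' $_.LocalAddress $_.LocalPort $_.OwningProcess }
$udp = Get-NetUDPEndpoint |
    ForEach-Object { New-ListenerRecord 'UDP' $_.LocalAddress $_.LocalPort $_.OwningProcess }

$listeners = @($tcp) + @($udp) | Sort-Object Port, Proto, Address
$listeners | Format-Table -AutoSize

# Triage: listeners reachable on every interface that no registered service
# explains. Legitimate software shows up here too, so this is a review list,
# not a verdict.
$listeners |
    Where-Object { $_.Address -in '0.0.0.0', '::' -and -not $_.Service } |
    Format-Table Proto, Port, PID, Process, Path -AutoSize
```

Run it elevated if you want the `Path` column populated for processes owned by other users; without elevation `Win32_Process` still lists them but `ExecutablePath` is empty for processes you cannot open.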
You talk to a user, and sometimes users don’t give you enough information. They’ll say, “Well, my computer crashes every once in a while, and I don’t know if it happens on a particular day or at a particular time.” If you pull this up on their computer, you can see exactly when the crashes have occurred. This tool is not going to fix problems for you, but it definitely will help you visualize when the problems have occurred. It even gives the computer a one-to-ten rating. Every time the computer crashes, the rating drops, and it tries to climb back up over time. But as you can see as we go through, I can see all these different things that have happened on my machine. Essentially, you’re going to get a lot of the same information you get from Event Viewer, but Reliability Monitor just gives you another visual way of looking at it. There’s also a tool called PSR, the Problem Steps Recorder. You can go in there and just click on a few things to generate some screenshots, as you can see. Next is Performance Monitor. So I’m going to type the word “performance” down here in the search bar.
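The stability rating and the crash timeline that Reliability Monitor draws come from two WMI classes, which means the “which day does it crash?” question can be answered from a script on the user’s machine instead of by scrolling the chart. This is an added example, not code from the course; it reads the reliability data and counts failures per day. The set of source names it treats as crashes is my assumption; Reliability Monitor itself shows every record, so widen the list if you want application installs and Windows Update entries as well.

```powershell
# Added example (not from the course): read what Reliability Monitor shows via
# the Win32_Reliability* WMI classes. The data is produced by the RacTask
# scheduled task, so a machine where that task has never run returns nothing.

# The one-to-ten rating over the last week (one row per day).
Get-CimInstance Win32_ReliabilityStabilityMetrics |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 7 |
    Format-Table TimeGenerated, SystemStabilityIndex

# Individual records. SourceName is the category Reliability Monitor groups by;
# the three below cover application crashes, hangs and unexpected shutdowns
# (list is an assumption, chosen for the "it crashes sometimes" complaint).
$crashSources = 'Application Error', 'Application Hang', 'Microsoft-Windows-Kernel-Power'

$failures = Get-CimInstance Win32_ReliabilityRecords |
    Where-Object { $_.SourceName -in $crashSources } |
    Sort-Object TimeGenerated

$failures | Format-Table TimeGenerated, SourceName, EventIdentifier, ProductName -AutoSize

# Answer the user's question directly: failures per calendar day, then per hour
# of day, so a pattern (Monday mornings, 2 a.m. backups) stands out.
$failures |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Format-Table Name, Count -AutoSize

$failures |
    Group-Object { $_.TimeGenerated.Hour } |
    Sort-Object { [int]$_.Name } |
    Format-Table @{ Name = 'Hour'; Expression = { $_.Name } }, Count -AutoSize
```

`EventIdentifier` is the same event ID that appears in Event Viewer for the underlying record, so a value you see here can be followed straight into the Application or System log for the full details.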
This is going to let me monitor even more than Resource Monitor does. It is not as visually appealing as Resource Monitor, but it provides more information. As you can see, my CPU is ticking away here, showing you what my performance looks like. But I can come up here and click this green plus sign, and I have all these counters that I can add for monitoring. There are actually thousands of counters that you can monitor. I could even connect to somebody else’s machine right here and monitor other machines from it. So I’m just scrolling down here. Let’s look at my processor. Drop that down. You have all these counters related to your processor. Of course, for a lot of people, seeing that is a little overwhelming. What you can do is click on one of these, and if you come down here to the bottom where it says “Show description,” you’ll notice you get a description of each counter. Okay? So you could add whichever counters you want. You could do this for memory, or you could do it for disk. And then all you have to do is click OK. And the different counters are color-coded here.
So this can help you with troubleshooting what’s going on. You can even gather metrics over a period of days or weeks. You have something called a data collector set, which you can schedule and use to monitor over a long period of time if you want. And then you could save that and print it out if you want, or save it as a PDF or something like that. As a result, Performance Monitor is a very powerful and useful tool. It can be a bit intimidating just because there are so many counters. But, in terms of the exam, I wouldn’t worry about memorizing all the counters or anything; instead, just understand the concepts behind Performance Monitor: how to get in and then how to add counters. OK, so that gives you a decent understanding of some of the main tools we can use to monitor Windows 10.
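The Performance Monitor steps above (browse the counter sets, add counters, watch them live, then schedule a data collector set for a longer baseline) have direct PowerShell and `logman` equivalents. The block below is an added example, not code from the course; the four counter paths are standard Windows counters, while the sample count, the 15-second interval, the 512 MB cap and the `C:\PerfLogs\Baseline` path are my assumptions.

```powershell
# Added example (not from the course): the Performance Monitor workflow from
# PowerShell, then a scheduled data collector set with logman.

# The "green plus" dialog: list counter sets, then the paths inside one.
Get-Counter -ListSet Processor, Memory, PhysicalDisk | Format-Table CounterSetName, Description
(Get-Counter -ListSet Processor).PathsWithInstances | Select-Object -First 10

# Counters chosen as examples; (_Total) aggregates all instances, (*) takes each.
$counters = '\Processor(_Total)\% Processor Time',
            '\Memory\Available MBytes',
            '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
            '\Network Interface(*)\Bytes Total/sec'

# Live view: five samples one second apart, summarised per counter path.
# Add -ComputerName NYCDC1 to sample a remote machine, as the GUI allows.
$samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 5
$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $values = $_.Group.CookedValue
        [pscustomobject]@{
            Counter = $_.Name
            Avg     = [math]::Round(($values | Measure-Object -Average).Average, 2)
            Max     = [math]::Round(($values | Measure-Object -Maximum).Maximum, 2)
        }
    } | Format-Table -AutoSize

# Data collector set for a multi-day baseline (run as Administrator):
# 15-second samples into a circular binary log capped at 512 MB, so it can run
# for weeks without filling the disk. Use -b / -e to give it a start and end time.
$logDir = "$env:SystemDrive\PerfLogs"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
logman create counter BaselineDCS -c $counters -si 00:00:15 -f bincirc -max 512 -o "$logDir\Baseline"
logman start BaselineDCS

# Later: stop it and read the log back into PowerShell for reporting.
#   logman stop BaselineDCS
#   Get-ChildItem "$logDir\Baseline*.blg" | Import-Counter |
#       Select-Object -ExpandProperty CounterSamples |
#       Where-Object Path -like '*% Processor Time' |
#       Measure-Object CookedValue -Average -Maximum
```

The averages from a baseline collected this way are what make a later “the server is slow” ticket answerable: compare a fresh five-sample run against the stored baseline for the same counters rather than judging a single Performance Monitor graph in isolation.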