Windows Event Logging

Windows defines several standard logs:

• Application – Events logged by applications.
• System – Events from Windows components.
• Security – Audit events for security-related activities.
• Setup – Installation events.
• Forwarded Events – Events collected from remote machines.

Custom logs can be created by applications using the EventLog API.

Logs can be accessed via:

• Event Viewer GUI (eventvwr.msc)
• PowerShell cmdlets (Get-EventLog, Get-WinEvent)
• The EvtSubscribe and EvtQuery APIs

Example PowerShell snippet:

Get-WinEvent -LogName Security -MaxEvents 10 | Format-Table TimeCreated, Id, Message -AutoSize

Applications can write events using the Event Log API or PowerShell.

C# example using EventLog:

using System.Diagnostics;

EventLog log = new EventLog("Application");
log.Source = "MyApp";
log.WriteEntry("Operation completed successfully.", EventLogEntryType.Information);

PowerShell example:

Write-EventLog -LogName Application -Source MyApp -EventId 1000 -Message "Task finished."

Key functions in the Windows API:

• EvtOpenLog
• EvtQuery
• EvtSubscribe
• EvtRender
• EvtClose

For detailed signatures and usage, see the official Microsoft Docs.

Common cmdlets for event log management:

• Get-EventLog
• Clear-EventLog
• Write-EventLog
• Limit-EventLog

Example: Clear the Application log:

Clear-EventLog -LogName Application

Common issues and solutions:

• Log file size limit reached – Increase MaxSize via registry or use wevtutil sl.
• Permission denied – Ensure the account has the SeAuditPrivilege or is a member of the Event Log Readers group.
• Corrupted log – Run wevtutil cl to clear the log or restore from backup.