The event viewer explained.
Hi, everyone. Leo Notenboom here for askleo.com. Let's talk about the Event viewer. Unfortunately, it's a tool that is being abused by scammers to make you think that things are much worse than they are. In a real world. In an ideal world, you'd never care about the event viewer. There's really no reason for most, quote, unquote, normal people to fire it up and look at its contents.
The ugly truth is that the event viewer and what's in it, really the event logs, are a mess. They're an absolute mess. And that is what allows scammers to use the event viewer to make it seem like things are so much worse than they really are.
Let's have a quick look at exactly what it is, why it exists, what it's used for, what it's useful for, and what you should never, ever pay attention to.
Windows has built into it this ability to log events, right? A program running can basically say this happened and have that scrolled away in a log somewhere so that a technician or software engineer or somebody can come back a little later and say, okay, what happened? What are the steps that led to the problem we're seeing, or what's going on with this application, or what's going on that is causing the system to behave in an odd way?
The vast majority of events that get logged are actually nothing out of the ordinary. It's like, this program started. This program stopped. Those kinds of things.
The Event viewer is the tool that allows you to view what's in those logs. Now, each log entry will tell you the name of the application that's actually entering the log, and it can be an application. It could be a Windows component. It can be something else.
There are three kinds of events: informational, which means just something happened; a warning, something I think bad happened; or error, something bad happened, except as we'll see, it's not always bad. The time that it happened, which can be very useful for diagnostic purposes, and then some information that's unique to that specific event log entry, information that relates to whatever it is that happened.
So let's run Event Viewer. I'm over here in Windows 11. We'll just go ahead and hit Windows key R and hit E-V-E-N-T-V-W-R. That's the event viewer. And the first thing I'm going to do is make it a little bit larger so that you can see a little bit more of what's in some of these windows.
So you can see already that there are some subsets of different kinds of logs. The logs that you'll generally be pointed out in the scam attempt and the logs we're going to talk about today are under Windows, and you can see that there's Application, Security, System, Setup, and what they call Forwarded Events.
Forwarded events are events that come from other systems. You don't have to worry about that tip in a normal home scenario. Setup: presumably events relating to either Windows or application setup.
The ones that we care about the most are Application, Security, and System, because they're the ones that tell us a little bit more about exactly what's going on.
I'm going to go ahead and click on Application log, and we'll see that all of a sudden we've got a list of, these are entries here, in the center pane. These are the entries that are telling us, okay, this happened.
If I take a look at any one of those, it just shows you some general information like this. Very first one here: Security SPP successfully scheduled software protection service for a restart on this date, at that time. Reason: rules engine magic. Right. So much gobbledygook. Don't get me wrong. I don't even understand what that means. Presumably, the people that wrote this particular component understand that, and it's very valuable information for them. It's not meant for you and me.
And that's actually kind of a theme here, because as we take a look at a lot of these different informational events so far, there's just not a whole lot of information that you or I would know what to do with.
I did want to go back to this first one. Here's the general. There are details about this event. Maybe that tells me a little bit more about what's going on. I can expand some of these. Again, there's a lot of gobbledygook here that honestly is not useful to me, but theoretically would be useful to someone else who understands that particular component. In this case, the Security SPP component.
Now, if I scroll down this list, eventually we'll probably end up seeing some events that aren't informational. In fact, there's one right there. It's an error event. Oh, no, an error! If I click on it, you'll see that the program DLL host stopped interacting with Windows and was closed. Blah, blah, blah, blah of information about the error event.
I need to point out this Windows 11 machine is running just fine, and that's one of the confusions. One of the reasons the event logs are so frustratingly confusing at times, because your event log, the event log of a machine that is working properly, may have error events. It may have lots and lots of error events. That is not a sign of a problem, and that's what scammers will try to do. They will have you open up your event viewer to this stuff you and I don't understand, and they'll use the presence of errors as some kind of an indication that there's a problem with your system.
There is not. The contents of the event viewer do not indicate a problem with your system. If anything, the event viewer is used in exactly the reverse way. If you are experiencing a problem with your system, then you might open up the event viewer to see if there's any interesting information, but you would not use the event viewer first to decide if something is going wrong. Errors happen all the time.
Just going to scroll down here some more. There's a warning. There's another error, and this is just the Application log, right? You can see that there are errors scrolling by here occasionally.
If I take a look at the Security log, we've got lots of audit successes. That's another kind of keyword for the Security log.
We take a look at the System log. Again, information, error. Windows Update had a problem. Imagine that. Windows and installation failure. Here's another one: Windows failed to install.
One would think that, oh, my gosh, with all these errors going on from Windows Update, that there must be something wrong. No, there is not anything wrong with this machine. These are internal errors that potentially it's already recovered from, that potentially it's already taken remediation measures to resolve whatever the underlying issue was that caused this error to happen. The fact is, it logged the error for informational purposes and moved on and went on and did its thing.
This is a working system. There are lots of error messages in the event viewer, and they are not something that indicates there is a problem.
So why is the event viewer so confusing? Honestly, my initial reaction is to say, why ask why? It is what it is. We need to understand what it is and not panic because of what it is, knowing that this is the way it is. It is a confusing mess to the casual observer.
The fact is, it was never meant for you and me to look at. It was meant for technicians and software engineers to act as a source of information when they are diagnosing problems or developing their software. It looks confusing to you and me. Absolutely. I get that. But to them, it's a valuable repository of information about what's going on in the system. If they're trying to diagnose something, regardless of what you and I think of it, it's valuable to them, and it wasn't meant for us.
And don't let a scammer tell you any different. Do not pay attention to what's in the event viewer, unless, of course, you're a technician resolving a problem and you know what to look for, or you're the developer of the software in question and you know what to look for. But in both cases, I'm kind of assuming you already knew this and haven't been watching this video.
So I hope that's helpful. I hope that helps you identify scammers when they try and have you do this, and help you feel a little bit better about your system not being as horrifically broken as perhaps the event viewer might otherwise have led you to believe.
For related links, for updates, for more discussion on this topic, visit askleo.com/24006. I'm Leo Notenboom, this is askleo.com.