Windows troubleshooting

QUESTIONS: + opening from the ticketing system, password and user + custom Event Viewer view? + test server?


run: eventvwr

  • custom views
  • windows logs
    • application (non-Windows-standard software: puppet, vmware, mssql, …)
    • security: logon and logoff
    • setup: updates and installing/removing programs
    • system: OS messages
  • applications and services logs: for digging deeper

-> Filter Current Log:

  • logged (date range)
  • event level
  • event source
  • event ID: 99,-1024,-4634 (comma separated; a leading minus excludes that ID)

bottom right (event details pane) > Copy > Copy Details as Text


$first = (Get-Date).AddDays(-1)   # start of the date range (example value)
$last  = Get-Date                 # end of the date range (example value)
Get-EventLog -LogName System -After $first -Before $last
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' | Where-Object { $_.Message -like '*insta*' }
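The same filter dialog as a reusable PowerShell function, added here as an example (not code from the original notes). The helper name `Get-FilteredLog`, the seven-day range, the excluded IDs and the output file are assumptions; the log names and the `*insta*` pattern are the ones from the notes.

```powershell
function Get-FilteredLog {
    # Hypothetical helper, added here (not from the original notes): the fields
    # of Event Viewer's "Filter Current Log" dialog as Get-WinEvent parameters.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [datetime]$Start,        # "Logged" date range, from
        [datetime]$End,          #                      to
        [int[]]$Level,           # 1=Critical 2=Error 3=Warning 4=Information 5=Verbose
        [string]$Provider,       # "Event source", e.g. 'Microsoft-Windows-TaskScheduler'
        [int[]]$IncludeId,
        [int[]]$ExcludeId,       # the GUI's "-1024,-4634" exclusion; applied after the query
        [string]$MessageLike     # wildcard pattern on the message text, e.g. '*insta*'
    )
    # -FilterHashtable is evaluated inside the event log service, which is far
    # faster than piping the whole log through Where-Object. Only keys that were
    # actually supplied may be present: an empty value makes the query fail.
    $filter = @{ LogName = $LogName }
    if ($PSBoundParameters.ContainsKey('Start'))     { $filter.StartTime    = $Start }
    if ($PSBoundParameters.ContainsKey('End'))       { $filter.EndTime      = $End }
    if ($PSBoundParameters.ContainsKey('Level'))     { $filter.Level        = $Level }
    if ($PSBoundParameters.ContainsKey('Provider'))  { $filter.ProviderName = $Provider }
    if ($PSBoundParameters.ContainsKey('IncludeId')) { $filter.Id           = $IncludeId }

    # Exclusions and message matching have no hashtable equivalent, so they
    # run client-side on the already reduced result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $ExcludeId   -or ($ExcludeId -notcontains $_.Id)) -and
            (-not $MessageLike -or ($_.Message -like $MessageLike))
        }
}

# Example values (not from the notes): errors and warnings in the System log over
# the last seven days, minus two noisy IDs.
$first = (Get-Date).AddDays(-7)
$last  = Get-Date
$hits  = Get-FilteredLog -LogName 'System' -Start $first -End $last -Level 2, 3 -ExcludeId 1024, 4634

# The Task Scheduler operational log, matched on message text as in the notes.
$tasks = Get-FilteredLog -LogName 'Microsoft-Windows-TaskScheduler/Operational' -MessageLike '*insta*'

# "Copy Details as Text" equivalent: one event as readable text, or all hits to
# a file that can be attached to the ticket (output path is an example).
$hits | Select-Object -First 1 | Format-List TimeCreated, Id, LevelDisplayName, ProviderName, Message
$hits | Format-List TimeCreated, Id, ProviderName, Message | Out-File -FilePath C:\temp\system-errors.txt
```

`Get-EventLog` only reads the classic logs (System, Application, Security); `Get-WinEvent` also reads the Applications and Services logs such as the Task Scheduler one, which is why the helper is built on it.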

Task Manager

  • processes (tasks)
  • users
  • performance (if the machine crashed, confirm it here; otherwise the problem is the network)

Resource monitor

(task manager > performance > open resource monitor)

Overview > CPU (top pane): tick the application's checkbox -> filters every other pane to that process


netstat -abo > C:\temp\log.txt   (run from an elevated prompt: -b needs admin rights to show the executable)
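The same information as PowerShell objects, added here as an example (not from the original notes): `Get-NetTCPConnection` joined to `Get-Process` gives the `-a -b -o` columns of netstat as something you can filter, group and export. The function name `Get-PortOwner`, port 1433 and the CSV path are assumptions.

```powershell
# Added example (not from the notes): the `netstat -abo` view as objects
# (Get-NetTCPConnection + Get-Process). Run elevated, otherwise the executable
# of processes owned by other users shows up as empty, exactly like netstat -b.
function Get-PortOwner {
    param([string]$State = 'Listen')   # 'Listen', 'Established', 'TimeWait', ...
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }
    Get-NetTCPConnection -State $State | ForEach-Object {
        $p = $byPid[[int]$_.OwningProcess]    # $null if the process exited after the snapshot
        [pscustomobject]@{
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            Path    = if ($p) { $p.Path } else { $null }   # also $null for protected system processes
        }
    } | Sort-Object Local
}

# Everything that listens, with its executable
Get-PortOwner -State Listen | Format-Table -AutoSize

# Who owns one specific port (1433 is an example port, not taken from the notes)
$port = 1433
Get-PortOwner -State Listen | Where-Object { $_.Local -like "*:$port" }

# Established connections grouped by remote host, to spot a client hammering the box.
# The trailing ":port" is stripped with a regex because IPv6 addresses contain colons.
Get-PortOwner -State Established |
    Group-Object { $_.Remote -replace ':\d+$' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Snapshot next to the netstat dump from the notes (example path)
Get-PortOwner -State Listen | Export-Csv -Path C:\temp\listeners.csv -NoTypeInformation
```

UDP listeners are not covered by `Get-NetTCPConnection`; `Get-NetUDPEndpoint` exposes the same `OwningProcess` property and can be joined the same way.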


C:\ProgramData\chocolatey\bin\Procmon.exe -> select a row + column > Exclude 'name' (= grep -v) / Include 'name' (= grep)
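A headless variant of the same workflow, added here as an example (not from the original notes): capture with Procmon from the command line, export to CSV, and do the include (grep) / exclude (grep -v) filtering in PowerShell. The Procmon path is the one from the notes; the process name `sqlservr.exe`, the 60 second duration and the file paths are assumptions.

```powershell
# Added example (not from the notes): headless Procmon capture + CSV filtering.
$procmon = 'C:\ProgramData\chocolatey\bin\Procmon.exe'
$pml     = 'C:\temp\capture.pml'
$csv     = 'C:\temp\capture.csv'
$target  = 'sqlservr.exe'   # example process to include

# Capture for 60 seconds without the GUI, then stop (/Runtime ends the capture).
# Start-Process -Wait is needed because Procmon is a GUI exe and '&' would not block.
Start-Process -FilePath $procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/Runtime', '60', '/BackingFile', $pml)

# Convert the binary trace to CSV (Procmon exits when the export is done).
Start-Process -FilePath $procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', $pml, '/SaveAs', $csv)

# Columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail
$trace = Import-Csv -Path $csv

$interesting = $trace |
    Where-Object { $_.'Process Name' -eq $target } |                 # include 'name'  (= grep)
    Where-Object { $_.Operation -notlike 'RegQuery*' } |              # exclude 'name'  (= grep -v)
    Where-Object { $_.Result -notin 'SUCCESS', 'BUFFER OVERFLOW', 'FAST IO DISALLOWED' }  # keep real failures

$interesting | Select-Object 'Time of Day', Operation, Path, Result | Format-Table -AutoSize

# The Path column is usually the answer: which file or key could not be found or opened.
$interesting | Group-Object Result, Path | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

`BUFFER OVERFLOW` and `FAST IO DISALLOWED` are normal Procmon results (the caller retries with a bigger buffer or a slower path) and are excluded so that `NAME NOT FOUND` and `ACCESS DENIED` stand out.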

Useful programs

  • TreeView
  • BlueScreenView
  • Sysinternals
  • Zabbix
  • VMware events
  • BareTail
  • choco install
  • choco list -lo (list locally installed choco packages)
  • telnet 900
  • powershell: Stop-Service -Name 'name'


System log: startup and shutdown event IDs

  • Event ID 6005: "The event log service was started." This is synonymous with system startup.
  • Event ID 6006: "The event log service was stopped." This is synonymous with system shutdown.
  • Event ID 6008: "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
  • Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  • Event ID 6013: Displays the uptime of the computer. The next two are written by the User32 source rather than by the event log service:

  • Event ID 1074: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.

  • Event ID 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
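The IDs above turned into a reboot timeline, added here as an example (not from the original notes). The provider names `EventLog` and `User32` and the property positions for ID 1074 follow the standard message templates; the session/uptime pairing is my own logic.

```powershell
# Added example (not from the notes): reboot history from the IDs listed above.
# 6005/6006/6008/6009/6013 are written by the 'EventLog' source, 1074/1076 by
# 'User32'. Restricting ProviderName keeps other sources that reuse the same
# numbers out of the result.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'EventLog', 'User32'
    Id           = 6005, 6006, 6008, 6009, 6013, 1074, 1076
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$timeline = foreach ($e in $events) {
    $what = switch ($e.Id) {
        6005 { 'boot: event log service started' }
        6006 { 'clean shutdown: event log service stopped' }
        6008 { 'UNEXPECTED shutdown: ' + $e.Message }
        6009 { 'boot: ' + $e.Message }
        6013 { 'uptime report: ' + $e.Message }
        1074 {
            # Template: "The process %1 has initiated the %5 of computer %2 on behalf
            # of user %7 for the following reason: %3". Properties is zero-based,
            # so process=%1 -> [0], reason=%3 -> [2], type=%5 -> [4], user=%7 -> [6].
            '{0} by {1} via {2}: {3}' -f $e.Properties[4].Value, $e.Properties[6].Value,
                                         $e.Properties[0].Value, $e.Properties[2].Value
        }
        1076 { 'reason given after unexpected shutdown: ' + $e.Message }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; What = $what }
}
$timeline | Format-Table -AutoSize -Wrap

# Per-session uptime: each 6005 starts a session; a 6006 closes it cleanly, while a
# second 6005 without a 6006 in between means the box went down without shutting down.
$sessions = @()
$bootTime = $null
foreach ($row in $timeline) {
    switch ($row.Id) {
        6005 {
            if ($bootTime) { $sessions += [pscustomobject]@{ Boot = $bootTime; End = $row.Time; Clean = $false } }
            $bootTime = $row.Time
        }
        6006 {
            if ($bootTime) { $sessions += [pscustomobject]@{ Boot = $bootTime; End = $row.Time; Clean = $true } }
            $bootTime = $null
        }
    }
}
$sessions | Select-Object Boot, End, Clean, @{ n = 'Uptime'; e = { $_.End - $_.Boot } } | Format-Table -AutoSize
```

A `Clean = $false` session whose end matches a 6008 entry confirms a crash or power loss; a 1074 entry right before a clean end tells you which process (Windows Update, a user via `shutdown.exe`, a management agent) asked for the reboot.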


$filter = "*abbix*"
get-winevent -logname 'Application'  | Where-Object { $_.Message -like $filter }