What are Windows crash logs?
Windows crash logs are essential system records generated when a critical failure, such as a system or application crash, occurs on a Windows operating system. These logs are available in the Windows Event Viewer, primarily under the System or Application logs, and play a vital role in diagnosing and troubleshooting issues related to system stability and performance.
There are several types of crashes that are captured in Windows crash logs, including:
- System crashes (Blue Screen of Death - BSOD): Critical errors forcing a system restart, logged with STOP error codes and mini-dump files. Potential causes include faulty hardware or drivers.
- Application crashes: Failures in software programs due to bugs or memory issues, logging faulting modules and exception codes.
- Service failures: Crashes in Windows services caused by misconfigurations or resource issues, logging the service name and error message.
- Driver failures: Crashes due to faulty drivers, logging driver details and associated hardware.
- Kernel crashes: Errors in the OS kernel, often caused by hardware issues, logging kernel error codes and crash dumps.
This information from the crash logs helps diagnose and resolve various system failures by providing detailed insights into the nature and cause of the crashes.
Crash logs help you with:
- Root cause analysis: Crash logs help identify the underlying issues that led to a system or application failure. By analyzing error codes and event details, administrators can trace the root cause, such as a hardware failure, driver malfunction, or software conflict.
- Preventive action: Regularly reviewing crash logs allows IT teams to spot trends (e.g., frequent crashes due to a specific driver or software). This proactive monitoring helps in applying fixes, such as updating drivers or uninstalling faulty software, before major system failures occur.
- Compliance and auditing: In some industries, crash logs are essential for compliance reporting, as they provide records of system behavior. Logs help organizations prove that incidents were addressed and systems were restored promptly.
How to view and access Windows crash logs in Windows 11?
Windows crash logs can typically be found in the Event Viewer, a built-in tool in Windows.
To find and view Windows crash logs in Windows 11, follow these steps:
Method 1: Using Event Viewer:
- Press Windows + X and select Event Viewer from the menu.
- In the Event Viewer, expand Windows Logs from the left panel.
- Click System to view system crash logs or Application for application crash logs.
- In the right pane, look for logs marked with Error or Critical related to the crash.
- Double-click the log entry to view details about the crash, including error codes, faulting modules, or STOP codes.
To create a custom filter in Event Viewer to view all crash logs in Windows 11, follow these steps:
- Open Event Viewer: Press Windows + X and select Event Viewer from the menu. Alternatively, you can also press Windows + R, type eventvwr.msc, and press Enter.
- Navigate to Custom Views: In the Event Viewer window, expand the Custom Views section in the left-hand panel.
- Create a new custom view: Right-click on Custom Views and select Create Custom View.
- Set filter criteria: In the Create Custom View window, you will set filters for the crash logs:
  - Log: In the Event logs dropdown, check Windows Logs, then select both System and Application logs.
  - Event level: Check Critical and Error (these are the types most associated with crashes).
  - Event sources: For system crashes (e.g., BSOD), set the Event Sources to BugCheck. For application crashes, set the Event Sources to Application Error.
  - Time range: Additionally, you can filter logs from a specific time by adjusting the time and date range.
- Save the custom view: Click OK once you’ve set the filter criteria. A prompt will appear asking for a name and description for the custom view. Name it something like Crash Logs and click OK.
- View crash logs: After saving the custom view, you will see it listed under Custom Views in the left panel. Click it to view all crash logs filtered by the criteria you set. You can double-click any log entry to view detailed information.
This custom filter will display all critical and error logs from both system and application logs, providing a focused view of crash-related events.
Method 2: Using PowerShell:
- Press Windows + X and select Terminal (Admin) or open PowerShell as an administrator.
- Run the following command to list system errors: Get-EventLog -LogName System -EntryType Error | Out-GridView
- This command opens the Error entries of the System log in a grid view, where you can filter and sort them to find and analyze the crashes.
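The custom view from Method 1 and the PowerShell method can be combined into one query. The following is an added example, not code from the original page: it uses Get-WinEvent (also available in PowerShell 7, where Get-EventLog is not) with the same log, level and source criteria as the custom view, then summarizes which sources crash most often. The seven-day window and the variable names are assumptions, and Microsoft-Windows-WER-SystemErrorReporting is matched because current Windows builds publish the BugCheck source under that provider name.

```powershell
# Added example: crash-related events from the System and Application logs.
# Run from an elevated PowerShell session, as in the steps above.

$since = (Get-Date).AddDays(-7)   # assumed look-back window; adjust as needed

# Sources named in the custom view. The bug check event appears in Event Viewer
# with source "BugCheck"; its provider name is matched as well (see lead-in).
$crashProviders = @(
    'BugCheck',
    'Microsoft-Windows-WER-SystemErrorReporting',
    'Application Error'
)

# Same criteria as the custom view: both logs, Critical and Error levels.
$filter = @{
    LogName   = 'System', 'Application'
    Level     = 1, 2              # 1 = Critical, 2 = Error
    StartTime = $since
}

# Get-WinEvent reports an error when nothing matches; suppress it so an
# empty result is simply an empty list.
$events = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $crashProviders -contains $_.ProviderName }
)

if ($events.Count -eq 0) {
    Write-Output "No crash events found since $since."
    return
}

# Trend view: which source and event ID combinations occur most often.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail view: newest first, with the first line of each message, which for
# Application Error entries names the faulting application.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```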
Method 3: Using WinDbg (Windows Debugger)
- Download and install WinDbg from Microsoft’s website.
- Open WinDbg as an administrator.
- Navigate to File → Open Crash Dump and select the crash dump file (located in C:\Windows\Minidump or C:\Windows\MEMORY.DMP).
- Use the !analyze -v command to analyze the crash dump and identify the cause.
- Review the output to find the STOP code, faulting driver, or other relevant information.
Method 4: Analyzing dump files:
For a deeper analysis, you can check crash dump files generated during BSOD, using the following steps:
- Navigate to C:\Windows\Minidump or C:\Windows\MEMORY.DMP to find the dump files.
- Use tools like WinDbg (Windows Debugger) or third-party utilities like BlueScreenView to analyze these dump files.
These methods allow you to find detailed information about crashes to troubleshoot issues effectively. To analyze Windows crash logs, you can also use third-party log management tools like ManageEngine EventLog Analyzer, which aggregates logs from multiple sources, identifies patterns, and helps correlate crashes with system changes.
How to leverage ManageEngine EventLog Analyzer for effective troubleshooting of Windows crashes?
ManageEngine EventLog Analyzer is a comprehensive log management and IT compliance tool designed to centralize and analyze event logs from your Windows infrastructure. It offers an out-of-the-box widget to track and analyze top crash events across your network, allowing you to drill down into raw logs for detailed troubleshooting.
By centralizing the collection and analysis of Windows crash logs, EventLog Analyzer simplifies the troubleshooting process. The tool automatically gathers logs from all Windows devices and provides predefined reports like Windows critical reports and application crashes, offering detailed insights into the causes and timing of these events.
You can configure real-time alerts for critical crash events and use the search console to filter and examine crash logs for root cause analysis. EventLog Analyzer also supports proactive monitoring by identifying patterns in crashes, enabling the prevention of future incidents. Its automated reports and real-time notifications ensure efficient troubleshooting and compliance tracking, reducing system downtime.
Specific Windows device reports that track crash logs include:
- Windows critical reports: Highlights critical events, including crashes, based on severity and trends.
- Windows system events: Monitors system crashes related to startup, shutdown, updates, and software installations.
- Application crashes: Tracks failures like BSOD, application hangs, and system errors.
By utilizing EventLog Analyzer, organizations can establish a strong monitoring framework that not only detects crashes but also provides actionable insights for swift response, enhancing overall system security and reliability.