Diagnose App Crashes & Startup Issues with Event Viewer and Custom Views (Win10/11)

Diagnose App Crashes & Startup Issues with Event Viewer and Custom Views (Win10/11)​

Difficulty: Intermediate | Time Required: 20-30 minutes

Introduction​

When an app crashes or Windows takes forever to start, the first place to look is the Event Viewer. Event Viewer records system, application, and service events that help you pinpoint what's wrong — missing DLLs, bad drivers, services that fail to start, or slow boot components. This guide walks you through using Event Viewer on Windows 10 and Windows 11 to find crash details and create a Custom View that surfaces relevant errors quickly.

Prerequisites​

• Windows 10 (version 1809+) or Windows 11. Event Viewer UI is essentially the same across these builds.
• Administrator privileges to view some logs and export events.
• The approximate time when the crash or startup delay occurred (helps narrow results).
• Basic familiarity with the Start menu and File Explorer.

Step-by-step instructions​

1. Open Event Viewer
   1. Press Windows key + X and choose Event Viewer, or press Start, type "Event Viewer" and press Enter.
   2. In Event Viewer you’ll see three panes: Navigation (left), Summary (middle), and Details (right).
2. Check the Application log for app crashes
   1. In the left pane expand Windows Logs → Application.
   2. Click the Application log. In the middle pane you'll see events sorted by date.
   3. Use the “Level” column to find Error or Critical events at or near the time of the crash.
   4. Click an event to view details in the lower/mid pane. Switch between the "General" and "Details" (XML) tabs.
   5. Look for common crash clues:
      • Event ID 1000 (Application Error) — often lists Faulting application, Faulting module, Exception code.
      • Event ID 1001 (Windows Error Reporting) — may contain a bucket id or additional fault data.
      • Event ID 1002 (Application Hang) — indicates a program stopped responding.
3. Interpret key fields
   1. Faulting application name/path — tells you which executable crashed.
   2. Faulting module name (DLL) — often identifies problematic library.
   3. Exception code — useful for research (e.g., 0xc0000005 = access violation).
   4. If you see a module that belongs to a third-party driver or antivirus, consider updating/removing it.
4. Check System and Services logs for startup issues
   1. Expand Windows Logs → System and look for Error/Warning events during boot.
   2. Common service-related Event IDs:
      • 7000/7001 — service failed to start.
      • 7009 — service timeout.
      • 7031/7034 — service terminated unexpectedly.
   3. For slow boot, expand Applications and Services Logs → Microsoft → Windows → Diagnostics-Performance → Operational. Event ID 100 indicates boot performance issues and often includes the slow component name.
5. Create a Custom View to speed future diagnostics
   1. Right-click Custom Views (left pane) → Create Custom View.
   2. In the Create Custom View dialog:
      • Logged: choose a time range if desired (e.g., Last 24 hours).
      • Event level: check Critical and Error (optionally Warning).
      • By log: select Windows Logs → Application and Windows Logs → System.
      • Event IDs: you can list common IDs separated by commas, e.g. 1000,1001,1002,7000,7001,7009,7011,7031,100 (Diagnostics-Performance events are in a different log — see note).
   3. Click OK, give the view a name like "App Crashes & Startup Errors", add a description, and click OK.
   4. Your custom view will now show only the events you specified, making it easier to triage problems.
6. Dig deeper and export/share logs
   1. If you need to analyze or send logs, right-click a log or custom view → Save All Events As… and export .evtx.
   2. Use the General/Details view to copy full event text (right-click → Copy) for forum posts or support tickets.
   3. For reproducible crashes, reproduce the issue and immediately collect events (note exact time).
7. Follow-up actions based on findings
   1. If a module or driver is implicated, update or roll back the driver; uninstall and reinstall the application; or check vendor support pages.
   2. Run SFC and DISM if system files look corrupted:
      • Open admin Command Prompt:
      • sfc /scannow
      • DISM /Online /Cleanup-Image /RestoreHealth
   3. For startup/service issues, try a clean boot (msconfig → Services → Hide Microsoft services → Disable all, reboot) to isolate third-party services.
   4. If Event Viewer shows disk or file-system errors, schedule chkdsk on next reboot: chkdsk C: /F /R.

Tips, warnings, and notes​

• Tip: Use Reliability Monitor (Start → type "reliability") as a quick visual summary of crashes and hangs — it links to Event Viewer entries.
• Tip: The Diagnostics-Performance Operational log (Microsoft → Windows → Diagnostics-Performance → Operational) is where Windows records boot and logon performance events (Event IDs 100–200 series); add it to your Custom View by selecting it during creation or by specifying its events separately.
• Warning: Don’t delete logs; exporting and sharing .evtx is safer when diagnosing with others.
• Note: Event IDs and message wording are consistent across Windows 10 and Windows 11, but Windows 11 may place some modern app/Store-related logs slightly differently (still available under Applications and Services logs).
• Note: Event Viewer shows many DistributedCOM (10016) or informational messages — focus on Error/Critical events for real troubleshooting and avoid chasing informational or benign warnings.
• Tip: When posting to a forum, include the full General view text or a copy of the XML details — that helps helpers identify module names, exception codes, and paths.

Conclusion​

Event Viewer is a powerful built-in diagnostic tool for finding why apps crash and why startup is slow or failing. By learning to locate Application and System events, interpret the key fields (faulting module, exception codes), and creating a Custom View tailored to crash/startup-related Event IDs, you’ll drastically reduce the time it takes to identify root causes and gather the right evidence to resolve issues or ask for help.
Key Takeaways:

• Use Windows Logs → Application for crashes (Event IDs 1000/1001/1002) and System for service/startup errors (7000 series).
• Create a Custom View to quickly surface Error/Critical events relevant to crashes and startup problems.
• Check Diagnostics-Performance/Operational for slow boot or logon events.
• Copy/export event details (.evtx or XML) when asking for help — it speeds diagnosis.
• Use follow-up tools (SFC, DISM, chkdsk, clean boot) based on what Event Viewer reveals.

---

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.