Windows Internals
beginnerStart Here Step 4

Diagnostics & logging

Where Windows records what happened: Event Log, ETW, and crash-oriented clues.

Related labs

Hands-on exercises for this area — in the browser or on a Windows machine.

EVTX Lab

Load and explore Windows Event Log files in the browser with Rust WASM parsing.

Open lab
View all labs

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Windows Event Log

learn.microsoft.com

Microsoft Learn

Instrumenting your code with ETW

learn.microsoft.com

Microsoft Learn

Adding event tracing to kernel-mode drivers

learn.microsoft.com

Why it matters

Understanding where telemetry comes from lets beginners move from 'Windows is acting weird' to 'I can inspect evidence and explain what happened.'

Mental model

Windows emits different kinds of traces for different goals: durable logs for history, ETW for high-volume tracing, and dumps for failures.

Schematic

Click a highlighted zone to understand the layer and jump deeper into the tree.
Event log pipelineProviderPublisher APIEvent Log svc.evtx fileWASM parser

Provider

A Windows component emits a structured event with fields and metadata.

Open related topic

Windows building blocks

Names and paths you can look for in Task Manager, Explorer, or documentation.

  • ServiceWindows Event Log

    Persists EVTX channels

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • ETW is high-volume and often in-memory; Event Log is durable and channel-oriented.
  • Many providers emit both ETW and Event Log records with different retention.

How it works

  1. 1Providers publish structured events with metadata.
  2. 2The Event Log service persists selected events in channel-specific .evtx files.
  3. 3ETW sessions can also stream detailed high-volume traces for real-time diagnostics.

Key terms

Provider
A component that emits Windows events or tracing data.
Channel
A logical event log destination such as Application, Security, or System.
EVTX
The file format used by the Windows Event Log service.

Troubleshooting a failed login or driver issue

You can often begin with Event Log for a durable history, then move to ETW if you need high-resolution tracing.

Common misconception

Event Log and ETW are related but not identical. Event Log stores selected records; ETW is a broader tracing pipeline.

Go deeper

Windows Event Log

Providers publish structured events; the Event Log service stores them in durable channels.

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

WMI & CIM

The management instrumentation layer behind many admin tools and scripts.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

beginner

Windows Event Log

Providers publish structured events; the Event Log service stores them in durable channels.

Next step in your guided path

intermediate

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

Go deeper in this branch

intermediate

WMI & CIM

The management instrumentation layer behind many admin tools and scripts.

Go deeper in this branch

Related topics

Windows Event Log

Providers publish structured events; the Event Log service stores them in durable channels.

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Previous

Memory management

Virtual address spaces, paging, working sets, and how Windows tracks memory.

Next

Windows Event Log

Providers publish structured events; the Event Log service stores them in durable channels.