Event Viewer Archives

Winsage

November 17, 2025

Custom Windows Event Viewer log notifications upped my debugging game

Windows Task Scheduler can be configured to monitor system events and send notifications for anomalies, allowing users to proactively address issues before they escalate. Users can set up custom notifications by specifying Event IDs in the Task Scheduler. Common Event IDs for debugging include: - Application crash: Event ID 1000 (Application Error) - Application hang: Event ID 1002 (Application Hang) - Service failure: Event ID 7000 (Service Control Manager) - Service stopped: Event ID 7036 (Service Control Manager) - Disk/I/O issues: Event ID 129 (Disk or NTFS) - Group policy failure: Event ID 1058 (Microsoft-Windows-GroupPolicy) - Driver error: Event ID 7023 (Service Control Manager or Kernel-PnP) - Failed logon: Event ID 4625 (Microsoft-Windows-Security-Auditing) - User account locked out: Event ID 4740 (Microsoft-Windows-Security-Auditing) - Audit log cleared: Event ID 1102 (EventLog) - Unexpected system shutdown: Event ID 41 (Kernel-Power) To set up notifications, users can create a PowerShell script that performs specific actions based on the event type, such as sending an email for critical alerts or displaying on-screen messages for less critical events. This setup enables effective monitoring without the need for third-party applications.

Winsage

October 30, 2025

Windows event logs are still the most powerful diagnostic tool on your PC

Event Viewer is a built-in diagnostic tool in Windows that logs every event occurring on a PC, helping users troubleshoot performance issues. It categorizes logs into Application, System, Security, and Setup sections, allowing users to focus on relevant categories during troubleshooting. Events are classified as Critical, Error, Warning, and Information, with Critical events indicating potential sources of system crashes. Users can filter logs, research Event IDs, and utilize the Details section for deeper insights. Event Viewer can be paired with Reliability Monitor for a visual overview of system stability. Many third-party diagnostic tools also rely on data from Event Viewer, making it a valuable resource for addressing persistent errors.

Winsage

October 24, 2025

Weird Authentication Failures? Could Be That Microsoft Doesn’t Like Duplicate SIDs Anymore

Microsoft has introduced a feature that requires unique Security Identifiers (SIDs) across systems, effective August 29, 2025, impacting users who previously cloned images with duplicate SIDs for Kerberos or NTLM connections. This change has led to SECENO_CREDENTIALS errors in the Event Viewer and other reported issues. Microsoft recommends using the Sysprep tool for fresh machine setups. A workaround exists through a Group Policy setting that allows duplicate SIDs, but users must contact Microsoft support to access it, as it is not available by default. This update marks the third occurrence of authentication errors associated with Microsoft updates.

Winsage

October 23, 2025

Microsoft says Windows update may have caused login problems

Microsoft has acknowledged that recent updates for Windows operating systems, specifically Windows 11 versions 24H2 and 25H2, and Windows Server 2025, may have caused login complications for some users. The problematic updates are KB5064081 (OS Build 26100.5074) released on August 29, 2025, and KB5065426 (OS Build 26100.6584) released on September 9, 2025. These updates can lead to authentication failures related to Kerberos and NTLM protocols, particularly on devices with duplicate Security IDs (SIDs). Symptoms include repeated prompts for credentials, failed access requests, inability to access shared network folders, challenges in establishing Remote Desktop connections, and specific error messages logged in the Event Viewer. The root cause is enhanced security measures that enforce checks on SIDs, which can block authentication handshakes when devices have duplicate SIDs, often due to unsupported cloning methods. There is no automated fix; administrators are advised to rebuild devices with duplicate SIDs using supported cloning methods or to configure a special Group Policy for a temporary workaround.

Winsage

October 23, 2025

Microsoft Confirms Recent Updates Causing Login Issues Across Windows Versions

Microsoft has identified a significant issue affecting users of Windows 11 version 24H2, version 25H2, and Windows Server 2025, where many users experience persistent login failures due to duplicate Security Identifiers (SIDs) after installing updates released on or after August 29, 2025. Reports indicate that after installing the preview update KB5064081 or the cumulative update KB5065426, devices with identical SIDs struggle to complete Kerberos or NTLM authentication, leading to repeated prompts for credentials and common error messages such as "Login attempt failed" and "Your credentials didn’t work." Shared network folders become inaccessible, and Remote Desktop connections fail. The root cause is enhanced security checks enforcing SID uniqueness, which block authentication handshakes when duplicate SIDs are detected. Duplicate SIDs typically occur when administrators clone Windows installations without using Sysprep, which is necessary to assign unique SIDs. Microsoft recommends rebuilding devices with duplicate SIDs using supported methods and running Sysprep prior to capturing images for deployment. As a temporary measure, administrators can install a specific Group Policy provided by Microsoft Support for Business.

Winsage

October 22, 2025

Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025

Microsoft has identified an authentication issue affecting users of Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025, due to updates rolled out since late August 2025. These updates have caused failures in Kerberos and NTLM protocols on devices with identical Security Identifiers (SIDs), leading to widespread login disruptions in enterprise networks. Users have reported repeated credential prompts, error messages, and compromised network access, including issues with Remote Desktop Protocol (RDP) sessions and Failover Clustering operations. Event Viewer logs indicate machine ID mismatches and potential session discrepancies. The problem is particularly severe in virtual desktop infrastructure (VDI) environments where multiple machines share SIDs. Microsoft has emphasized the importance of using the Sysprep tool to ensure unique SIDs during cloning, as the recent updates now strictly verify SIDs during authentication. IT administrators can temporarily alleviate the authentication blocks with a specialized Group Policy, but a permanent solution involves rebuilding devices using approved cloning procedures. As of October 21, 2025, no broader patch has been released.

Winsage

October 22, 2025

Microsoft: Recent Windows updates cause login issues on some PCs

Microsoft has acknowledged a significant issue affecting Windows systems following updates released since August 29, 2025, which are causing authentication failures on devices with duplicate Security Identifiers (SIDs). SIDs are unique alphanumeric strings used by Windows to manage user and computer accounts. The updates enforce checks on SIDs, leading to authentication failures, particularly impacting Windows 11 24H2, Windows 11 25H2, and Windows Server 2025. Users may experience failed remote desktop connections, "Access denied" errors, and failed login attempts despite valid credentials, along with SECENO_CREDENTIALS errors in the Event Viewer. Duplicate SIDs often arise from cloning Windows installations without proper preparation using the Sysprep tool. Microsoft recommends rebuilding systems with duplicate SIDs using supported methods and offers a temporary workaround through a specific Group Policy.

Winsage

October 8, 2025

How to deploy Data Duplication on Windows Server

Storage capacity is crucial for managing data costs and performance, leading to the use of data deduplication to reduce redundant data and optimize storage space. Microsoft’s Data Deduplication feature, introduced with Windows Server 2012, can achieve storage savings of up to 50% for user documents and 95% for virtualization libraries. Data deduplication is applicable to file servers, backup storage servers, and virtualization hosts, requiring Windows Server 2012 or later and the NTFS file system. To install Data Deduplication, users must access Server Manager, add the feature, and can also use PowerShell with the cmdlet PLACEHOLDERb80efd5ce6cbf150. Configuration involves managing settings through Server Manager, including selecting a deduplication type, setting a file age, and scheduling the deduplication process. Monitoring and optimizing deduplication can be done using the Data Deduplication Saves Evaluation Tool (ddpeval.exe) and PowerShell cmdlets like PLACEHOLDER6242a4d48a44de3e. Alternative deduplication products include Veeam Backup and Replication, Arcserve UDP, and Acronis Cyber Protect, which may offer additional features for cloud or hybrid environments. Best practices for deduplication include using the latest Windows Server versions, avoiding system volumes, ensuring adequate free space, and scheduling tasks during off-peak hours. Troubleshooting tips involve checking memory and processor performance, utilizing ddpeval.exe, and reviewing Event Viewer logs.

Winsage

September 12, 2025

Announcing Windows 11 Insider Preview Build 27943 (Canary Channel)

Windows 11 Insider Preview Build 27943 has been rolled out to the Canary Channel, featuring general enhancements and fixes. Key fixes include resolving an unresponsive issue in the Storage settings, correcting a taskbar glitch with app previews, fixing HDR settings, addressing an Event Viewer error related to the Microsoft Pluton Cryptographic Provider, and resolving issues with device casting PIN confirmation and the Group Policy Editor display in Chinese. Known issues include potential rollbacks during installation with specific error codes, increased bugchecks on Arm64 PCs, inability to playback GPU captures in PIX, screen flickering in browsers, and audio issues with devices marked in Device Manager. Insiders are advised to update drivers to resolve audio problems. The Canary Channel builds are early development versions and may not align with future Windows releases. Features may change, be removed, or not be released to the public. A clean installation is required to exit the Canary Channel, and a desktop watermark will be present in pre-release builds.

Winsage

September 6, 2025

Announcing Windows 11 Insider Preview Build 26120.5790 (Beta Channel)

Windows 11 Insider Preview Build 26120.5790 (KB5065779) has been released to the Beta Channel for Windows 11, version 24H2. Key features include: - Introduction of fluid dictation in voice access for Copilot+ PCs, which automatically corrects grammar and punctuation during voice dictation. - Expansion of Windows Studio Effects to additional cameras, allowing AI-powered enhancements on USB webcams and built-in laptop rear cameras. - New agent in Settings experience rolling out for users with French as their primary display language. - File Explorer Home now includes on-hover actions for file management, requiring a Microsoft account for access. - Various fixes addressing performance issues, taskbar misalignments, context menu behavior in File Explorer, and unresponsive settings. - Known issues include a bug causing green screens during hibernation and audio problems with certain devices in Device Manager. Feedback can be submitted through the Feedback Hub for various features and issues.