Windows Event Viewer: Hardware Diagnostics Guide
Your next BSOD will hide its real cause in a hex code most users can't read.
Windows logs the crash. It does not tell you which component failed, which Event ID matters, or whether your RAM is failing weeks before the final blue screen. GGFix decodes Event IDs 41 / 1001 / 219 / WHEA into plain English and pushes the diagnosis to your phone in under 10 seconds.
Start 3-Day Free TrialNo card requiredWindows Event Viewer is one of the first places to check when a PC crashes, reboots unexpectedly, or develops intermittent faults. The problem is that most guides either skip the hardware-specific logs entirely or dump every Event ID without explaining which ones are actually diagnostic. This guide covers exactly which Event IDs signal real hardware problems, how to read them correctly, and where Event Viewer stops being useful — so you know when to reach for other tools.
This post is part of our complete hardware vs. software problem diagnosis guide, which covers the full decision tree for separating hardware faults from OS and driver issues.
How to Open Event Viewer and Navigate to Hardware Logs
Press Win + R, type eventvwr.msc, and press Enter. In the left panel, expand Windows Logs. Hardware diagnostics live primarily in two logs:
- System log — Kernel-Power (ID 41), WHEA-Logger, disk controller errors, driver faults
- Application log — Windows Error Reporting (ID 1001), post-crash minidump analysis
For faster signal-to-noise, use Custom Views → Create Custom View and filter by Event Level: Critical and Error, log: System, last 7 days. This cuts out hundreds of informational entries that have nothing to do with hardware health.
Alternatively, open an elevated command prompt and run perfmon /report. Windows collects 60 seconds of performance telemetry and generates an HTML diagnostic report that cross-references Event Viewer data with resource utilization — useful for spotting correlation between CPU spikes and error events.
Windows Reliability Monitor (Win + R → perfmon /rel) is a more approachable starting point if you're not familiar with raw event logs. It presents a graphical timeline of crashes, application failures, and hardware errors with severity ratings. Clicking any entry opens the underlying Event Viewer record. For a fleet technician doing a quick first-pass audit, Reliability Monitor can surface the most recent hardware events in under 30 seconds.
The Hardware Event ID Cheat Sheet
These are the Event IDs that matter for hardware diagnostics. Everything else in the System log is either software, driver, or configuration noise.
| Event ID | Log | Source | What It Means | Confidence |
|---|---|---|---|---|
| 41 | System | Kernel-Power | Unclean shutdown — crash, freeze, or power loss | High |
| 1 | System | WHEA-Logger | Fatal hardware error — machine check exception | Very High |
| 17 | System | WHEA-Logger | Corrected hardware error — recoverable but escalating | Medium-High |
| 18 | System | WHEA-Logger | Fatal machine check exception | Very High |
| 19 | System | WHEA-Logger | Correctable hardware error | Medium |
| 7 | System | Disk | Bad block — I/O failure reading or writing a sector | High |
| 11 | System | Disk | Disk controller error — cable, driver, or hardware | Medium |
| 15 | System | Disk | Device not ready — drive failing to initialize | High |
| 219 | System | Kernel-PnP | Driver failed to load — device or driver corruption | Medium-High |
| 6008 | System | EventLog | Unexpected shutdown logged at next boot | High |
| 1001 | Application | Windows Error Reporting | Post-crash analysis — contains full stop code and faulting module | High |
The Confidence column reflects how reliably the event points to a hardware root cause versus a software or driver issue. "Very High" means the event is generated by hardware itself and is almost never a false positive. "Medium" events require correlation with other data before drawing conclusions.
Event ID 41 Kernel-Power: Unexpected Shutdown Analysis
Event ID 41 from Kernel-Power is the most important hardware event in Windows. It is written at every boot that follows an unclean shutdown — a crash, hard freeze, or sudden power loss. By itself it tells you that something went wrong. The BugcheckCode field inside the event tells you what.
Critical detail that most guides miss: the BugcheckCode is stored in decimal, not hexadecimal. A BugcheckCode of 278 in the event details is actually 0x116 in hex — which maps to VIDEO_TDR_FAILURE, a GPU driver timeout or hardware fault. Open Calculator in Programmer mode, enter the decimal value, and read the hex output.
Key stop codes to know:
- 0x124 (WHEA_UNCORRECTABLE_ERROR) — hardware-level fault, typically CPU, RAM, or VRM instability
- 0x101 (CLOCK_WATCHDOG_TIMEOUT) — CPU core not responding, often overclocking or power delivery
- 0x116 (VIDEO_TDR_FAILURE) — GPU driver timeout; check GPU temperatures and driver version
- 0xEF (CRITICAL_PROCESS_DIED) — usually software, but can be triggered by RAM instability
If BugcheckCode is 0, the machine did not blue screen — it hard-reset or lost power without generating a crash dump. Investigate the PSU and power delivery under load. A PSU that can no longer hold stable voltage under full load will cause exactly this symptom: clean shutdown, no BSOD, Kernel-Power ID 41 at next boot.
For the full stop code reference and how to trace hardware BSODs back to specific components, see our complete BSOD hardware causes and fix guide.
If the machine specifically crashes during CPU-intensive tasks, rendering, or gaming, the correlation between thermal load and crash timing is the key signal. Our PC crashes under load diagnostic workflow covers stress testing methodology and temperature correlation for that specific failure pattern.
WHEA-Logger Events: Hardware-Generated Error Codes
WHEA (Windows Hardware Error Architecture) events are different from all other Event Viewer entries. They are not written by Windows — they are written by the hardware itself. Machine Check Exceptions (MCEs) are generated by the CPU, memory controller, chipset, or PCIe subsystem when a hardware fault is detected. Windows simply captures and logs them.
This means WHEA events have essentially no false positives at the hardware level. When the CPU says it detected a cache hierarchy error, it detected a cache hierarchy error.
Event ID 1 and 18 (fatal): These require immediate action. A single occurrence can indicate a component has failed outright. Check the ErrorSeverity and ErrorType fields in the event details:
Cache Hierarchy Error— CPU internal cache faultBus/Interconnect Error— PCIe lane issue, often GPU or NVMe relatedMemory Controller Error— RAM or IMC (integrated memory controller) faultProcessor Error— core-level CPU fault
Event ID 17 and 19 (corrected): The hardware detected and corrected an error without data loss. One or two per week on a heavily loaded workstation is within normal range. What matters is frequency and trend. In our monitoring data across 500+ workstations, machines that develop fatal hardware failures almost always show a pattern of accelerating corrected WHEA errors in the weeks prior — the count climbs from 2 per day to 20 per day to 80 per day, then the fatal event hits.
When WHEA corrected events start appearing in volume, always test RAM first. Run MemTest86 for a minimum of 2 full passes — roughly 2 to 4 hours on 16 GB — before assuming CPU or motherboard. The majority of WHEA-Logger escalations we have diagnosed over the years traced back to a failing DIMM, not the CPU or VRM. For other symptoms that appear before RAM generates WHEA events, see our guide to RAM failure signs and testing methods.
Disk Errors: Event ID 7, 11, and 15
Disk errors in the System log use the source name Disk and are generated by the Windows storage driver stack when an I/O operation fails or a drive reports a problem.
Event ID 7 (bad block) is the most diagnostically reliable disk event. It means a read or write operation failed because the target sector could not be accessed. For HDDs, this means a physically damaged platter sector. For SSDs and NVMe drives, it means a flash cell that has failed and been (or attempted to be) reallocated. A single ID 7 event is not an emergency — it is a signal to immediately check SMART data and start backing up anything critical on that drive.
Event ID 11 (controller error) is less reliable as a hardware indicator. It can be caused by a loose SATA cable, a driver bug, an NVMe firmware issue, or actual controller failure. Do not treat ID 11 alone as a death sentence for a drive. Correlate it: if ID 11 events appear alongside rising SMART attributes — specifically Reallocated Sector Count (ID 5), Pending Sector Count (ID 197), or Uncorrectable Sector Count (ID 198) — the drive is failing. If SMART data looks clean, check physical connections and update storage drivers first.
Event ID 15 (device not ready) typically indicates a drive that cannot complete initialization. On HDDs, it usually means a motor or head assembly problem. On SSDs, it can indicate a failing controller or firmware corruption. Treat it as a precursor to complete failure.
The limitation here is significant: Windows Event Viewer does not read SMART data at all. A drive can have hundreds of reallocated sectors and a Remaining Life estimate of 4% with zero Event Viewer warnings. Event Viewer only logs I/O failures that have already occurred — not the degradation trends that predict them. Our SSD failure prediction using SMART data guide covers which SMART attributes are actually predictive versus which are cosmetic.
The Thermal Gap: What Event Viewer Never Captures
This is the most important limitation of Event Viewer for hardware diagnostics: it logs nothing about temperatures.
A CPU running at 97°C for three hours every day is incurring damage to the IHS solder, degrading capacitors on the motherboard, and reducing the lifespan of surrounding components. Event Viewer will show nothing — until the day a WHEA fatal event fires or the machine stops posting. By then, the damage may be permanent.
Thermal throttling is completely invisible in Windows logs. When an Intel Core i9 reduces from 5.8 GHz to 2.4 GHz to protect itself from heat, Windows dutifully runs at 2.4 GHz and writes nothing to Event Viewer. Users notice the PC feels slow. Rendering jobs take twice as long. Nothing appears in the logs.
The same gap exists for GPU temperatures above 90°C, NVMe drives above 70°C (which trigger firmware-level throttling), and VRM temperatures on the motherboard, which can reach destructive levels with zero indication in any Windows log.
For any machine that crashes under load without clear Event Viewer evidence, temperature must be investigated directly using tools that read hardware sensors in real time. Understanding which sensors matter and what thresholds indicate problems is the starting point for that investigation.
Correlating Multiple Events to Find the Root Cause
The diagnostic value of Event Viewer comes from correlation, not from individual events. A single error in isolation is rarely conclusive. A pattern across events almost always is.
Investigation sequence:
- Filter System log: Critical and Error, last 30 days. Note total count and timestamps.
- Filter Application log: look for Event ID 1001 (Windows Error Reporting) entries with minidump analysis.
- Map timestamps: do errors cluster around specific times of day, specific workloads, or specific hardware operations?
- Cross-reference event types: WHEA ID 17 + Disk ID 7 in the same window points to storage or memory controller. Kernel-Power ID 41 with BugcheckCode 0x124 + multiple WHEA events points to CPU, RAM, or VRM instability.
- If events correlate with workload: reproduce the failure under controlled conditions. Stress testing a PC safely while simultaneously logging temperatures and SMART data gives you both the Event Viewer crash data and the thermal context that Event Viewer never captures.
After 8 years of hardware diagnostics in Copenhagen, the most common mistake I see is technicians treating a single Event ID 41 as the entire story. Kernel-Power ID 41 is always a symptom. The cause is somewhere else — in the WHEA log, in SMART data, in the temperature history, or in the PSU voltage rails. Event Viewer surfaces the symptom. Identifying the cause requires all four data sources.
Auto-Decoding the Critical Event IDs
The sequence above works, but every step is manual. Open Event Viewer. Filter. Decode the BugcheckCode in Calculator. Cross-reference timestamps. For one machine after a one-off crash, that is acceptable. For a fleet — or for a single user who crashed two hours ago and just wants to know why — it is too slow.
This is the layer continuous monitoring fills. An agent that already reads the System and Application logs every minute can decode the four critical Event IDs the moment they fire and surface a plain-language explanation in real time, with no Calculator hex conversion and no SMART data tab to open separately.
| Event ID | Manual Event Viewer workflow | Auto-decoded explanation |
|---|---|---|
| 41 Kernel-Power | Open Event Viewer → find ID 41 → read BugcheckCode in decimal → convert to hex in Calculator → look up the stop code online | "Unclean shutdown at 14:32. BugcheckCode 0x124 = WHEA_UNCORRECTABLE_ERROR. CPU/RAM/VRM fault, not a software crash. RAM should be tested first." |
| 1001 Windows Error Reporting | Open Application log → find ID 1001 → read minidump path → download WinDbg → analyse the dump | "BSOD at 14:32. Faulting module: nvlddmkm.sys (NVIDIA display driver). GPU hotspot was 108°C in the prior 60 seconds — thermal trigger, not a driver bug." |
| 219 Kernel-PnP | Open Event Viewer → find ID 219 → read driver path → cross-reference with Device Manager → check vendor driver updates | "Driver failed to load at 09:14: usbxhci.sys. Pattern: occurred after the same external SSD was attached three times this week. Likely failing USB controller on that port or device." |
| WHEA 17/19 | Open System log → filter for WHEA-Logger → count occurrences over time — manual trend tracking | "Corrected WHEA errors are accelerating: 2/day baseline, now 18/day for the last 4 days. RAM is the most likely cause — schedule MemTest86 before this becomes a fatal event." |
This is what GGFix's agent does on every monitored Windows machine. It captures the last 24 hours of critical events on every telemetry tick (BSOD codes 41/1001, disk errors 7/11, driver failures 219, app crashes 1000/1002, unexpected shutdown 6008), correlates them with the sensor history from the same window, and the AI layer writes the explanation in plain language. A user who would never open Event Viewer gets a Telegram message that says "your PC restarted at 14:32 because the GPU hit thermal protection while running Cyberpunk — here's the dust-cleaning recommendation."
That is the same answer a technician would reach with manual Event Viewer work, but delivered in seconds instead of an hour, and pushed to the user instead of waiting for them to file a ticket.
Beyond Event Viewer: Monitoring at Fleet Scale
Event Viewer works adequately for diagnosing a single machine after the fact. It does not scale. There is no built-in mechanism to query Event IDs across 50 machines, track error frequency trends, or send an alert when WHEA corrected errors start accelerating on a specific workstation.
In practice, machines in a fleet that generate their first fatal WHEA event without any prior visible warning almost always had corrected WHEA events accumulating for weeks — on a machine where nobody was watching Event Viewer.
Continuous hardware monitoring closes this gap by aggregating sensor data, SMART values, and system events across all machines and surfacing trends before they become failures. Instead of checking Event Viewer after a crash, you receive an alert when WHEA corrected errors on a specific machine exceed their normal baseline, or when a drive's reallocated sector count increases by more than 10 in a week.
GGFix monitors Windows machines every 60 seconds — CPU, GPU, SSD SMART data, fan speeds, temperatures, and memory metrics — and uses AI pattern recognition to separate normal variation from early failure signals. Understanding hardware monitoring alert thresholds explains which metrics trigger alerts and what the threshold logic looks like in practice.
Event Viewer is a reactive tool: it tells you what broke. Continuous monitoring is a proactive tool: it tells you what is about to break. Both have their place, and neither replaces the other.
Frequently Asked Questions
Q: How do I find hardware errors in Windows Event Viewer?
Open Event Viewer (Win + R → eventvwr.msc), expand Windows Logs → System, and right-click to filter by Source: WHEA-Logger, Kernel-Power, or Disk, with level Critical or Error, last 7-30 days. The Event IDs that matter most for hardware are 41 (Kernel-Power), 1 and 17-19 (WHEA-Logger), 7, 11, 15 (Disk), and 219 (Kernel-PnP).
Q: What does Event ID 41 Kernel-Power mean?
Event ID 41 is written at the next boot after any unclean shutdown — crash, hard freeze, or sudden power loss. The BugcheckCode field inside the event contains the stop code in decimal format; convert it to hexadecimal to look it up. A BugcheckCode of 0 means no blue screen occurred — the machine hard-reset or lost power, pointing to PSU, power delivery, or a thermal shutdown.
Q: Are WHEA-Logger errors serious?
WHEA Event IDs 1 and 18 (fatal) indicate actual hardware failure and require immediate investigation. Event IDs 17 and 19 (corrected errors) are less urgent if they appear occasionally, but an accelerating frequency over days or weeks almost always precedes a fatal hardware event. Run MemTest86 for at least 2 passes when WHEA corrected errors become frequent — RAM faults are the most common root cause.
Q: Why does Event Viewer show nothing but my PC keeps crashing?
The most common explanation is thermal shutdown. Windows does not log CPU, GPU, or SSD temperatures anywhere in Event Viewer. A machine that shuts down due to CPU overheating at 100°C will log Kernel-Power ID 41 but nothing indicating heat as the cause. Use hardware sensor monitoring tools to log temperatures alongside Event Viewer data, especially on machines that crash under heavy workloads.
Q: Can a monitoring tool decode Event Viewer entries automatically?
Yes. The four highest-value Event IDs for hardware diagnostics — 41 (Kernel-Power), 1001 (Windows Error Reporting), 219 (Kernel-PnP), and the WHEA-Logger family — all follow predictable formats that an agent can parse the moment they fire. GGFix decodes BugcheckCode hex conversions, faulting module names, driver failure paths, and WHEA error type/severity into plain-language explanations and pushes them via Telegram or email, eliminating the manual Event Viewer round-trip for most crash investigations.
Q: Can Event Viewer detect a failing hard drive or SSD?
Partially. Event ID 7 (bad block) and ID 15 (device not ready) indicate drive problems, but Event Viewer does not read SMART data — the most reliable predictor of drive failure. A drive can have hundreds of reallocated sectors with no Event Viewer warnings at all. Always combine Event Viewer with dedicated SMART monitoring tools for complete drive health assessment.
Q: How do I interpret the BugcheckCode in Event ID 41?
The BugcheckCode value in Event ID 41 details is stored in decimal. Open Windows Calculator in Programmer mode, enter the decimal value, and read the hexadecimal output. That hex value is the actual Windows stop code (BSOD code). For example, BugcheckCode 278 decimal = 0x116 hex = VIDEO_TDR_FAILURE (GPU issue). A value of 0 means no stop code was generated — the machine did not blue screen before shutting down.
Stop decoding BSODs by hand. Get the diagnosis pushed to your phone.
GGFix reads the Windows Event Log on every tick, decodes Event IDs 41 / 1001 / 219 / WHEA into plain English, correlates them with sensor and process history, and tells you which component to test first — in under 10 seconds.
- 3-day free trial — no credit card, 1 machine included
- Installs silently as a Windows Service (2 minutes)
- 50+ sensors + top 25 processes monitored every minute
- Auto-decodes BSODs and Event IDs 41 / 1001 / 219 / WHEA
- AI names the exact app that caused any crash or spike
- Telegram or email alerts in under 10 seconds
| Scenario | Typical cost (USD) |
|---|---|
| Technician hour to decode a BSOD by hand | $80 – $250 |
| Wrong-component swap before correct diagnosis | $100 – $800 |
| Windows reinstall when RAM was the real cause | $300 – $1,000 |
| Failed RAM caught early via WHEA trend | $50 – $200 |
| GGFix monitoring (per machine / month) | $20 |
| GGFix monitoring (per machine / year — 2 months free) | $200 |
Early warning is the cheapest insurance you can buy. GGFix catches problems when the fix is still cheap — and names the exact app, sensor, or BSOD code responsible.
GGFix Technical Team
Writing about hardware monitoring, fleet management, and keeping machines alive. Powered by GGFix.
Related Articles
PSU Failure Signs: When Your Power Supply Is Dying
A dying PSU is the most misdiagnosed component in PC repair. Voltage instability, load-specific crashes, and USB dropouts are the real warning signs — here is what the ATX spec requires, how long quality units actually last, and which diagnostic tools work.
The Real Cost of Hardware Failure: A Business Impact Analysis
Hardware failure costs 5-10x the price of the broken component when you count downtime, lost productivity, data recovery, and emergency labor. This analysis breaks down the real numbers for small and mid-sized businesses.
PC Troubleshooting Guide: Diagnose and Fix Hardware Problems
The complete starting point for diagnosing PC hardware problems. Covers every major symptom and component failure, with step-by-step diagnostic approaches and links to in-depth guides.
[ free 3-day trial · no credit card ]
Know before it breaks.
GGFix installs in 2 minutes and starts watching your hardware immediately — CPU temps, GPU load, disk health, fan speeds, and 50+ sensors. AI tells you what's wrong before it causes damage.