Where to find CHKDSK results in Vista, Windows 7


My recent hard disk failure made me realize that I had no idea where to find the CHKDSK logs that are created when Windows runs CHKDSK at boot. In my case, I had just installed a drive that had a bunch of NTFS corruptions caused by a different computer.

Below I walk through what I think is the easiest way to find the CHKDSK logs (and more) which are available in the Windows Event Log.

Short Answer

1. Start Windows PowerShell as Administrator

2. Type in the following at the prompt:
get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message

Note: if you want to limit the search to just the recent events, you can add starttime="11/25/2009" to the FilterHashTable parameter above.


Long Answer

Windows Event Log
Windows stores the results of CHKDSK, among other things, in the Windows Event Log. This is a good thing because the Event Log does a great job managing a lot of data. Given that so many different parts of the OS are involved in writing to the disk, it wouldn’t make sense to write the results in several different text files. You’d never be able to find out anything. The only downside to this is that you have to learn to use the Event Log, which isn’t that hard.

Windows PowerShell & the Event Log
The easiest way to read the Event Log is to use Windows PowerShell and the Get-WinEvent cmdlet. (Note: Windows PowerShell is built into Windows 7/Server 2008 R2.  You will have to install PowerShell V2 on Windows Vista to get this to work.)

PowerShell makes it easy to ask for exactly what you need. For example, in the “Short Answer” above I just ask for the specific CHKDSK event ID 1001 from the “Microsoft-Windows-Wininit” event provider:

get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message

But how did you know where to find that!?
Truthfully, I really didn’t. I had to dig. This is one of the reasons I use PowerShell. Sometimes I have to ask for everything and filter through to find what I want. In this case, I started with looking at absolutely everything that had happened since 7:00am today, which was the time of my last boot. I dumped this all to Out-GridView so I could see it easily.

get-winevent -FilterHashTable @{logname="*"; starttime="7:00am"} | select timecreated,providername,id,containerlog,message | out-gridview

(Note that ‘starttime’ can take all manner of date and time formats, e.g. 11/25/2009 would have worked as well. If you need to set an upper bound on the time, use ‘endtime’.)

Next, I used Out-GridView to filter the results looking for the keyword “CHKDSK” in the Message field. This showed me who logged the event (Microsoft-Windows-Wininit) and what ID the event has (1001). From there, I created the query that is in the “Short” answer above.
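
The same discovery step can be scripted instead of done by eye in Out-GridView. This is an added example, not part of the original post: the function names Find-EventSource and Get-ChkdskLog are hypothetical, and the second function assumes the provider and ID found above (Microsoft-Windows-Wininit, 1001).

```powershell
# Added example; Find-EventSource and Get-ChkdskLog are hypothetical helper names.

function Find-EventSource {
    # Report which provider / event ID / log wrote events whose message
    # contains $Keyword, i.e. the Out-GridView keyword search as a script.
    param(
        [Parameter(Mandatory=$true)] [string] $Keyword,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    $pattern = [regex]::Escape($Keyword)   # treat the keyword as literal text
    # Query one log at a time so a log that is empty or unreadable
    # only skips itself instead of ending the whole search.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $Since } -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Message -match $pattern } |
        Group-Object ProviderName, Id, LogName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-ChkdskLog {
    # Targeted query once the source is known: Wininit event 1001 in the
    # Application log, with the provider filter inside the hashtable.
    param([datetime] $Since)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1001
    }
    # Only bound the search when the caller passed a start time.
    if ($PSBoundParameters.ContainsKey('Since')) { $filter.StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; return nothing instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage (from an elevated prompt, as in the Short Answer):
Find-EventSource -Keyword 'chkdsk' -Since (Get-Date).AddDays(-7)
Get-ChkdskLog -Since (Get-Date).AddDays(-30) | Format-List
```

Passing a [datetime] object such as (Get-Date).AddDays(-7) for the start time sidesteps any question about which date string format the machine expects.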

What about other related events?
I was wondering the same thing. Probably the most useful query here is to search for the keyword “Disk” in Out-GridView which will show you several events of interest. It was interesting to see that there are also several events from NTFS, for example, which have indicated that the volume was corrupt in the first place. Also, I apparently have a few bad blocks on some of my disks I’m gonna see about taking care of…

Alternatives
You can also see the same data in the Windows Event Viewer, but I find it much harder to find things in there unless you know exactly what you’re looking for. The Event Viewer can be found on Vista and Windows 7 by going to Start and then searching for “Event Viewer”.

22 comments to Where to find CHKDSK results in Vista, Windows 7

  • Sain

    This has turned into a Windows help blog!! Where did all the drinking and running go?! Are you being paid by MS?! Wait, you are… ^_^

    • Sain, you've got a point. I wanted to post this one for a couple of reasons. One of them is that I helped in creating 'Get-WinEvent'. The other is that I get really annoyed when I can't find the answer to what I think are simple questions. I figure if I can't figure it out or find it on the web, someone ought to put it out there so it can be found with some creative Goog… I mean, Binging. :p

      • Sain

        Yeah, search engines have a ways to go before properly interpreting our questions. Explains how those text for answers services can still exist. :)
        Happy holidays!!

  • Fabio

    This was a very helpful post for me, thank you!
    In the date part, if you use a different system of date (e.g.: DD/MM/YYYY) you have to put in the command line to show the correct date interval.

  • Nico

    This has been very helpful indeed. thanks!

  • Ken

    I tried it and got an error message:
    The term 'logname=application' is not recognized as the name of a cmdlet, function, script file, or operable program." I did put it in quotes as suggested.

    • Ken,
      If you cut and pasted the command line into PowerShell, it's possible that there was a problematic line break inserted somewhere. Try typing out the full command without cutting and pasting and see if that works.
      Kevin

  • Ken

    EventViewer seemed easier. Yes, finding what you want can be tough. It helped knowing that I had to look for wininit and id 1001. I found that from last night's chkdsk run, went to the details tab, and could read my results. Thanks!

    • I tend to agree, there are several things where the Event Viewer is easier to deal with – particularly if you're willing to use the advanced features like "Create Custom View…". However, I find myself writing short PowerShell scripts to do the same thing as creating custom scripts more often than not. It really comes down to if you like command lines or GUIs more. :)

  • [...] the Application event log, filter for Wininit event 1001. This article talks about using PowerShell, but I find it easier to just use the Event Viewer’s filter [...]

  • Rico

    Could have put it in 1 line:
    For Windows 7 the Chkdsk log can be found in the event viewer, applications, under "wininit".

    • kmwoley

      true – but looking through all the log entries can be a pain.
      And, the real point of this post was 'how to find what you're looking for' more than the chkdsk logs themselves. :)

  • guest

    This blog post has been very helpful, Thxs for the time-saver tips!

  • Sashman

    JFYI, if the chkdsk log is too long, it gets truncated.

    Bad luck two times in a row (the first time was when your disk crashed and made chkdsk to be very verbose).

  • Donna

    When you said your ntfs drive was corrupted by another computer, that rang a bell for me. My 8 mo. old external hard drive suddenly had a ton of problems right after I started switching it between my Vista computer and Win7 laptop. Is that a no no?

  • Esam

    Thanks sooo much, just what I need

  • Käv

    Open Windows Explorer->Root Partition-> Folder "System Volume Information"->Right Click,Properties and add your User Account with read permissions->open "System Volume Information" and go to the subfolder "Chkdsk". There are all CHKDSK Logs.

    Sorry for my english

  • Charles

    Phew. It is a lot easier just to go in Event Viewer, Find and type chkdsk, bang!

  • Christ

    Why make the answer so complicated, here is the simple version

    Scandisk /chkdsk log file in windows 7

    Every time after you scandisk or chkdsk in Windows boot up, it will store the log file to your windows.
    But where is it ?

    Just right click My Computer … Manage … System Tools … Event Viewer … Windows Logs … Application …

    Then sort by source and look for Wininit :)
