Where to find CHKDSK results in Vista, Windows 7

My recent hard disk failure made me realize that I had no idea where to find the CHKDSK logs that are created when Windows runs CHKDSK at boot. In my case, I had just installed a drive that had a bunch of NTFS corruptions caused by a different computer.

Below I walk through what I think is the easiest way to find the CHKDSK logs (and more), which are available in the Windows Event Log.

Short Answer

1. Start Windows PowerShell as Administrator

2. Type in the following at the prompt:
get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message

Note: if you want to limit the search to just the recent events, you can add starttime="11/25/2009" to the FilterHashTable parameter above.

Long Answer

Windows Event Log
Windows stores the results of CHKDSK, among other things, in the Windows Event Log. This is a good thing because the Event Log does a great job managing a lot of data. Given that so many different parts of the OS are involved in writing to the disk, it wouldn’t make sense to write the results in several different text files. You’d never be able to find out anything. The only downside to this is that you have to learn to use the Event Log, which isn’t that hard.

Windows PowerShell & the Event Log
The easiest way to read the Event Log is to use Windows PowerShell and the Get-WinEvent cmdlet. (Note: Windows PowerShell is built into Windows 7/Server 2008 R2.  You will have to install PowerShell V2 on Windows Vista to get this to work.)

PowerShell makes it easy to ask for exactly what you need. For example, in the “Short Answer” above I just ask for the specific CHKDSK event ID 1001 from the “Microsoft-Windows-Wininit” event provider:

get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message

But how did you know where to find that!?
Truthfully, I really didn’t. I had to dig. This is one of the reasons I use PowerShell. Sometimes I have to ask for everything and filter through to find what I want. In this case, I started with looking at absolutely everything that had happened since 7:00am today, which was the time of my last boot. I dumped this all to Out-GridView so I could see it easily.

get-winevent -FilterHashTable @{logname="*"; starttime="7:00am"} | select timecreated,providername,id,containerlog,message | out-gridview

(Note that ‘starttime’ can take all manner of date and time formats, e.g. 11/25/2009 would have worked as well. If you need to set an upper bound on the time, use ‘endtime’.)

Next, I used Out-GridView to filter the results looking for the keyword “CHKDSK” in the Message field. This showed me who logged the event (Microsoft-Windows-Wininit) and what ID the event has (1001). From there, I created the query that is in the “Short” answer above.

What about other related events?
I was wondering the same thing. Probably the most useful query here is to search for the keyword “Disk” in Out-GridView which will show you several events of interest. It was interesting to see that there are also several events from NTFS, for example, which have indicated that the volume was corrupt in the first place. Also, I apparently have a few bad blocks on some of my disks I’m gonna see about taking care of…
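The two steps above (pulling the Wininit 1001 events, and discovering which provider and ID logged a keyword) can be scripted without Out-GridView. This is an added example, not code from the original post: the function names Get-ChkdskResult and Find-EventSource are hypothetical, and it assumes the ProviderName key of -FilterHashtable in place of the Where-Object pass.

```powershell
# Added example; function names are hypothetical, not part of the original post.

function Get-ChkdskResult {
    # Boot-time CHKDSK output: event ID 1001 from Microsoft-Windows-Wininit.
    param([datetime]$Since)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'  # filtered by the log service itself
        Id           = 1001
    }
    if ($PSBoundParameters.ContainsKey('Since')) { $filter.StartTime = $Since }

    # "No events found" is reported as an error; treat it as an empty result,
    # but re-raise anything else (missing log, access denied) so it is not hidden.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue -ErrorVariable problems
    foreach ($p in $problems) {
        if ($p.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Error -ErrorRecord $p
        }
    }
    $events | Select-Object TimeCreated, Message
}

function Find-EventSource {
    # Scripted form of the Out-GridView keyword search: which provider/ID
    # pairs logged a message containing $Keyword since $Since?
    param(
        [Parameter(Mandatory=$true)][string]$Keyword,
        [Parameter(Mandatory=$true)][datetime]$Since,
        [string[]]$LogName = @('Application', 'System')
    )

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Keyword) } |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage (run from an elevated prompt):
#   Get-ChkdskResult -Since (Get-Date).AddDays(-7) | Format-List
#   Find-EventSource -Keyword 'chkdsk' -Since (Get-Date).Date
#   Find-EventSource -Keyword 'disk'   -Since (Get-Date).AddDays(-7)
```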

Alternatives
You can also see the same data in the Windows Event Viewer, but I find it much harder to find things in there unless you know exactly what you’re looking for. The Event Viewer can be found on Vista and Windows 7 by going to Start and then searching for “Event Viewer”.

26 thoughts on “Where to find CHKDSK results in Vista, Windows 7”

  1. This has turned into a Windows help blog!! Where did all the drinking and running go?! Are you being paid by MS?! Wait, you are… ^_^

    1. Sain, you've got a point. I wanted to post this one for a couple of reasons. One of them is that I helped in creating 'Get-WinEvent'. The other is that I get really annoyed when I can't find the answer to what I think are simple questions. I figure if I can't figure it out or find it on the web, someone ought to put it out there so it can be found with some creative Goog… I mean, Binging. :p

      1. Yeah, search engines have a ways to go before properly interpreting our questions. Explains how those text for answers services can still exist. :)
        Happy holidays!!

  2. This was a very helpful post for me, thank you!
    In the date part, if you use a different system of date (e.g.: DD/MM/YYYY) you have to put in the command line to show the correct date interval.

  3. I tried it and got an error message:
    "The term 'logname=application' is not recognized as the name of a cmdlet, function, script file, or operable program." I did put it in quotes as suggested.

    1. Ken,
      If you cut and pasted the command line into PowerShell, it's possible that there was a problematic line break inserted somewhere. Try typing out the full command without cutting and pasting and see if that works.
      Kevin

  4. EventViewer seemed easier. Yes, finding what you want can be tough. It helped knowing that I had to look for wininit and id 1001. I found that from last night's chkdsk run, went to the details tab, and could read my results. Thanks!

    1. I tend to agree, there are several things where the Event Viewer is easier to deal with – particularly if you're willing to use the advanced features like "Create Custom View…". However, I find myself writing short PowerShell scripts to do the same thing as creating custom scripts more often than not. It really comes down to if you like command lines or GUIs more. :)

  5. Pingback: Where to Find CHKDSK results | MCB Systems
    1. true – but looking through all the log entries can be a pain.
      And, the real point of this post was 'how to find what you're looking for' more than the chkdsk logs themselves. :)

  6. JFYI, if the chkdsk log is too long, it gets truncated.

    Bad luck two times in a row (the first time was when your disk crashed and made chkdsk to be very verbose).

  7. When you said your ntfs drive was corrupted by another computer, that rang a bell for me. My 8 mo. old external hard drive suddenly had a ton of problems right after I started switching it between my Vista computer and Win7 laptop. Is that a no no?

  8. Open Windows Explorer->Root Partition-> Folder "System Volume Information"->Right Click, Properties and add your User Account with read permissions->open "System Volume Information" and go to the subfolder "Chkdsk". There are all CHKDSK Logs.

    Sorry for my english

    1. My log file wasn't showing in event viewer, but it was right there. So much for log files being all on one master location.

  9. Why make the answer so complicated, here is the simple version

    Scandisk /chkdsk log file in windows 7

    Every time after you scandisk or chkdsk in Windows boot up, it will store the log file to your windows.
    But where is it ?

    Just right click My Computer … Manage … System Tools … Event Viewer … Windows Logs … Application …

    Then sort by source and look for Wininit :)

  10. I like the answer above posted by Käv
    January 8, 2012 at 8:16 am · Reply

    Open Windows Explorer->Root Partition-> Folder "System Volume Information"->Right Click, Properties and add your User Account with read permissions->open "System Volume Information" and go to the subfolder "Chkdsk". There are all CHKDSK Logs.

    Sorry for my english

    =======================
    I don't know why the event viewer can't show all of the log file. Where does that setting get changed? My last chkdsk /r log file found in the System Volume Information\Chkdsk directory was 56K and only the first 16k was logged in the event viewer. Not a very good thing to truncate it. Why oh why Microsoft!!!!

  11. Hi Kevin!!

    What to do when no "wininit" key is found and the powershell example above fails??

    Here are the results from the powershell:
    PS C:\Users\jay> get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message |
    out-file Desktop\CHKDSKResults.txt
    Get-WinEvent : The system cannot find the path specified
    At line:1 char:13
    + get-winevent <<<< -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message | out-file
    Desktop\CHKDSKResults.txt
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogNotFoundException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogNotFoundException,Microsoft.PowerShell.Commands.GetWinEventCommand

    TIA,
    Jay
