
Using Windows Event Viewer to Inspect Login and RPC Service Failure Events on Windows Server 2012 R2

This guide explains how to open Windows Event Viewer on Windows Server 2012 R2, filter security logs to examine recent login events and RPC service failures, and troubleshoot authentication issues by reviewing system processes and configuring services.

Practical DevOps Architecture

On Windows Server 2012 R2 you can open the Event Viewer via Start → Administrative Tools → Event Viewer to view built‑in system logs; the tutorial demonstrates checking login events for various accounts, including special system accounts and the familiar Administrator account.

Typically, after the server boots, the winlogon.exe process logs on as NT AUTHORITY\SYSTEM, presents the Ctrl+Alt+Del screen, hashes the entered password, and compares it with the hash stored in the SAM database; a match grants the user access and appropriate privileges.

All these steps are recorded in the "Security" log, which can be browsed in Event Viewer. Other system processes, such as services.exe, also log on with NT AUTHORITY\SYSTEM and spawn svchost.exe child processes that host essential Windows services.

The article then walks through two practical scenarios with screenshots:

1. Open Event Viewer, expand Windows Logs → Security, right‑click the Security log and choose Filter Current Log…. Use the filter dialog to select the last 24 hours and click OK.

2. After applying the filter, the result shows 73 security events recorded in the past 24 hours. You can sort by date, Event ID, or Task Category (e.g., "Logon" and "Special Logon") to trace which system processes used which built‑in accounts during startup.
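
The same 24-hour review can be scripted, which helps when the account-to-process mapping has to be compared across reboots or servers. The following is an added example, not part of the original article; it assumes that the "Logon" and "Special Logon" task categories are wanted as event IDs 4624 and 4672 (IDs the article does not name), so it returns a narrower set than the unfiltered 24-hour view.

```powershell
# Added example (not from the original article).
# Run from an elevated PowerShell session: reading the Security log requires
# administrator rights.
$since = (Get-Date).AddHours(-24)

# Assumption: the two task categories mentioned in the article map to these IDs.
#   4624 = "An account was successfully logged on"      (Task Category: Logon)
#   4672 = "Special privileges assigned to new logon"   (Task Category: Special Logon)
$filter = @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $since }

# Get-WinEvent raises an error when nothing matches; suppress it so that an
# empty result is reported as zero events instead.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The named fields (account, logon type, process) live in the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # 4624 names the account that logged on in Target*; 4672 only carries Subject*.
    if ($e.Id -eq 4624) {
        $user = $data['TargetUserName']; $domain = $data['TargetDomainName']
    } else {
        $user = $data['SubjectUserName']; $domain = $data['SubjectDomainName']
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Category    = $e.TaskDisplayName
        Account     = "$domain\$user"
        LogonType   = $data['LogonType']    # present on 4624 only
        Process     = $data['ProcessName']  # e.g. winlogon.exe or services.exe (4624 only)
    }
}

"{0} logon-related events since {1}" -f @($rows).Count, $since

# Which built-in account was used by which process, most frequent first.
$rows | Group-Object Account, Category, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Entries for NT AUTHORITY\SYSTEM whose process is services.exe or winlogon.exe are the startup logons described above; an interactive Administrator logon appears as a 4624 event with logon type 2.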

The guide then shifts to a second example: troubleshooting a failed Remote Procedure Call (RPC) service that prevents administrator login.

It clarifies a common misconception: the RPC listener on the loopback address (127.0.0.1) port 135 must remain open; closing it disables RPC and many dependent services. The real risk lies in non‑loopback listeners (e.g., 192.168.0.1:135) that expose the system to remote exploits.

If RPC fails, boot into Safe Mode, run services.msc, and set both "Remote Procedure Call (RPC)" and "RPC Endpoint Mapper" to start automatically. Then use msconfig to ensure the RPC Endpoint Mapper service is checked and reboot; the administrator login should then succeed.

Finally, the article shows screenshots of an Event Viewer entry indicating an RPC service start failure, illustrating how to locate and interpret the relevant error details.
