Free Download

Sherlock Universal Events Viewer

Stop reading event IDs. Start reading sentences.

Forensic-grade triage on Windows event logs in plain English. Click "Have I Been Hacked?" and get a five-phase incident summary. Click "USB Devices Connected" and see every drive that ever touched the box across three different Windows channels.

Free to view, filter and triage. Forensic Edition unlocks export and branded PDF reports.

Sherlock Universal Events Viewer is a forensic event-log triage tool that turns raw Windows event logs into plain-English narratives. One-click buttons answer the questions that actually matter. Did anyone log in? Was the audit log cleared? Did Defender get disabled? Free to use; Forensic Edition unlocks export and branded PDF reports.

Free Forever

What You Get for Free

  • Load any .evtx file from disk or auto-discover every event log on the current system
  • 16 one-click triage buttons across 6 categories (logon activity, account changes, Defender events, USB, scheduled tasks, persistence)
  • Plain-English narrative for every event (Flesch 60 to 65 reading level)
  • Raw event JSON always visible. Never narrative-only
  • "Have I Been Hacked?" five-phase incident triage
  • "Ransomware Pre-Flight Check"
  • IOC scanner with surrounding-events blast-radius tab
  • PowerShell base64 auto-decoder
  • Scheduled task XML extractor
  • Ghost RDP detector (sessions with no matching logon)
  • Time-tampering detector (clock changes outside normal NTP drift)
  • Defender state classifier (tiers config changes High/Medium/Low by registry path)
  • Cross-channel USB correlation (Security 6416 + Partition/Diagnostic + WPD-MTP)
  • Service-install with suspicious image-path detection
  • Right-click hide with pattern grouping (collapses repetitive noise)
  • Keyboard navigation through 400k+ events
  • "All Other Events" browse for the long tail

Forensic Edition

Export and Report ($97)

  • Export starred events to CSV (spreadsheet-ready)
  • Export to JSON (SIEM / case-management ingestion)
  • Export to Markdown (converts cleanly to anything)
  • Export to branded PDF report with cover page, executive summary, per-event narrative + metadata grid + raw blob
  • Reveal-in-Explorer jump to exported file
  • Suite license unlocks every Sherlock Pro tool
Every export includes the narrative and the raw event blob. Together. Always. That is the forensic invariant. Explanation and evidence travel as a pair so the chain of custody from raw log to finished report is unbroken.

Compare

Windows Event Viewer vs Sherlock

| Capability | Windows Event Viewer | Sherlock Universal Events Viewer |
|---|---|---|
| Plain-English explanations | No | Yes, every event |
| One-click triage buttons | No | 16 buttons, 6 categories |
| Cross-channel USB correlation | No | Security + Partition + WPD-MTP |
| Auto-decode base64 PowerShell | No | Yes, inline |
| Filters noise from logon events | No | Pattern grouping + hide |
| Defender severity classification | No | High/Medium/Low by registry path |
| Branded PDF report | No | Forensic Edition |
| CSV/JSON/Markdown export | No | Forensic Edition |
| Linux/macOS support | No | Sprint 2+ |
| Cost | Included with Windows | Free (Forensic Edition $97) |

Pricing

One-Time Payment. Yours Forever.

Forensic Edition

$97 USD
One-time payment. No subscription. Suite license unlocks every Sherlock Pro tool.
  • All free features included
  • Export starred events to CSV
  • Export to JSON for SIEM ingestion
  • Export to Markdown
  • Branded PDF report with cover page and executive summary
  • Reveal-in-Explorer jump to exported file
  • Suite license for all Sherlock Pro tools
  • 30-day money-back guarantee

5+ machines? Contact us for volume pricing.

Who It's For

Built for Every Skill Level

For IR Responders

The first 30 minutes of an incident matter more than the next 30 hours. Stop scrolling through 400,000 lines. Click Have-I-Been-Hacked, get the five-phase summary, then drill in.

For Sysadmins

You do not do forensics every day. When something weird happens, you should not need to. One click. "Your audit log was cleared at 3:47am" beats reading XML.

For Consultants

Branded PDF reports with your client's name on the cover. Narrative on the left, raw evidence on the right, every event. Defensible in court, parseable by Excel, ready to email.

For Curious Users

Worried your laptop got popped? Run Have-I-Been-Hacked. Free. No signup. Tells you in English.

Guide

How to Analyze Windows Event Logs

  1. Download Sherlock Universal Events Viewer: Download the free viewer from this page. No installation barriers. Launch and go.
  2. Load Your Event Logs: Open any .evtx file from disk or click Auto-Discover to load every event log on the current system automatically.
  3. Run One-Click Triage: Click "Have I Been Hacked?" for a five-phase incident summary. Use any of the 16 triage buttons across logon activity, USB devices, Defender events, scheduled tasks and persistence.
  4. Read Plain-English Narratives: Every event is translated into a readable sentence alongside the raw JSON. No more memorizing Event IDs.
  5. Export Your Findings: Forensic Edition users export starred events to CSV, JSON, Markdown or branded PDF reports with narrative and raw evidence paired on every page.

Questions

Events Viewer FAQ

What is the Sherlock Universal Events Viewer?
Sherlock Universal Events Viewer is a free Windows desktop tool that reads .evtx event log files and translates every event into a plain-English narrative. It provides 16 one-click triage buttons across logon activity, USB devices, Defender state, scheduled tasks and persistence mechanisms. The Forensic Edition at $97 USD adds export to PDF, CSV, JSON and Markdown.
How do I check if my Windows computer has been hacked?
Open Sherlock Universal Events Viewer and click the "Have I Been Hacked?" button. The tool runs a five-phase incident triage across your Windows event logs and presents a plain-English summary of logon anomalies, audit log clearing, Defender disablement, suspicious services and persistence mechanisms. Free to use, no signup required.
What does Event ID 4624 mean?
Event ID 4624 is a Windows Security log entry that records a successful logon. It includes the logon type (interactive, network, remote desktop, service), the account name and the source IP address. Sherlock Universal Events Viewer translates 4624 events into plain-English sentences so you do not need to memorize the raw fields.
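To make the 4624 fields concrete, here is an added example (not Sherlock's code, and not taken from this page) that reads a 4624 record in Windows' XML rendering and returns a sentence paired with the raw record. The sample events, host name and addresses are constructed; the field names `TargetUserName`, `TargetDomainName`, `LogonType` and `IpAddress` are the ones Windows writes in the event data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type codes Windows records in the LogonType field of a 4624 event.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 8: "network cleartext", 9: "new credentials",
               10: "remote desktop", 11: "cached interactive"}

# Constructed sample record template (values are invented, not from a real host).
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID>
    <TimeCreated SystemTime="{ts}"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">{ltype}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


def narrate_4624(raw_xml):
    """Return {'narrative', 'raw'} for a 4624 event, or None for other event IDs."""
    root = ET.fromstring(raw_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    host = root.findtext("e:System/e:Computer", namespaces=NS)
    code = data.get("LogonType", "")
    kind = LOGON_TYPES.get(int(code), f"unrecognised type {code}") if code.isdigit() else "unknown type"
    ip = data.get("IpAddress", "").strip()
    # Windows writes "-" (or leaves the field empty) when no source address applies.
    source = f"from {ip}" if ip not in ("", "-") else "with no source address recorded"
    account = f"{data.get('TargetDomainName', '?')}\\{data.get('TargetUserName', '?')}"
    narrative = f"{when}: {account} logged on to {host} ({kind} logon) {source}."
    # Keep the raw record next to the sentence so the claim can be checked.
    return {"narrative": narrative, "raw": raw_xml}


if __name__ == "__main__":
    for fields in [dict(eid=4624, ts="2024-05-01T03:47:12Z", user="alice", ltype=10, ip="203.0.113.7"),
                   dict(eid=4624, ts="2024-05-01T08:02:40Z", user="bob", ltype=2, ip="-"),
                   dict(eid=4634, ts="2024-05-01T08:30:00Z", user="bob", ltype=2, ip="-")]:
        result = narrate_4624(TEMPLATE.format(**fields))
        print(result["narrative"] if result else "(not a 4624 event)")
```
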
Can I export Windows event logs to PDF?
Yes. The Forensic Edition ($97 USD) exports starred events to branded PDF reports with a cover page, executive summary, per-event narrative alongside the raw event metadata grid and full event blob. Each export includes both the plain-English explanation and the raw evidence.
What is forensic event log analysis?
Forensic event log analysis is the systematic examination of Windows event logs (.evtx files) to reconstruct what happened on a computer. Examiners look for logon patterns, privilege escalation, service installations, scheduled task creation, Defender configuration changes and audit log clearing. Sherlock Universal Events Viewer automates this process with one-click triage and plain-English narratives.
Is the $97 price a subscription?
No. The $97 USD Forensic Edition is a one-time payment. No subscriptions, no recurring charges. The suite license also unlocks every other Sherlock Pro tool.
Do you offer volume licensing?
Yes. For 5 or more machines, contact Sherlock Forensics at 604.229.1994 or info@sherlockforensics.com for volume pricing.

Get Started

Download Sherlock Universal Events Viewer

Free for viewing, filtering and triage. Forensic Edition at $97 USD for export and branded PDF reports. Built by CISSP, ISSAP and ISSMP certified examiners with 20 years of courtroom experience. See our full forensic tool suite and expert witness services.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

Sherlock Universal Events Viewer is provided for lawful use. Terms of Service
