User runs Windows Memory Diagnostic (Standard mode). Event Log: Event ID 1202 with “detected hardware errors.”
```powershell
# Most recent Memory Diagnostic result from the System log
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='MemoryDiagnostics-Results'} | Select-Object TimeCreated, Message -First 1
```

To export all 1202 events to a CSV:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MemoryDiagnostics-Results" />
    <EventID Qualifiers="0">1202</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <TimeCreated SystemTime="2026-04-14T08:30:00.000Z" />
    <Computer>PC-WS01</Computer>
  </System>
  <EventData>
    <Data>MemoryDiagnostics-Results</Data>
    <Data>1</Data>
    <Binary>01000000</Binary>
  </EventData>
</Event>
```
Author: AI Research Team
Date: April 14, 2026
Subject: Windows System Log Analysis – Memory Diagnostic Events

1. Abstract

Windows Event ID 1202, generated by the source MemoryDiagnostics-Results, is a critical informational log entry that signifies the successful completion of the Windows Memory Diagnostic (WMD) tool. This paper examines the trigger conditions, event structure, result interpretation, and systematic troubleshooting steps associated with Event ID 1202. Understanding this event is essential for system administrators and forensic analysts to determine whether reported system instability (e.g., crashes, application faults) originates from physical RAM failure.

2. Introduction

When a Windows operating system experiences frequent blue screen errors (BSODs), application crashes, or file corruption, physical memory (RAM) is a primary suspect. The built-in Windows Memory Diagnostic tool performs a series of read/write tests on RAM. Upon completion, it logs a definitive result via Event ID 1202 in the System log. This event serves as the official diagnostic verdict, eliminating guesswork in hardware vs. software fault isolation.

3. Event Details

| Field | Value |
|-------|-------|
| Event ID | 1202 |
| Source | MemoryDiagnostics-Results |
| Log | System |
| Level | Information |
| Opcode | Info |
| Task Category | None |
| User | SYSTEM |
| Computer | (Target machine name) |

Typical Event Message: "The Windows Memory Diagnostic tested the computer's memory and detected no errors" or "The Windows Memory Diagnostic tested the computer's memory and detected hardware errors."

4. Result Interpretation

Event ID 1202 contains one of three possible outcomes:
```powershell
# Export every Event ID 1202 record in the System log to CSV
Get-WinEvent -FilterHashtable @{LogName='System'; ID=1202} | Export-Csv -Path C:\memdiag_results.csv
```

Symptom: Windows 11 workstation crashes to MEMORY_MANAGEMENT BSOD every 2–3 hours.
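
The two typical messages quoted in section 3 can be turned into a triage check over collected events. This is an added example, not code from the original paper: `Get-MemDiagVerdict` is a hypothetical helper name, the sample records are constructed, and it assumes input objects shaped like `Get-WinEvent` output (`TimeCreated`, `MachineName`, `Message`).

```powershell
# Added example: classify Event ID 1202 records by message text and
# report each computer whose latest result is not a clean pass.
# Get-MemDiagVerdict is a hypothetical helper, not a built-in cmdlet.
function Get-MemDiagVerdict {
    [CmdletBinding()]
    param(
        # Any object exposing TimeCreated, MachineName and Message,
        # such as the records returned by Get-WinEvent.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    process {
        # Cast to string so a missing Message falls through to 'Unrecognized'
        # instead of being silently counted as a pass.
        $verdict = switch -Regex ([string]$Record.Message) {
            'detected hardware errors' { 'HardwareErrors'; break }
            'detected no errors'       { 'NoErrors'; break }
            default                    { 'Unrecognized' }
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.MachineName
            Verdict     = $verdict
        }
    }
}

# Constructed sample records (PC-WS02 and PC-WS03 are made-up hosts).
$pass = "The Windows Memory Diagnostic tested the computer's memory and detected no errors"
$fail = "The Windows Memory Diagnostic tested the computer's memory and detected hardware errors."
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-10T07:00:00Z'; MachineName = 'PC-WS01'; Message = $pass }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-14T08:30:00Z'; MachineName = 'PC-WS01'; Message = $fail }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-12T09:15:00Z'; MachineName = 'PC-WS02'; Message = $pass }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-13T11:45:00Z'; MachineName = 'PC-WS03'; Message = '' }
)

# Keep only the newest verdict per computer, then list the ones needing follow-up.
$latest = $sample | Get-MemDiagVerdict | Group-Object Computer | ForEach-Object {
    $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
}
$latest | Where-Object Verdict -ne 'NoErrors' | Format-Table -AutoSize

# Live use, with the filter exactly as given on this page:
# Get-WinEvent -FilterHashtable @{LogName='System'; ID=1202} | Get-MemDiagVerdict
```

Treating an empty or unexpected message as `Unrecognized` rather than as a pass keeps a record whose text could not be read from being mistaken for healthy RAM.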