ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer and Task Manager displaying application hang monitoring on a system administrator's workstation
Event ID 23WarningApplication ErrorWindows

Windows Event ID 23 – Application Error: Application Hang Detection

Event ID 23 indicates Windows has detected an application hang condition where a program becomes unresponsive and fails to process messages within the timeout threshold.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 23Application Error 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 23 represents a critical component of the operating system's application health monitoring infrastructure. When an application enters a hung state, it means the program's main thread has become blocked and cannot process Windows messages, user input, or system requests within the expected timeframe.

The hang detection mechanism works by monitoring message queues and thread responsiveness. When Windows sends a message to an application window and doesn't receive a response within the timeout period, it marks the application as hung and generates Event ID 23. This process involves the Windows Message Manager and the Desktop Window Manager working together to track application responsiveness.

The event provides forensic data that helps administrators understand not just which application hung, but also the circumstances surrounding the hang. This includes timing information, process details, and sometimes stack trace data that can be correlated with crash dumps or performance counters. In Windows 11 and Server 2025, Microsoft has enhanced the hang detection algorithms to reduce false positives while maintaining sensitivity to genuine application issues.

Understanding this event is crucial for maintaining system stability, especially in server environments where hung applications can impact service availability and user experience. The event serves as an early warning system, allowing proactive intervention before complete application failure occurs.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Deadlock conditions where multiple threads are waiting for each other to release resources
  • Infinite loops in application code that prevent message processing
  • Resource exhaustion including memory leaks or handle depletion
  • Blocking I/O operations that tie up the main application thread
  • Third-party component failures or driver compatibility issues
  • Network timeouts when applications wait indefinitely for remote resources
  • Database connection issues causing applications to hang during query execution
  • Antivirus software interference with application file access or memory operations
  • System resource contention during high CPU or memory usage periods
  • COM object initialization failures or inter-process communication timeouts
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific details of Event ID 23 to identify the problematic application and gather initial diagnostic information.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsApplication
  3. Filter for Event ID 23 by right-clicking the Application log and selecting Filter Current Log
  4. Enter 23 in the Event IDs field and click OK
  5. Double-click on recent Event ID 23 entries to view detailed information
  6. Record the application name, process ID, and hang duration from the event description
  7. Note the timestamp to correlate with other system events or user reports
Pro tip: Look for patterns in the timing of these events - recurring hangs at specific times may indicate scheduled tasks or batch processes causing resource contention.
02

Use PowerShell to Query and Analyze Hang Events

PowerShell provides powerful filtering and analysis capabilities for Event ID 23 occurrences across multiple time periods.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 23 occurrences with detailed information:
    Get-WinEvent -FilterHashtable @{LogName='Application'; Id=23} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
  3. Analyze patterns by grouping events by application:
    Get-WinEvent -FilterHashtable @{LogName='Application'; Id=23} -MaxEvents 100 | ForEach-Object { if ($_.Message -match 'Program: (.+?)\s') { $matches[1] } } | Group-Object | Sort-Object Count -Descending
  4. Export detailed event data for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Application'; Id=23; StartTime=(Get-Date).AddDays(-7)} | Export-Csv -Path "C:\Temp\HangEvents.csv" -NoTypeInformation
  5. Check for correlation with system performance:
    Get-Counter "\Process(*)\% Processor Time" -SampleInterval 5 -MaxSamples 12
Warning: Large numbers of Event ID 23 occurrences may indicate systemic issues requiring immediate attention to prevent system instability.
03

Monitor Application Performance and Resource Usage

Use built-in Windows tools to monitor the problematic application's resource consumption and identify the root cause of hangs.

  1. Open Task Manager (Ctrl + Shift + Esc) and navigate to the Details tab
  2. Locate the application mentioned in Event ID 23 and monitor its CPU, Memory, and Handle count
  3. Launch Resource Monitor by clicking Open Resource Monitor in Task Manager
  4. In Resource Monitor, switch to the CPU tab and monitor the application's thread activity
  5. Check the Memory tab for memory leaks or excessive private bytes usage
  6. Use Performance Monitor to create a custom data collector set:
    logman create counter "AppHangMonitor" -f csv -o "C:\Temp\AppPerf.csv" -c "\Process(YourApp)\*" -si 10
  7. Start the data collection:
    logman start "AppHangMonitor"
  8. Allow monitoring during typical application usage, then stop collection:
    logman stop "AppHangMonitor"
Pro tip: Enable Application Verifier for problematic applications to catch heap corruption and handle leaks that commonly cause hangs.
04

Configure Advanced Hang Detection and Debugging

Implement advanced debugging techniques to capture detailed information about application hangs for root cause analysis.

  1. Configure Windows Error Reporting to capture hang dumps by modifying the registry:
    New-ItemProperty -Path "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpType" -Value 2 -PropertyType DWord -Force
  2. Set the dump folder location:
    New-ItemProperty -Path "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpFolder" -Value "C:\CrashDumps" -PropertyType String -Force
  3. Create the dump directory:
    New-Item -Path "C:\CrashDumps" -ItemType Directory -Force
  4. Enable hang reporting for specific applications:
    New-Item -Path "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\YourApp.exe" -Force
  5. Install Windows SDK and use Application Verifier:
    appverif.exe -enable Heaps Handles Locks -for YourApp.exe
  6. Configure ProcDump to capture hangs automatically:
    procdump.exe -h YourApp.exe C:\CrashDumps\
  7. Monitor hang detection sensitivity in the registry:HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Warning: Dump files can be large and contain sensitive information. Ensure adequate disk space and proper security measures are in place.
05

Implement Preventive Measures and System Optimization

Deploy comprehensive strategies to prevent application hangs and improve overall system stability.

  1. Update all applications to their latest versions and install pending Windows updates:
    Get-WindowsUpdate -Install -AcceptAll -AutoReboot
  2. Configure application compatibility settings for problematic programs:
    Set-ProcessMitigation -Name "YourApp.exe" -Enable DEP,SEHOP,ForceRelocateImages
  3. Optimize system virtual memory settings:
    $cs = Get-WmiObject -Class Win32_ComputerSystem; $cs.AutomaticManagedPagefile = $false; $cs.Put()
  4. Implement application restart policies using Task Scheduler or service recovery options
  5. Configure system file checker to run regularly:
    sfc /scannow
  6. Set up automated monitoring with PowerShell scripts:
    Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Application' AND EventCode=23" -Action { Write-Host "Application hang detected at $(Get-Date)" }
  7. Implement application pool recycling for web applications and configure service restart policies
  8. Review and optimize antivirus exclusions for frequently hanging applications
Pro tip: Consider implementing application containerization or virtualization for problematic legacy applications to isolate their impact on system stability.

Overview

Event ID 23 fires when Windows detects that an application has stopped responding to system messages for an extended period. This hang detection mechanism is part of Windows' application responsiveness monitoring system, designed to identify when programs become unresponsive due to deadlocks, infinite loops, or resource contention issues.

The event typically appears in the Application log and provides crucial diagnostic information including the hung application's process name, process ID, and the duration of the hang condition. Windows generates this event after the application fails to respond to window messages for approximately 5 seconds by default, though this threshold can vary based on system configuration and application type.

This event is particularly valuable for system administrators monitoring application stability in enterprise environments, as it provides early warning of potential application issues before users report problems. The event data includes the executable name, process identifier, and hang duration, making it easier to correlate with performance monitoring tools and identify patterns in application behavior.

Frequently Asked Questions

What exactly does Windows Event ID 23 indicate and how serious is it?+
Event ID 23 indicates that Windows has detected an application hang condition where a program has become unresponsive for an extended period, typically 5 seconds or more. While not immediately critical, it's a warning sign that an application is experiencing issues that could lead to complete failure. The severity depends on the frequency and the affected application - occasional hangs might be acceptable for non-critical applications, but frequent hangs or hangs in essential business applications require immediate investigation. The event serves as an early warning system, allowing administrators to address issues before they impact users or system stability.
How can I determine which specific application is causing Event ID 23 to appear?+
The Event ID 23 entry contains detailed information about the hung application in its message field. You can identify the specific application by examining the event details in Event Viewer, which will show the program name, executable path, and process ID. Use PowerShell to extract this information systematically: Get-WinEvent -FilterHashtable @{LogName='Application'; Id=23} | Select-Object Message will display the full event messages. The message typically includes the program name and file path. You can also correlate the process ID mentioned in the event with running processes in Task Manager to identify the current state of the application.
Can Event ID 23 be caused by system-wide issues rather than application-specific problems?+
Yes, Event ID 23 can be triggered by system-wide issues that affect application responsiveness. Common system-level causes include high CPU utilization, memory pressure, disk I/O bottlenecks, network connectivity problems, or driver conflicts. Antivirus software performing deep scans, Windows updates installing in the background, or hardware issues like failing hard drives can also cause multiple applications to hang simultaneously. If you see Event ID 23 affecting multiple different applications around the same time, investigate system-wide performance metrics, check for hardware issues, and review recent system changes or updates that might be impacting overall system performance.
What's the difference between Event ID 23 and application crash events, and which is more concerning?+
Event ID 23 indicates an application hang (unresponsive but still running), while application crash events (like Event ID 1000) indicate complete application termination due to errors. Hangs are often precursors to crashes - an application that hangs frequently may eventually crash completely. From a troubleshooting perspective, hangs can be more challenging because the application is still running but not functioning, making it harder to identify the exact cause. Crashes provide more definitive error information and stack traces. Both are concerning, but persistent hangs might indicate deeper issues like deadlocks or resource leaks that could affect system stability over time, while crashes are more immediately disruptive but often easier to diagnose and resolve.
How can I prevent Event ID 23 from occurring frequently on my systems?+
Preventing Event ID 23 requires a multi-layered approach focusing on application health, system optimization, and proactive monitoring. Keep all applications and Windows updated to the latest versions, as updates often include hang detection and stability improvements. Implement proper resource management by monitoring memory usage, ensuring adequate virtual memory, and preventing resource exhaustion. Configure applications with appropriate timeout settings and implement restart policies for critical services. Use Application Verifier and debugging tools during development or testing phases to identify potential hang conditions. Optimize system performance by managing startup programs, scheduling resource-intensive tasks during off-peak hours, and ensuring adequate hardware resources. Finally, implement monitoring solutions that can detect and automatically restart hung applications before they impact users.
Documentation

References (2)

1
Microsoft Learn - Windows Event LoggingComprehensive documentation on Windows event logging architecture and event typeshttps://learn.microsoft.com/en-us/windows/win32/eventlog/event-logging
2
Windows Error Reporting DocumentationOfficial guide to configuring Windows Error Reporting for application hang detection and debugginghttps://learn.microsoft.com/en-us/windows/win32/wer/windows-error-reporting
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-23#application-hangs#windows-troubleshooting

Related Windows Events

Windows Event Viewer displaying critical application error logs on a system administrator's monitoring setup
Event 16394
Application Error
Windows EventError

Windows Event ID 16394 – Application Error: Critical Application Crash with Memory Access Violation

Event ID 16394 indicates a critical application crash caused by memory access violations or corrupted application data, requiring immediate investigation to prevent system instability.

March 1812 min
Windows Event Viewer displaying Event ID 1026 application crash logs on a system administrator's monitoring setup
Event 1026
Application Error
Windows EventError

Windows Event ID 1026 – Application Error: Application Crash or Hang Detection

Event ID 1026 indicates an application has crashed, hung, or encountered a critical error. This event helps administrators track application stability and identify problematic software components.

March 1812 min
Windows Event Viewer displaying application crash logs and system diagnostics on multiple monitors
Event 1004
Application Error
Windows EventError

Windows Event ID 1004 – Application Error: Application Crash or Hang Detection

Event ID 1004 indicates an application has crashed, hung, or encountered a critical error. This event helps administrators track application stability and identify problematic software across Windows systems.

March 189 min
Windows Event Viewer displaying Event ID 1003 application crash details on a system administrator's monitoring setup
Event 1003
Application Error
Windows EventError

Windows Event ID 1003 – Application Error: Application Crash or Hang Detection

Event ID 1003 indicates an application crash or hang detected by Windows Error Reporting. This critical event logs when applications terminate unexpectedly or become unresponsive, requiring immediate investigation.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...