WEVTUTIL – Windows CMD Command

Notice: A non well formed numeric value encountered in /home/future4tech/public_html/wp-content/plugins/crayon-syntax-highlighter/crayon_formatter.class.php on line 118

Notice: A non well formed numeric value encountered in /home/future4tech/public_html/wp-content/plugins/crayon-syntax-highlighter/crayon_formatter.class.php on line 119

Retrieve information about event logs and publishers. Archive logs in a self-contained format, Enumerate the available logs, Install and uninstall event manifests, run queries, Exports events (from an event log, from a log file, or using a structured query) to a specified file, Clear event logs.

The primary focus of WEVTUTIL is the configuration and setup of event logs.

Some applications can completely fill their respective event log with errors (Office 2016 I’m looking at you) being able to enumerate the log size and location is a useful tool for tracking down such problems.

Most options for WEVTUTIL are not case sensitive, but the built-in help is and must be requested in UPPER case.
To retrieve event log data the PowerShell cmdlet Get-WinEvent is easier to use and more flexible.

WEVTUTIL was first made available in Windows Vista.


Clear all the events from the Application log:
C:\> WEVTUtil.exe clear-log Application

Batch file to parse every Event log installed on the computer and clear them all:

@echo off
for /f "tokens=*" %%G in ('wevtutil.exe el') do (wevtutil.exe cl "%%G"

Export events from the System log to C:\backup\ss64.evtx
C:\> WEVTUtil export-log System C:\backup\ss64.evtx

List the event publishers on the current computer.
C:\> WEVTUtil enum-publishers

Uninstall publishers and logs from the SS64.man manifest file:
C:\> WEVTUtil uninstall-manifest SS64.man

Display the 50 most recent events from the Application log in text format:
wevtutil qe Application /c:50 /rd:true /f:text

Find the last 20 startup events in the System log:

C:\> WEVTUtil query-events System /count:20 /rd:true /format:text /q:"Event[System[(EventID=12)]]"

From an elevated command prompt, dump a list of all the 360 or so possible Security Event messages (publisher=Microsoft-Windows-Security-Auditing); other publishers can be enumerated with the enum-publishers switch.

C:\> WEVTUtil get-publisher Microsoft-Windows-Security-Auditing /ge /gm:true

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *