WEVTUTIL – Windows CMD Command
Notice: A non well formed numeric value encountered in /home/future4tech/public_html/wp-content/plugins/crayon-syntax-highlighter/crayon_formatter.class.php on line 118
Notice: A non well formed numeric value encountered in /home/future4tech/public_html/wp-content/plugins/crayon-syntax-highlighter/crayon_formatter.class.php on line 119
Retrieve information about event logs and publishers. Archive logs in a self-contained format, Enumerate the available logs, Install and uninstall event manifests, run queries, Exports events (from an event log, from a log file, or using a structured query) to a specified file, Clear event logs.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
Syntax WEVTUTIL {al | archive-log} Logpath [/l:Locale] # Archive an exported log. WEVTUTIL {cl | clear-log} Logname [/bu:Backup] # Clear a log and optionally backup. WEVTUTIL {el | enum-logs}] # List Log_Names and configuration, including max. size, enabled Y/N, and pathname where the log is stored. WEVTUTIL {epl | export-log} LogFile Exportfile # Export Event log, optionally a logfile path + structured query. [/lf | Logfile :[true|false]] [/{q | query}:VALUE] # provide a Log name or log_file_path (if /lf = true) [/{sq | structuredquery}:[true|false]] [/ow | Overwrite :[true|false] ] WEVTUTIL {ep | enum-publishers} # List event publishers. WEVTUTIL {gl | get-log} Logname # Display the log configuration and optionally output [/{f | format}:[XML|Text]] # the config details in XML, plain text is the default. WEVTUTIL {gli | get-loginfo} LogName [/lf | Logfile:[true|false]] # Get log status # provide a Log name or log_file_path (if /lf = true) WEVTUTIL {gp | get-publisher} PublisherName # Get publisher configuration, and optionally Event Metadata. [/{ge | getevents}:[true|false]] [/gm:Message] # Obtain the publisher names with Wevtutil ep [/{f | format}:[ XML | Text ]] # gm=get message, f=log file format. WEVTUTIL {qe | query-events} Path [/lf | Logfile:[true|false]] # Query events from a log or log file. [/sq:Structquery] [/q:XPathQuery] [/bm:Bookmark] # provide a Log name or log_file_path (if /lf = true) [/sbm:SaveBookmark] [/rd | reversedirection}:[true|false]] [{f | format}:[ XML | Text | RenderedXml ]] [/{l | locale}:VALUE] # Reverse returns most recent events first. [{c | count}:N] [/{e | element}:VALUE] # Maximum number of events to read. / XML Root Element. WEVTUTIL [{sl | set-log} LogName [/{e | enabled}:[true|false]] # Modify the configuration of a log. [/{q | quiet}:[true|false]] [/{fm | filemax}:N] # Quiet / Max. enablements. [/{i | isolation}:[system|application|custom]] # Log isolation mode. [/{lfn | logfilename}:VALUE] [/{rt | retention}:[true|false]] # Log file / Log retention. [/{ab | autobackup}:[true|false]] [/{ms | maxsize}:Size] # Log autobackup policy /Max log size. [/{l | level}:Level] [/{k | keywords}:VALUE] # Level filter of log / Keywords filter. [/{ca | channelaccess}:VALUE] [/{c | config}:VALUE] # Access permission (SDDL)/Path to the config file # If /config is specified, do not also specify the LOG_NAME. WEVTUTIL {im | install-manifest } MANIFEST # Install event publishers and logs from MANIFEST. [ /{rf | resourceFilePath}:VALUE ] [/{mf | messageFilePath}:VALUE] # Resource/MessageFileName of the Provider [ /{pf | parameterFilePath}:VALUE] # ParameterFileName of the Provider Element to be replaced. WEVTUTIL {um | uninstall-manifest} MANIFEST] # Uninstall event publishers and logs from MANIFEST. Common options: /{r | remote}:VALUE If specified, run the command on a remote computer. VALUE is the remote computer name. Options /im and /um do not support remote operations. /{u | username}:VALUE Specify a different user to log on to the remote computer. VALUE is a user name in the form domain\user or user. Only applicable when option /r is specified. /{p | password}:VALUE Password for the specified user. If not specified, or if VALUE is "*", the user will be prompted to enter a password. Only applicable when the /u option is specified. /{a | authentication}:[Default|Negotiate|Kerberos|NTLM] Authentication type for connecting to remote computer. The default is Negotiate. /{uni | unicode}:[true|false] Display output in Unicode. If true, then output is in Unicode. |
The primary focus of WEVTUTIL is the configuration and setup of event logs.
Some applications can completely fill their respective event log with errors (Office 2016 I’m looking at you) being able to enumerate the log size and location is a useful tool for tracking down such problems.
Most options for WEVTUTIL are not case sensitive, but the built-in help is and must be requested in UPPER case.
To retrieve event log data the PowerShell cmdlet Get-WinEvent is easier to use and more flexible.
WEVTUTIL was first made available in Windows Vista.
Examples
Clear all the events from the Application log:C:\> WEVTUtil.exe clear-log Application
Batch file to parse every Event log installed on the computer and clear them all:
@echo off)
for /f "tokens=*" %%G in ('wevtutil.exe el') do (wevtutil.exe cl "%%G"
Export events from the System log to C:\backup\ss64.evtxC:\> WEVTUtil export-log System C:\backup\ss64.evtx
List the event publishers on the current computer.C:\> WEVTUtil enum-publishers
Uninstall publishers and logs from the SS64.man manifest file:C:\> WEVTUtil uninstall-manifest SS64.man
Display the 50 most recent events from the Application log in text format:wevtutil qe Application /c:50 /rd:true /f:text
Find the last 20 startup events in the System log:
C:\> WEVTUtil query-events System /count:20 /rd:true /format:text /q:"Event[System[(EventID=12)]]"
From an elevated command prompt, dump a list of all the 360 or so possible Security Event messages (publisher=Microsoft-Windows-Security-Auditing); other publishers can be enumerated with the enum-publishers switch.
C:\> WEVTUtil get-publisher Microsoft-Windows-Security-Auditing /ge /gm:true
