WEVTUTIL

Retrieve information about event logs and publishers. Archive logs in a self-contained format, Enumerate the available logs, Install and uninstall event manifests, run queries, Exports events (from an event log, from a log file, or using a structured query) to a specified file, Clear event logs.

Syntax
      WEVTUTIL {al | archive-log} Logpath [/l:Locale]     # Archive an exported log.

      WEVTUTIL {cl | clear-log} Logname  [/bu:Backup]     # Clear a log and optionally backup.

      WEVTUTIL {el | enum-logs}]           # List Log_Names and configuration, including max. size, enabled Y/N, and
                                             pathname where the log is stored.

      WEVTUTIL {epl | export-log} LogFile Exportfile      # Export Event log, optionally a logfile path + structured query.
         [/lf | Logfile :[true|false]] [/{q | query}:VALUE]  # provide a Log name or log_file_path (if /lf = true)
            [/{sq | structuredquery}:[true|false]]  [/ow | Overwrite :[true|false] ]
                                           
      WEVTUTIL {ep | enum-publishers}       # List event publishers.

      WEVTUTIL {gl | get-log} Logname       # Display the log configuration and optionally output
         [/{f | format}:[XML|Text]]         # the config details in XML, plain text is the default.

      WEVTUTIL {gli | get-loginfo} LogName [/lf | Logfile:[true|false]]    # Get log status
                                            # provide a Log name or log_file_path (if /lf = true)
 
      WEVTUTIL {gp | get-publisher} PublisherName        # Get publisher configuration, and optionally Event Metadata.
         [/{ge | getevents}:[true|false]] [/gm:Message]  # Obtain the publisher names with Wevtutil ep
            [/{f | format}:[ XML | Text ]]               # gm=get message, f=log file format. 

      WEVTUTIL {qe | query-events} Path [/lf | Logfile:[true|false]]  # Query events from a log or log file.
         [/sq:Structquery] [/q:XPathQuery] [/bm:Bookmark]             # provide a Log name or log_file_path (if /lf = true)
            [/sbm:SaveBookmark] [/rd }:[true|false]]        # Reverse direction so most recent events first.
               [{f | format}:[ XML | Text | RenderedXml ]]  # Output format.
                  [/{l | locale}:VALUE]                     # A Locale short string.
                     [{c | count}:N]                        # Maximum no. of events to read (1=most recent only).
                        [/{e | element}:VALUE]              # Select an XML Root Element.

      WEVTUTIL [{sl | set-log} LogName [/{e | enabled}:[true|false]]     # Modify the configuration of a log.
         [/{q | quiet}:[true|false]] [/{fm | filemax}:N]                 # Quiet / Max. enablements.
            [/{i | isolation}:[system|application|custom]]               # Log isolation mode.
               [/{lfn | logfilename}:VALUE] [/{rt | retention}:[true|false]]   # Log file / Log retention.
                  [/{ab | autobackup}:[true|false]] [/{ms | maxsize}:Size]  # Log autobackup policy /Max log size.
                     [/{l | level}:Level] [/{k | keywords}:VALUE]        # Level filter of log / Keywords filter.
                        [/{ca | channelaccess}:VALUE] [/{c | config}:VALUE] # Access permission (SDDL)/Path to the config file
                                                      # If /config is specified, do not also specify the LOG_NAME.

      WEVTUTIL {im | install-manifest } MANIFEST        # Install event publishers and logs from MANIFEST.
         [ /{rf | resourceFilePath}:VALUE ] [/{mf | messageFilePath}:VALUE]  # Resource/MessageFileName of the Provider
            [ /{pf | parameterFilePath}:VALUE]          # ParameterFileName of the Provider Element to be replaced.

      WEVTUTIL {um | uninstall-manifest} MANIFEST]      # Uninstall event publishers and logs from MANIFEST.

Common options:

   /{r | remote}:VALUE
              If specified, run the command on a remote computer. VALUE is the remote computer
              name. Options /im and /um do not support remote operations.

   /{u | username}:VALUE
              Specify a different user to log on to the remote computer. VALUE is a user name
              in the form domain\user or user. Only applicable when option /r is specified.
   /{p | password}:VALUE
              Password for the specified user. If not specified, or if VALUE is "*", the user
              will be prompted to enter a password. Only applicable when the /u option is specified.

   /{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
              Authentication type for connecting to remote computer. The default is Negotiate.

   /{uni | unicode}:[true|false]
              Display output in Unicode. If true, then output is in Unicode.

The primary focus of WEVTUTIL is the configuration and setup of event logs.

Some applications can completely fill their respective event log with errors (Office 2016 I'm looking at you) being able to enumerate the log size and location is a useful tool for tracking down such problems.

Most options for WEVTUTIL are not case sensitive, but the built-in help is and must be requested in UPPER case.
To retrieve event log data the PowerShell cmdlet Get-WinEvent is easier to use and more flexible.

WEVTUTIL was first made available in Windows Vista.

Examples

Clear all the events from the Application log:

C:\> WEVTUtil.exe clear-log Application

List the most recent shutdown event (Event ID 1074) from the System event log:

C:\> WEVTUtil query-events system "/q:*[System [(EventID=1074)]]" /rd:true /c:1 /format:text

Enable History for all tasks, (to disable again, set to false):

wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true

View the current Log History status:

wevtutil get-log Microsoft-Windows-TaskScheduler/Operational

Batch file to parse every Event log installed on the computer and clear them all:

@Echo off
for /f "tokens=*" %%G in ('wevtutil.exe el') do (wevtutil.exe cl "%%G")

Export events from the System log to C:\backup\ss64.evtx:

C:\> WEVTUtil export-log System C:\backup\ss64.evtx

List the event publishers on the current computer:

C:\> WEVTUtil enum-publishers

Uninstall publishers and logs from the SS64.man manifest file:
C:\> WEVTUtil uninstall-manifest SS64.man

Enable event logs for the Task Scheduler:

C:\> WEVTUtil set-log "Microsoft-Windows-TaskScheduler/Operational" /e:true >null 2>&1

Display the 50 most recent events from the Application log in text format:

wevtutil qe Application /c:50 /rd:true /f:text

Find the last 20 startup events in the System log:

C:\> WEVTUtil query-events System /count:20 /rd:true /format:text /q:"Event[System[(EventID=12)]]"

From an elevated command prompt, dump a list of all the 360 or so possible Security Event messages (publisher=Microsoft-Windows-Security-Auditing); other publishers can be enumerated with the enum-publishers switch.

C:\> WEVTUtil get-publisher Microsoft-Windows-Security-Auditing /ge /gm:true

"The Statesman who yields to war fever must realize that once the signal is given, he is no longer the master of policy but the slave of unforeseeable and uncontrollable events" ~ Sir Winston Spencer Churchill

Related commands

EVENTCREATE - Add a message to the Windows event log.
SYSMON - Monitor and log system activity to the Windows event log.
PowerShell: Get-WinEvent - Get event log data (Vista+).
List of Windows Event IDs.
WMIC NTEVENTLOG - WMI access to the event log.


 
Copyright © 1999-2024 SS64.com
Some rights reserved