Event Viewer: How to manage with commands, wevtutil.exe


If you haven’t seen the new event logs in Event Viewer, it’s time to take a look! Instead of going to Windows Logs, expand Application and Services Logs\Microsoft\Windows.


If you need more information, such as the debug or analytic logs, just hit View > Show Analytic and Debug Logs in the menu.


Wait a while and you will see not only new log categories appear but also additional logs. One example is the Offline Files category, shown with the Show Analytic and Debug Logs option disabled and then enabled.


When you look at the properties of these logs you will notice that some of them are not enabled.


So how do I manage these log settings from the command prompt?

Easy: the command is called WEVTUTIL.EXE.

This command can help you do more or less anything with the logs: list the logs, get and set configurations, query logs, export them, and so on. It’s also possible to run the command against a remote computer.

Hit wevtutil /? at the prompt for more information. Configuring an event log requires administrator privileges, so don’t forget to run the Command Prompt elevated.


For more information about each command, type wevtutil Command /?. Example: wevtutil set-log /?

Some examples

To enable or disable a log, use the set-log command with the option /e and a value of true or false. If you want the command to be silent, add /q:true for quiet.

wevtutil set-log Microsoft-Windows-OfflineFiles/Analytic /e:true /q:true

wevtutil set-log Microsoft-Windows-OfflineFiles/Analytic /e:false /q:true

To set the maximum size of a log, use the set-log command with the option /ms (MaxSize) and a value in bytes. Remember that some logs need to be disabled first.

wevtutil set-log Microsoft-Windows-OfflineFiles/Analytic /ms:5000000

To clear a log, use the clear-log command, and again remember that some logs need to be disabled first.

wevtutil clear-log Microsoft-Windows-OfflineFiles/Analytic

And to export a log, use the export-log command:

wevtutil export-log Microsoft-Windows-OfflineFiles/Operational C:\Temp\OffFilesOp.evtx

So how can I use this information? If you need more information to troubleshoot a component, feature or function, you can automate this with a couple of batch files to make it easier for service technicians to gather the right information.

The first script could enable the log, followed by a restart command.

wevtutil set-log Microsoft-Windows-OfflineFiles/Analytic /e:true /q:true
Shutdown /r /t 10

The second script could export the log, disable it and then clear it.

wevtutil export-log Microsoft-Windows-OfflineFiles/Analytic C:\Temp\OffFilesOp.evtx
wevtutil set-log Microsoft-Windows-OfflineFiles/Analytic /e:false /q:true
wevtutil clear-log Microsoft-Windows-OfflineFiles/Analytic
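The two batch scripts above folded into one PowerShell script, as an added example that is not part of the original post (the post mentions PowerShell but gives no code). It assumes wevtutil.exe is on the PATH, that it runs from an elevated prompt, and that C:\Temp is the export folder; the -Mode switch, the elevation check and the exit-code handling are my additions.

```powershell
# Added example wrapping the post's two scripts. Assumptions: wevtutil.exe on PATH,
# elevated prompt, C:\Temp as export folder.
# Usage:  .\Collect-AnalyticLog.ps1 -Mode Enable     (first script: enable + reboot)
#         .\Collect-AnalyticLog.ps1 -Mode Collect    (second script: export, disable, clear)
param(
    [Parameter(Mandatory)][ValidateSet('Enable', 'Collect')][string]$Mode,
    [string]$LogName   = 'Microsoft-Windows-OfflineFiles/Analytic',   # log used in the post
    [string]$ExportDir = 'C:\Temp'                                     # assumed export folder
)

$ErrorActionPreference = 'Stop'

# Configuring a log needs an elevated prompt, as the post notes; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

function Invoke-Wevtutil {
    # Runs wevtutil.exe with the given arguments and stops on a non-zero exit code,
    # so a failed step (e.g. clearing a log that is still enabled) is not silently skipped.
    param([string[]]$Arguments)
    & wevtutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Mode) {
    'Enable' {
        # First script: enable the log, then restart so the component logs from startup.
        Invoke-Wevtutil @('set-log', $LogName, '/e:true', '/q:true')
        Write-Host "Enabled $LogName; restarting in 10 seconds."
        shutdown.exe /r /t 10
    }
    'Collect' {
        # Second script: export first, then disable before clearing, since analytic
        # and debug logs must be disabled before they can be cleared.
        if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $file  = Join-Path $ExportDir ('{0}-{1}.evtx' -f ($LogName -replace '[\\/]', '-'), $stamp)
        Invoke-Wevtutil @('export-log', $LogName, $file)
        Invoke-Wevtutil @('set-log', $LogName, '/e:false', '/q:true')
        Invoke-Wevtutil @('clear-log', $LogName)
        Write-Host "Exported to $file; log disabled and cleared."
    }
}
```

The timestamped file name keeps exports from successive troubleshooting runs from overwriting each other.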

Note! All of this can be done with PowerShell as well; if you need examples of this, just send me a comment.

One comment

  1. I want to collect all the entries of a particular event from the Application log and save it in a txt file using wevtutil. Please help me. I searched a lot and fed.
