
I need to get a list of events that have an ID of 6005 or 6006 using the "wevtutil" tool. This command works fine:

```
wevtutil qe system /rd:true /q:*[System[EventID=6005]]
```

But I need to get both events with ID 6005 and 6006. I tried

```
wevtutil qe system /rd:true /q:*[System[EventID=6005 or EventID=6006]]
```

But it returns

```
Too many arguments are specified. The parameter is incorrect.
```

How should I fix it?

Note: each event has the following XML structure

```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventLog'/><EventID Qualifiers='32768'>6005</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2018-01-24T18:24:41.592259500Z'/><EventRecordID>350</EventRecordID><Channel>System</Channel><Computer>LAPTOP-IN03NS68</Computer><Security/></System><EventData><Binary>E20701000300180012001800290050020000000000000000</Binary></EventData></Event>
```
Anthony J.
  • wevtutil.exe uses the C runtime's `wmain` entry point, which tokenizes the command line according to the rules documented in [Parsing C++ Command-Line Arguments](https://learn.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments). So you need double quotes to prevent the query from getting split as separate arguments, e.g. `"/q:*[System[EventID=6005 or EventID=6006]]"` or even odd-looking `/q:*[System[EventID=6005" or "EventID=6006]]`. – Eryk Sun Mar 07 '18 at 15:04

2 Answers


```
"/q:*[System[(EventID=6005) or (EventID=6006)]]"
```

xav
helmut

eryksun already answered in a comment. Double quotes must be used.

Anthony J.
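The splitting behaviour described in the comment and answers above can be reproduced with a small tokenizer. This is an added example, not code from any of the posts: `split_msvc_args` is a hypothetical helper that implements only the whitespace, double-quote and backslash-before-quote rules of the Microsoft C runtime (it skips the program name and the doubled-quote rule), and it assumes the command line reaches wevtutil.exe unchanged, as it would from cmd.exe.

```python
def split_msvc_args(cmdline: str) -> list[str]:
    """Split the argument part of a Windows command line the way the MSVC
    runtime does before calling wmain (simplified, see lead-in)."""
    args, cur = [], []
    in_quotes = False
    have_arg = False  # lets "" count as an (empty) argument
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            # Backslashes are literal unless the run ends at a double quote.
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))  # each pair -> one backslash
                if run % 2:                    # odd run: quote is literal
                    cur.append('"')
                    j += 1
                # even run: the quote is handled as a delimiter next pass
            else:
                cur.append("\\" * run)
            have_arg = True
            i = j
            continue
        if ch == '"':
            in_quotes = not in_quotes          # quotes group, are not kept
            have_arg = True
        elif ch in " \t" and not in_quotes:
            if have_arg:                       # whitespace ends an argument
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args

# Constructed inputs: the argument strings from the question and the fixes.
UNQUOTED = "qe system /rd:true /q:*[System[EventID=6005 or EventID=6006]]"
QUOTED = 'qe system /rd:true "/q:*[System[EventID=6005 or EventID=6006]]"'
EMBEDDED = 'qe system /rd:true /q:*[System[EventID=6005" or "EventID=6006]]'

if __name__ == "__main__":
    for line in (UNQUOTED, QUOTED, EMBEDDED):
        print(len(split_msvc_args(line)), split_msvc_args(line))
```

The unquoted form yields six arguments, with the query broken at each space, while both quoted forms yield four with the whole XPath query in a single `/q:` argument.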