Questions tagged [wevtutil]

wevtutil ("Windows event utility") is a command-line tool that can retrieve information about, and manipulate, Windows event logs and event publishers.

More Information: TechNet article on wevtutil

16 questions
4 votes, 1 answer

WEVTUtil export certain event

I want to export only event ID 4624 from Security. The code below exports all events from Security (I want only 4624): WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"4624" When all 4624 events exported I…
acid magic

2 votes, 2 answers

Why do I have empty Windows logs after a successful EventWrite function call

I have a manifest file with several events and two channels. I generate the include and resource file via the mc command: mc -um manifest.man I link the resource files into the application. I install the manifest in the system via the wevtutil command: wevtutil.exe im…
synacker

2 votes, 1 answer

Publisher MyTestSource resources could not be found or are not accessible to the EventLog service account (NT SERVICE\EventLog)

I'm trying to register an EventSource using Microsoft.Diagnostics.Tracing.EventRegister from NuGet. I rebuild my project and it generates a manifest. After that I run cmd as admin and execute this command: wevtutil.exe im "ETW…
Dilshod K

2 votes, 2 answers

How to use XPath in wevtutil to retrieve events since a specific time

I don't know XPath. I have looked at the W3 tutorial, but they do not seem to work. I'm using wevtutil to extract events from the Windows event logs. I'm on Windows Server 2008 R2 Enterprise. If I list just the last three events using the following…
Graham

1 vote, 0 answers

How can I get in C++ the same behavior of `wevtutil qe Application`?

I would like to export the Windows Application event log to an XML file. In the past I asked "How can I programmatically (C++) save the event log file as a CSV?" with no success. Today I tried "EvtArchiveExportedLog fails with ERROR_DIRECTORY" with no…
Alessandro Jacopson

0 votes, 0 answers

PowerShell: wevtutil epl Produces Incorrect Output

In UIPath Studio, I am trying to use the Invoke PowerShell activity to extract some filtered event logs as a .evtx file. My command is: wevtutil epl Application…
DualBall

0 votes, 1 answer

Event Tracing for Windows (ETW) increase session buffer size

I'm using ETW for tracing events of some custom applications (written in C++) I'm developing. The providers are manifest-based providers. During some test sessions, I saw some events are missing and, debugging, I found out that the EventWrite method…
BugsFree

0 votes, 1 answer

filter logs by username instead of SID

I want to filter some logs for a specific username. In Event Viewer, you can enter the username in the mentioned field and it will filter your logs. But I want to use cmd (wevtutil), so I should use an XML query to filter my logs. But the problem appears…

0 votes, 0 answers

Passing the results of wevtutil to a variable or array in git bash

GOAL: As the title suggests, I'm needing to pass the results of a function to a variable. Specifically, LASTLOG() { wevtutil qe "$WINLOG" //c:1 //rd:.ture //f:text } This primary command is wevtutil qe "$WINLOG" //c:1 //rd:.ture //f:text. ISSUE:…
dex

0 votes, 2 answers

WEVTUtil Filter from a source

I have been trying to filter the Application log from WEVTUtil in order to view a specific log. However, in filtering for event ID 1036, there are two separate publishers. I want to be able to just get the events from MsiInstaller, but cannot for the…
Flynn

0 votes, 0 answers

Is there a way to quietly run the "wevtutil" command

DESCRIPTION: I have a script that is supposed to be collecting log system information; however, at the end of the shell script the error that is output by the following command, wevtutil epl "$ALOG" "${SYSNAM}_${SAFNAM}.evtx", is Failed to export log....…
dex

0 votes, 2 answers

Wevtutil\Event Viewer: Getting list of events with different event ids using XPath Filter

I need to get a list of events that have id of 6005 or 6006 using "wevtutil" tool. This command works fine: wevtutil qe system /rd:true /q:*[System[EventID=6005]] But I need to get both events with ID 6005 and 6006. I tried wevtutil qe system…
Anthony J.

0 votes, 1 answer

Interrogate all event log based on date/time, not on path

I'm investigating a problem on my PC (more exactly a sharing violation during the xcopy of a bunch of files), and I'm thinking of verifying the event log, but I'd like to investigate all events which occurred between the beginning of that xcopy and…
Dominique

0 votes, 1 answer

remote wevtutil "The account is not authorized to log in from this station."

I am responsible for running centralized backups of Windows Security logs on a network of ~15 Windows boxes. To automate this task, I have been writing a PowerShell script that utilizes wevtutil's /r parameter to do it all remotely. All of the boxes…

0 votes, 1 answer

How to get just description field from a wevtutil output

I can fetch the latest 5 events generated by MsiInstaller from the event logs with: wevtutil qe Application /rd:true /f:text /c:5 /q:"*[System[Provider[@Name='MsiInstaller']]]" But the output is too descriptive. Is it possible to get only the description…
A_N
