WEvtUtil Scripting

If you haven’t used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you’re missing out.  The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn’t suffer from any of the drawbacks around getting field delimiting correct.

The tool’s command to query events from a log is “qe”, and takes a log name as a parameter.

If you want to specify a query expression, then you can use XPath with the /q switch.  The easiest way to do this is to use Event Viewer to build a filter for just the events that you want, and then copy just the XPath expression out of the XML tab of the filter dialog in Event Viewer.  Be careful to copy only the filter expression and not the XML that surrounds it. 

Finally, the default output format of wevtutil is XML.  However it dumps each event as XML, but does not include a root element- in other words it’s not well-formed XML by default.  To include a root element you need to include the /e switch and a root element name.

I put this all together in a batch file, with an example XPath filter that just gathers interactive logon events (event ID=4624, logon type=2).  You can save this as a .cmd file and run it as an administrator on Vista or WS08 and it will pull up a list of your interactive logons in Internet Explorer (or your default XML handler application if you’ve changed the registration).  It has to run as admin because it accesses the security event log.

If you’re really good (better than me, which is not hard) you could write an XSL style sheet and put this into a report format.

Good luck!

@echo off


REM (C) 2008 Microsoft Corporation

REM All Rights Reserved

set outputfile=%temp%\interactive-logon-events.xml

if “%1” NEQ “” set outputfile=%1


REM The next command is all one line and has no carriage returns

REM The only spaces in the XPath are around the AND keywords

wevtutil qe Security /q:”*[System[Provider[@Name=’Microsoft-Windows-Security-Auditing’] and Task=12544 and (EventID=4624)] and EventData[Data[@Name=’LogonType’]=’2′]]” /e:Events > %outputfile%

start %outputfile%

set outputfile=


Comments (4)

  1. Murat Eraydin says:

    When I use "gp" command with "microsoft-windows-security-kerberos" (and some others), I get really large event ids. Bitwise ANDing with 0xFFFF gives me a normal ID but now I'm getting duplicate values and no "EventType" information is there. Any idea what's wrong here?


    wevtutil gp microsoft-windows-security-kerberos /ge /gm

    gives me the following…



       <event value="1073741829" version="0" opcode="0" channel="0" level="0" task="0" keywords="0x80000000000000" message="The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server %1. This indicates that the ticket used against that server is not yet valid (in relationship to that server time).  Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm %2 is in sync with the KDC in the client realm.">


       <event value="65541" version="0" opcode="0" channel="0" level="0" task="0" keywords="0x80000000000000" message="An error occurred while retrieving a digital certificate from the inserted smart card. %1">


  2. ericfitz says:

    Sorry for the slow reply, somehow I didn't get notified of this comment.

    There is a bug in how the security log sends events to eventlog.  The fix for this is being considered for a future release of Windows.

  3. question says:

    I have a question getting used to the new Wevtutil.exe.  

    Trying to make a bat file that will simply make a subfolder under one I have called "EventLogs" clear the entire System, Application, and Security log and save all three each day in the dated folder they were put in.  Does this make sense to anyone.  I can pull and clear the logs but what I can't do is get my script to create the subfolder and put each days logs in the correct folder with that days's date.  The path I am putting them will be C:EventLogs20101227 for today and tomorrow the folder under EventLogs would be 20101228 with the evtx files in the corresponding folder.  

    Here is what I have so far:


    REM Get the current date and save it to the %date% variable


    FOR /F "TOKENS=2-4 DELIMS=/ " %%A IN ('DATE /T') DO (SET date=%%A%%B%%C)

    REM Use wevtutil to backup (/bu) and clear (cl) the various event logs

    WEVTUTIL CL Application /BU:C:EventlogsapplicationLogs%date%.evtx

    WEVTUTIL CL Security /BU:C:EventlogssecurityLogs%date%.evtx

    WEVTUTIL CL System /BU:C:EventlogssystemLogs%date%.evtx

  4. ericfitz says:

    It looks like you need to create the subfolders, e.g. "MD C:EventlogsapplicationLogs%date%".