What is WevtUtil and how do you use it?

WevtUtil.exe is a command-line utility in the Windows operating system, used primarily to register your Provider on the computer. The tool is placed in %windir%System32 folder. This command is limited to members of the Administrators group and must be run with elevated privileges. In this post, we discuss how to use this inbuilt tool in Windows 11 or Windows 10 computers.

What is WevtUtil and how do you use it?

What is C System32 WevtUtil exe?

The process known as Windows Events Command Line Utility is native to the Windows operating system by Microsoft. The wevtutil.exe file is located in the C:WindowsSystem32 folder. The file size on Windows 11/10 is 171,008 bytes. The WevtUtil.exe is a Windows core system file.

What is WevtUtil and how do you use it?

The WevtUtil.exe command enables you to retrieve information about event logs and publishers. You can use the command to get metadata information about the provider, its events, and the channels to which it logs events, and to query events from a channel or log file.

PC users can run the WevtUtil command for the following:

  • Retrieve information about event logs and publishers.
  • Archive logs in a self-contained format.
  • Enumerate the available logs.
  • Install and uninstall event manifests.
  • Run queries.
  • Exports events (from an event log, from a log file, or using a structured query) to a specified file.
  • Clear event logs.

For usage information, enter wevtutil /? at a command prompt.

Using WevtUtil command

Let’s take a look at some basic usage of the WevtUtil command on Windows 11/10 system.

Press Windows key + R, type cmd and hit Enter to open Command Prompt. Alternatively, open Windows Terminal and select Command Prompt profile. In the CMD prompt, run the commands below for the corresponding task(s).

Note: Most options for WevtUtil are not case sensitive, but the built-in help is and must be requested in the UPPER case. To retrieve event log data, the PowerShell cmdlet Get-WinEvent is easier to use and more flexible.

  • List the names of all logs:
wevtutil el
  • Display configuration information about the System log on the local computer in XML format:
wevtutil gl System /f:xml
  • Use a configuration file to set event log attributes (see Remarks for an example of a configuration file):
wevtutil sl /c:config.xml
  • Display information about the Microsoft-Windows-Eventlog event publisher, including metadata about the events that the publisher can raise:
wevtutil gp Microsoft-Windows-Eventlog /ge:true
  • Install publishers and logs from the myManifest.xml manifest file:
wevtutil im myManifest.xml
  • Uninstall publishers and logs from the myManifest.xml manifest file:
wevtutil um myManifest.xml
  • Display the three most recent events from the Application log in textual format:
wevtutil qe Application /c:3 /rd:true /f:text
  • Display the status of the Application log:
wevtutil gli Application
  • Export events from System log to C:backupsystem0506.evtx:
wevtutil epl System C:backupsystem0506.evtx
  • Clear all of the events from the Application log after saving them to C:adminbackupsa10306.evtx:
wevtutil cl Application /bu:C:adminbackupsa10306.evtx
  • Clear all the events from the Application log:
wevtutil clear-log Application
@echo off
for /f "tokens=*" %%G in ('wevtutil.exe el') do (wevtutil.exe cl "%%G")
  • Export events from the System log to C:backupss64.evtx:
wevtutil export-log System C:backupss64.evtx
  • List the event publishers on the current computer:
wevtutil enum-publishers
  • Uninstall publishers and logs from the SS64.man manifest file:
wevtutil uninstall-manifest SS64.man
  • Enable event logs for the Task Scheduler:
wevtutil set-log "Microsoft-Windows-TaskScheduler/Operational" /e:true >null 2>&1
  • Display the 50 most recent events from the Application log in text format:
wevtutil qe Application /c:50 /rd:true /f:text
  • Find the last 20 startup events in the System log:
wevtutil query-events System /count:20 /rd:true /format:text /q:"Event[System[(EventID=12)]]"

The WevtUtil.exe command can control nearly every aspect of the Event Viewer and Logs which requires a lot of parameters and switches to control these details. To see the main structure of the syntax for WevtUtil.exe and learn more about this native tool, check out the Microsoft documentation.

Hope you find this post informative enough!

How do I use Windows logs?

To access the Event Viewer in Windows 11, Windows 10, and Server, do the following:

  • Right-click on the Start button.
  • Select Control Panel > System & Security.
  • Double-click Administrative tools.
  • Double-click Event Viewer.
  • Select the type of logs that you wish to review (ex: Application, System).

What do system logs show?

In Windows 11/10 computer, the system log (Syslog) contains a record of the operating system (OS) events that indicates how the system processes and drivers were loaded. The Syslog shows informational, error, and warning events related to the computer OS.

Can I delete log files?

By default, DB does not delete log files for you. For this reason, DB’s log files will eventually grow to consume an unnecessarily large amount of disk space. To guard against this, you should periodically take administrative action to remove log files that are no longer in use by your application. You can delete application level log files via System View > Database Properties > Enterprise View. Expand the Planning application type and the application that contains the log files you want to delete. Right-click the application, and select Delete Log.

Source link


MORRIS is an impassioned technology writer. He always inspires technologists with his innovative thinking and practical approach. A go-to personality for every Technical problem, no doubt, the chief problem-solver!

Leave a Reply