{
	"id": "43b59f30-13f0-4339-b159-c14c664b1cff",
	"created_at": "2026-04-06T00:11:14.058141Z",
	"updated_at": "2026-04-10T03:35:21.458884Z",
	"deleted_at": null,
	"sha1_hash": "084fce5410deca9c8ecbd95f104fd2fa0e98a9b5",
	"title": "Clear-EventLog (Microsoft.PowerShell.Management) - PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66927,
	"plain_text": "Clear-EventLog (Microsoft.PowerShell.Management) - PowerShell\r\nBy sdwheeler\r\nArchived: 2026-04-05 17:06:20 UTC\r\nIn this article\r\n1. Syntax\r\n2. Description\r\n3. Examples\r\n4. Parameters\r\n5. Inputs\r\n6. Outputs\r\n7. Notes\r\n8. Related Links\r\nClears all entries from specified event logs on the local or remote computers.\r\nSyntax\r\nDefault (Default)\r\nClear-EventLog\r\n [-LogName] \u003cString[]\u003e\r\n [[-ComputerName] \u003cString[]\u003e]\r\n [-WhatIf]\r\n [-Confirm]\r\n [\u003cCommonParameters\u003e]\r\nDescription\r\nThe Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on\r\nremote computers. To use Clear-EventLog , you must be a member of the Administrators group on the affected\r\ncomputer.\r\nThe cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get\r\nevents from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows,\r\nuse the Get-WinEvent cmdlet.\r\nExamples\r\nExample 1: Clear specific event log types from the local computer\r\nhttps://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog\r\nPage 1 of 6\n\nClear-EventLog \"Windows PowerShell\"\r\nThis command clears the entries from the Windows PowerShell event log on the local computer.\r\nExample 2: Clear specific multiple log types from the local and remote computers\r\nClear-EventLog -LogName ODiag, OSession -ComputerName localhost, Server02\r\nThis command clears all of the entries in the Microsoft Office Diagnostics (ODiag) and Microsoft Office Sessions\r\n(OSession) logs on the local computer and the Server02 remote computer.\r\nExample 3: Clear all logs on the specified computers then display the event log list\r\nClear-EventLog -LogName Application, System -Confirm\r\nThis command prompts you for confirmation before deleting the entries in the specified event logs.\r\nExample 4: Clear all 
logs on the specified computers then display the event log list\r\nfunction clear-all-event-logs ($ComputerName=\"localhost\")\r\n{\r\n $logs = Get-EventLog -ComputerName $ComputerName -List | ForEach-Object {$_.Log}\r\n $logs | ForEach-Object {Clear-EventLog -ComputerName $ComputerName -LogName $_ }\r\n Get-EventLog -ComputerName $ComputerName -List\r\n}\r\nclear-all-event-logs -ComputerName Server01\r\nMax(K) Retain OverflowAction Entries Log\r\n------ ------ -------------- ------- ---\r\n15,168 0 OverwriteAsNeeded 0 Application\r\n15,168 0 OverwriteAsNeeded 0 DFS Replication\r\n512 7 OverwriteOlder 0 DxStudio\r\n20,480 0 OverwriteAsNeeded 0 Hardware Events\r\n512 7 OverwriteOlder 0 Internet Explorer\r\n20,480 0 OverwriteAsNeeded 0 Key Management Service\r\n16,384 0 OverwriteAsNeeded 0 Microsoft Office Diagnostics\r\n16,384 0 OverwriteAsNeeded 0 Microsoft Office Sessions\r\n30,016 0 OverwriteAsNeeded 1 Security\r\n15,168 0 OverwriteAsNeeded 2 System\r\n15,360 0 OverwriteAsNeeded 0 Windows PowerShell\r\nThis function clears all event logs on the specified computers and then displays the resulting event log list.\r\nNotice that a few entries were added to the System and Security logs after the logs were cleared but before they\r\nwere displayed.\r\nParameters\r\n-ComputerName\r\nSpecifies a remote computer. The default is the local computer.\r\nType the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote\r\ncomputer. To specify the local computer, type the computer name, a dot (.), or localhost.\r\nThis parameter does not rely on Windows PowerShell remoting. 
You can use the ComputerName parameter of\r\nGet-EventLog even if your computer is not configured to run remote commands.\r\nParameter properties\r\nType: String[]\r\nDefault value: Local computer\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: Cn\r\nParameter sets\r\n(All)\r\nPosition: 1\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: True\r\nValue from remaining arguments: False\r\n-Confirm\r\nPrompts you for confirmation before running the cmdlet.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: False\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: cf\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-LogName\r\nSpecifies the event logs. Enter the log name (the value of the Log property not the LogDisplayName) of one or\r\nmore event logs, separated by commas. Wildcard characters are not permitted. This parameter is required.\r\nImportant\r\nThis parameter is supposed to accept values from the pipeline by property name. However, there is a bug that\r\nprevents this from working. You must pass a value using the parameter directly.\r\nParameter properties\r\nType: String[]\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: LN\r\nParameter sets\r\n(All)\r\nPosition: 0\r\nMandatory: True\r\nValue from pipeline: False\r\nValue from pipeline by property name: True\r\nValue from remaining arguments: False\r\n-WhatIf\r\nShows what would happen if the cmdlet runs. 
The cmdlet is not run.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: False\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: wi\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\nCommonParameters\r\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction,\r\n-InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction,\r\nand -WarningVariable. For more information, see about_CommonParameters.\r\nInputs\r\nNone\r\nYou cannot pipe objects to Clear-EventLog.\r\nOutputs\r\nNone\r\nThis cmdlet does not generate any output.\r\nNotes\r\nTo use Clear-EventLog on Windows Vista and later versions of Windows, start Windows PowerShell\r\nwith the Run as administrator option.\r\nRelated Links\r\nGet-EventLog\r\nLimit-EventLog\r\nNew-EventLog\r\nRemove-EventLog\r\nShow-EventLog\r\nWrite-EventLog\r\nSource: https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog"
	],
	"report_names": [
		"clear-eventlog"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/084fce5410deca9c8ecbd95f104fd2fa0e98a9b5.pdf",
		"text": "https://archive.orkl.eu/084fce5410deca9c8ecbd95f104fd2fa0e98a9b5.txt",
		"img": "https://archive.orkl.eu/084fce5410deca9c8ecbd95f104fd2fa0e98a9b5.jpg"
	}
}