{
	"id": "f4be85d1-86a5-4bb4-a9bd-bd836f6a050a",
	"created_at": "2026-04-06T00:18:21.605953Z",
	"updated_at": "2026-04-10T13:12:43.825239Z",
	"deleted_at": null,
	"sha1_hash": "d2074cca6b4a9934c8f837cd31d97321120b9e52",
	"title": "wevtutil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70979,
	"plain_text": "wevtutil\r\nBy robinharwood\r\nArchived: 2026-04-05 19:08:46 UTC\r\nEnables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.\r\nSyntax\r\nwevtutil [{el | enum-logs}] [{gl | get-log} \u003cLogname\u003e [/f:\u003cFormat\u003e]]\r\n[{sl | set-log} \u003cLogname\u003e [/e:\u003cEnabled\u003e] [/i:\u003cIsolation\u003e] [/lfn:\u003cLogpath\u003e] [/rt:\u003cRetention\u003e] [/ab:\u003cAuto\u003e] [/ms:\u003cMaxSize\u003e] [/l:\u003cLevel\u003e] [/k:\u003cKeywords\u003e] [/ca:\u003cChannel\u003e] [/c:\u003cConfig\u003e]]\r\n[{ep | enum-publishers}]\r\n[{gp | get-publisher} \u003cPublishername\u003e [/ge:\u003cMetadata\u003e] [/gm:\u003cMessage\u003e] [/f:\u003cFormat\u003e]]\r\n[{im | install-manifest} \u003cManifest\u003e] [/rf:\u003cPath\u003e] [/mf:\u003cPath\u003e] [/pf:\u003cPath\u003e]\r\n[{um | uninstall-manifest} \u003cManifest\u003e] [{qe | query-events} \u003cPath\u003e [/lf:\u003cLogfile\u003e] [/sq:\u003cStructquery\u003e] [/q:\u003cQuery\u003e] [/bm:\u003cBookmark\u003e] [/sbm:\u003cSavebm\u003e] [/rd:\u003cDirection\u003e] [/f:\u003cFormat\u003e] [/l:\u003cLocale\u003e] [/c:\u003cCount\u003e] [/e:\u003cElement\u003e]]\r\n[{gli | get-loginfo} \u003cLogname\u003e [/lf:\u003cLogfile\u003e]]\r\n[{epl | export-log} \u003cPath\u003e \u003cExportfile\u003e [/lf:\u003cLogfile\u003e] [/sq:\u003cStructquery\u003e] [/q:\u003cQuery\u003e] [/ow:\u003cOverwrite\u003e]]\r\n[{al | archive-log} \u003cLogpath\u003e [/l:\u003cLocale\u003e]]\r\n[{cl | clear-log} \u003cLogname\u003e [/bu:\u003cBackup\u003e]] [/r:\u003cRemote\u003e] [/u:\u003cUsername\u003e] [/p:\u003cPassword\u003e] [/a:\u003cAuth\u003e] [/uni:\u003cUnicode\u003e]\r\nParameters\r\nParameter Description\r\n{el | enum-logs}\r\nDisplays the names of all logs.\r\n{gl | get-log} \u003cLogname\u003e [/f:\u003cFormat\u003e]\r\nDisplays configuration information for the specified log, which includes whether the log is enabled or not, the current maximum size limit of the log, and the path to the file where the log is stored.\r\n{sl | set-log} \u003cLogname\u003e [/e:\u003cEnabled\u003e] [/i:\u003cIsolation\u003e] [/lfn:\u003cLogpath\u003e] 
[/rt:\u003cRetention\u003e] [/ab:\u003cAuto\u003e] [/ms:\u003cMaxSize\u003e] [/l:\u003cLevel\u003e] [/k:\u003cKeywords\u003e] [/ca:\u003cChannel\u003e] [/c:\u003cConfig\u003e]\r\nModifies the configuration of the specified log.\r\n{ep | enum-publishers}\r\nDisplays the event publishers on the local computer.\r\n{gp | get-publisher} \u003cPublishername\u003e [/ge:\u003cMetadata\u003e] [/gm:\u003cMessage\u003e] [/f:\u003cFormat\u003e]\r\nDisplays the configuration information for the specified event publisher.\r\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\r\nPage 1 of 7\n\n{im | install-manifest} \u003cManifest\u003e [/{rf | resourceFilePath}:value] [/{mf | messageFilePath}:value] [/{pf | parameterFilePath}:value]\r\nInstalls event publishers and logs from a manifest. For more information about event manifests and using this parameter, see the Windows Event Log SDK at the Microsoft Developers Network (MSDN) Web site (https://msdn.microsoft.com). The value is the full path to the mentioned file.\r\n{um | uninstall-manifest} \u003cManifest\u003e\r\nUninstalls all publishers and logs from a manifest. For more information about event manifests and using this parameter, see the Windows Event Log SDK at the Microsoft Developers Network (MSDN) Web site (https://msdn.microsoft.com).\r\n{qe | query-events} \u003cPath\u003e [/lf:\u003cLogfile\u003e] [/sq:\u003cStructquery\u003e] [/q:\u003cQuery\u003e] [/bm:\u003cBookmark\u003e] [/sbm:\u003cSavebm\u003e] [/rd:\u003cDirection\u003e] [/f:\u003cFormat\u003e] [/l:\u003cLocale\u003e] [/c:\u003cCount\u003e] [/e:\u003cElement\u003e]\r\nReads events from an event log, from a log file, or using a structured query. By default, you provide a log name for \u003cPath\u003e. However, if you use the /lf option, then \u003cPath\u003e must be a path to a log file. 
If you use the /sq parameter, \u003cPath\u003e must be a path to a file that contains a structured query.\r\n{gli | get-loginfo} \u003cLogname\u003e [/lf:\u003cLogfile\u003e]\r\nDisplays status information about an event log or log file. If the /lf option is used, \u003cLogname\u003e is a path to a log file. You can run wevtutil el to obtain a list of log names.\r\n{epl | export-log} \u003cPath\u003e \u003cExportfile\u003e [/lf:\u003cLogfile\u003e] [/sq:\u003cStructquery\u003e] [/q:\u003cQuery\u003e] [/ow:\u003cOverwrite\u003e]\r\nExports events from an event log, from a log file, or using a structured query to the specified file. By default, you provide a log name for \u003cPath\u003e. However, if you use the /lf option, then \u003cPath\u003e must be a path to a log file. If you use the /sq option, \u003cPath\u003e must be a path to a file that contains a structured query. \u003cExportfile\u003e is a path to the file where the exported events will be stored.\r\n{al | archive-log} \u003cLogpath\u003e [/l:\u003cLocale\u003e]\r\nArchives the specified log file in a self-contained format. A subdirectory with the name of the locale is created and all locale-specific information is saved in that subdirectory. After the directory and log file are created by running wevtutil al, events in the file can be read whether the publisher is installed or not.\r\n{cl | clear-log} \u003cLogname\u003e [/bu:\u003cBackup\u003e]\r\nClears events from the specified event log. The /bu option can be used to back up the cleared events.\r\nOptions\r\nOption Description\r\n/f:\u003cFormat\u003e\r\nSpecifies that the output should be either XML or text format. If \u003cFormat\u003e is XML, the output is displayed in XML format. If \u003cFormat\u003e is Text, the output is displayed without XML tags. 
The default is Text.\r\n/e:\u003cEnabled\u003e\r\nEnables or disables a log. \u003cEnabled\u003e can be true or false.\r\n/i:\u003cIsolation\u003e\r\nSets the log isolation mode. \u003cIsolation\u003e can be system, application or custom. The isolation mode of a log determines whether a log shares a session with other logs in the same isolation class. If you specify system isolation, the target log will share at least write permissions with the System log. If you specify application isolation, the target log will share at least write permissions with the Application log. If you specify custom isolation, you must also provide a security descriptor by using the /ca option.\r\n/lfn:\u003cLogpath\u003e\r\nDefines the log file name. \u003cLogpath\u003e is a full path to the file where the Event Log service stores events for this log.\r\n/rt:\u003cRetention\u003e\r\nSets the log retention mode. \u003cRetention\u003e can be true or false. The log retention mode determines the behavior of the Event Log service when a log reaches its maximum size. If an event log reaches its maximum size and the log retention mode is true, existing events are retained, and incoming events are discarded. If the log retention mode is false, incoming events overwrite the oldest events in the log. Note that with retention set to true a full log stops recording new events until it is cleared or backed up, so pair it with /ab:true rather than leaving the log unattended.\r\n/ab:\u003cAuto\u003e\r\nSpecifies the log auto-backup policy. \u003cAuto\u003e can be true or false. If this value is true, the log will be backed up automatically when it reaches the maximum size. If this value is true, the retention (specified with the /rt option) must also be set to true.\r\n/ms:\u003cMaxSize\u003e\r\nSets the maximum size of the log in bytes. The minimum log size is 1048576 bytes (1024KB) and log files are always multiples of 64KB, so the value you enter will be rounded off accordingly.\r\n/l:\u003cLevel\u003e\r\nDefines the level filter of the log. \u003cLevel\u003e can be any valid level value. 
This option is only applicable to logs with a dedicated session. You can remove a level filter by setting \u003cLevel\u003e to 0.\r\n/k:\u003cKeywords\u003e\r\nSpecifies the keywords filter of the log. \u003cKeywords\u003e can be any valid 64-bit keyword mask. This option is only applicable to logs with a dedicated session.\r\n/ca:\u003cChannel\u003e\r\nSets the access permission for an event log. \u003cChannel\u003e is a security descriptor that uses the Security Descriptor Definition Language (SDDL). For more information about SDDL format, see the Microsoft Developers Network (MSDN) Web site (https://msdn.microsoft.com). Before replacing a log's descriptor, record the current one from wevtutil gl \u003cLogname\u003e /f:xml so that it can be restored.\r\n/c:\u003cConfig\u003e\r\nSpecifies the path to a configuration file. This option will cause log properties to be read from the configuration file defined in \u003cConfig\u003e. If you use this option, you must not specify a \u003cLogname\u003e parameter. The log name will be read from the configuration file.\r\n/ge:\u003cMetadata\u003e\r\nGets metadata information for events that can be raised by this publisher. \u003cMetadata\u003e can be true or false.\r\n/gm:\u003cMessage\u003e\r\nDisplays the actual message instead of the numeric message ID. \u003cMessage\u003e can be true or false.\r\n/lf:\u003cLogfile\u003e\r\nSpecifies that the events should be read from a log or from a log file. \u003cLogfile\u003e can be true or false. If true, the parameter to the command is the path to a log file.\r\n/sq:\u003cStructquery\u003e\r\nSpecifies that events should be obtained with a structured query. \u003cStructquery\u003e can be true or false. If true, \u003cPath\u003e is the path to a file that contains a structured query.\r\n/q:\u003cQuery\u003e\r\nDefines the XPath query to filter the events that are read or exported. 
If this option is not specified, all events will be returned or exported. This option is not available when /sq is true.\r\n/bm:\u003cBookmark\u003e\r\nSpecifies the path to a file that contains a bookmark from a previous query.\r\n/sbm:\u003cSavebm\u003e\r\nSpecifies the path to a file that is used to save a bookmark of this query. The file name extension should be .xml. Together, /bm and /sbm let a scheduled collector resume where its previous run stopped instead of re-reading the whole log.\r\n/rd:\u003cDirection\u003e\r\nSpecifies the direction in which events are read. \u003cDirection\u003e can be true or false. If true, the most recent events are returned first.\r\n/l:\u003cLocale\u003e\r\nDefines a locale string that is used to print event text in a specific locale. Only available when printing events in text format using the /f option.\r\n/c:\u003cCount\u003e\r\nSets the maximum number of events to read.\r\n/e:\u003cElement\u003e\r\nIncludes a root element when displaying events in XML. \u003cElement\u003e is the string that you want within the root element. For example, /e:root would result in XML that contains the root element pair \u003croot\u003e\u003c/root\u003e.\r\n/ow:\u003cOverwrite\u003e\r\nSpecifies that the export file should be overwritten. \u003cOverwrite\u003e can be true or false. If true, and the export file specified in \u003cExportfile\u003e already exists, it will be overwritten without confirmation.\r\n/bu:\u003cBackup\u003e\r\nSpecifies the path to a file where the cleared events will be stored. Include the .evtx extension in the name of the backup file.\r\n/r:\u003cRemote\u003e\r\nRuns the command on a remote computer. \u003cRemote\u003e is the name of the remote computer. The im and um parameters do not support remote operation.\r\n/u:\u003cUsername\u003e\r\nSpecifies a different user to log on to a remote computer. 
\u003cUsername\u003e is a user name in the form domain\\user or user. This option is only applicable when the /r option is specified.\r\n/p:\u003cPassword\u003e\r\nSpecifies the password for the user. If the /u option is used and this option is not specified or \u003cPassword\u003e is *, the user will be prompted to enter a password. This option is only applicable when the /u option is specified. Prefer the prompt (omit /p or pass *) so that the password is not left in shell history or exposed to anyone who can read the process command line.\r\n/a:\u003cAuth\u003e\r\nDefines the authentication type for connecting to a remote computer. \u003cAuth\u003e can be Default, Negotiate, Kerberos or NTLM. The default is Negotiate.\r\n/uni:\u003cUnicode\u003e\r\nDisplays the output in Unicode. \u003cUnicode\u003e can be true or false. If \u003cUnicode\u003e is true then the output is in Unicode.\r\nUsing a configuration file with the sl parameter\r\nThe configuration file is an XML file with the same format as the output of wevtutil gl \u003cLogname\u003e /f:xml.\r\nThe following shows the format of a configuration file that enables retention, enables autobackup, and sets the maximum log size on the Application log:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cchannel name=\"Application\" isolation=\"Application\" xmlns=\"https://schemas.microsoft.com/win/2004/08/events\"\u003e\r\n\u003clogging\u003e\r\n\u003cretention\u003etrue\u003c/retention\u003e\r\n\u003cautoBackup\u003etrue\u003c/autoBackup\u003e\r\n\u003cmaxSize\u003e9000000\u003c/maxSize\u003e\r\n\u003c/logging\u003e\r\n\u003cpublishing\u003e\r\n\u003c/publishing\u003e\r\n\u003c/channel\u003e\r\nThe maxSize of 9000000 is not a multiple of 64KB, so the service rounds it as described for the /ms option. Because the file is applied with /c:, no \u003cLogname\u003e is passed on the command line; the name attribute of the channel element identifies the log.\r\nExamples\r\nList the names of all logs:\r\nwevtutil el\r\nDisplay configuration information about the System log on the local computer in XML format:\r\nwevtutil gl System /f:xml\r\nUse a configuration file to set event log attributes (see Using a configuration file with the sl parameter above for an example of a configuration file):\r\nwevtutil sl /c:config.xml\r\nDisplay information about the 
Microsoft-Windows-Eventlog event publisher, including metadata about the events that the publisher can raise:\r\nwevtutil gp Microsoft-Windows-Eventlog /ge:true\r\nInstall publishers and logs from the myManifest.xml manifest file:\r\nwevtutil im myManifest.xml\r\nUninstall publishers and logs from the myManifest.xml manifest file:\r\nwevtutil um myManifest.xml\r\nDisplay the three most recent events from the Application log in textual format:\r\nwevtutil qe Application /c:3 /rd:true /f:text\r\nDisplay the status of the Application log:\r\nwevtutil gli Application\r\nExport events from the System log to C:\\backup\\system0506.evtx:\r\nwevtutil epl System C:\\backup\\system0506.evtx\r\nClear all of the events from the Application log after saving them to C:\\admin\\backups\\a10306.evtx:\r\nwevtutil cl Application /bu:C:\\admin\\backups\\a10306.evtx\r\nArchive the specified (.evtx) log file in a self-contained format. A subdirectory (LocaleMetaData) is created and all locale-specific information is saved in that subdirectory:\r\nwevtutil archive-log \"C:\\backup\\Application.evtx\" /locale:en-us\r\nSource: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
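	"editor_examples": "The configuration-file section and the Examples above show the commands one at a time. The PowerShell script below is an added example written for this page; it is not code from the Microsoft documentation. It strings the documented commands together the way an incident responder would: export a time-bounded window of events with epl and an XPath /q filter, make the export self-contained with al, and raise a channel's size limit and set its retention mode by round-tripping the gl /f:xml configuration through sl /c:. The log names, the 24-hour window, the directories under $env:TEMP, the en-us locale and the helper function names are all choices made here, not anything the page specifies.\r\n\r\n```powershell\r\n# Added example for this page; not code from the Microsoft documentation.\r\n# Two helpers around the documented wevtutil commands:\r\n#   Export-EventLogWindow  - time-bounded export (epl with an XPath /q filter),\r\n#                            made self-contained with archive-log (al)\r\n#   Set-EventLogRetention  - round-trip gl /f:xml through sl /c: to raise a\r\n#                            channel's size limit and set its retention mode\r\n# Assumptions (mine, not the page's): log names, the 24-hour window, the\r\n# directories under $env:TEMP and the en-us locale are choices made here.\r\n\r\n$ErrorActionPreference = 'Stop'\r\n\r\nfunction Export-EventLogWindow {\r\n    param(\r\n        [string[]]$Logs = @('Security', 'System', 'Application'),\r\n        [int]$Hours = 24,\r\n        [string]$OutDir = (Join-Path $env:TEMP 'evtx-collect')\r\n    )\r\n    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null\r\n    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'\r\n\r\n    # XPath over the System element: timediff() yields milliseconds between\r\n    # the event's SystemTime and now. No spaces, so no quoting is needed when\r\n    # PowerShell hands the argument to the native wevtutil.exe.\r\n    $xpath = '*[System[TimeCreated[timediff(@SystemTime)\u003c={0}]]]' -f ($Hours * 3600000)\r\n\r\n    foreach ($log in $Logs) {\r\n        # Keep the channel configuration (enabled state, size limit, retention,\r\n        # log file path) next to the evidence, exactly as gl /f:xml reports it\r\n        $cfg = Join-Path $OutDir ('{0}-{1}.config.xml' -f $log, $stamp)\r\n        wevtutil gl $log /f:xml | Out-File -FilePath $cfg -Encoding utf8\r\n\r\n        # Export only the window of interest; /ow:true suppresses the\r\n        # overwrite prompt so the script never blocks on a stale file\r\n        $evtx = Join-Path $OutDir ('{0}-{1}.evtx' -f $log, $stamp)\r\n        wevtutil epl $log $evtx ('/q:{0}' -f $xpath) /ow:true\r\n        if ($LASTEXITCODE -ne 0) { throw ('export of {0} failed' -f $log) }\r\n\r\n        # Bundle the locale-specific message strings so the file renders on an\r\n        # analysis box without the publishers (creates a LocaleMetaData folder)\r\n        wevtutil al $evtx /l:en-us\r\n        if ($LASTEXITCODE -ne 0) { throw ('archive of {0} failed' -f $evtx) }\r\n\r\n        # Status of the exported file (record count, last write time)\r\n        wevtutil gli $evtx /lf:true\r\n    }\r\n    Get-ChildItem -Path $OutDir -Recurse -File | Select-Object FullName, Length\r\n}\r\n\r\nfunction Set-EventLogRetention {\r\n    param(\r\n        [Parameter(Mandatory)][string]$Log,\r\n        [int]$MaxSizeMB = 256,\r\n        [bool]$Retain = $false,\r\n        [string]$WorkDir = (Join-Path $env:TEMP 'evtx-config')\r\n    )\r\n    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null\r\n\r\n    # The sl configuration file has the same format as gl /f:xml output, so\r\n    # read the live configuration and edit it rather than hand-writing XML\r\n    [xml]$cfg = (wevtutil gl $Log /f:xml | Out-String)\r\n\r\n    # /ms is rounded to a multiple of 64KB and must be at least 1048576 bytes\r\n    $bytes = [long]([math]::Ceiling(($MaxSizeMB * 1MB) / 64KB) * 64KB)\r\n    if ($bytes -lt 1048576) { $bytes = 1048576 }\r\n\r\n    $cfg.channel.logging.maxSize   = [string]$bytes\r\n    $cfg.channel.logging.retention = $Retain.ToString().ToLower()\r\n    # autoBackup=true requires retention=true, so keep the pair consistent\r\n    if (-not $Retain) { $cfg.channel.logging.autoBackup = 'false' }\r\n\r\n    $path = Join-Path $WorkDir ('{0}.config.xml' -f $Log)\r\n    $cfg.Save($path)\r\n\r\n    # With /c: the log name comes from the file, so no Logname argument is given\r\n    wevtutil sl ('/c:{0}' -f $path)\r\n    if ($LASTEXITCODE -ne 0) { throw ('set-log for {0} failed' -f $Log) }\r\n    wevtutil gl $Log\r\n}\r\n\r\n# Example run; needs an elevated session for the Security log and for set-log\r\nExport-EventLogWindow -Hours 24\r\nSet-EventLogRetention -Log 'Security' -MaxSizeMB 512\r\n```\r\n\r\nRun it in an elevated PowerShell session on the host being examined: reading the Security log and changing a channel configuration both require administrator rights. The export is filtered with /q, so the resulting .evtx holds only the selected window; drop the /q argument to copy the whole channel. Because the configuration is read back from gl rather than written by hand, attributes such as isolation and the channel access descriptor are carried over unchanged.",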
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
	],
	"report_names": [
		"wevtutil"
	],
	"threat_actors": [],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2074cca6b4a9934c8f837cd31d97321120b9e52.pdf",
		"text": "https://archive.orkl.eu/d2074cca6b4a9934c8f837cd31d97321120b9e52.txt",
		"img": "https://archive.orkl.eu/d2074cca6b4a9934c8f837cd31d97321120b9e52.jpg"
	}
}