Windows: Export EventLog from command line

Hi,

Windows has a built-in command-line utility for working with event logs: wevtutil

Some examples.

List all registered Eventlogs

D:\> wevtutil el

Export the System EventLog to a file

D:\> wevtutil epl System %temp%\%Computername%_System_log.evtx

Or the Remote Desktop EventLog to a file

D:\> wevtutil epl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational %temp%\%Computername%_rdp_log.evtx

Print the last 100 events with ID 1704 from the Application EventLog as text (/c limits the number of events returned, /rd:true reads the newest events first)

D:\> wevtutil qe Application /q:"Event/System/EventID=1704" /c:100 /rd:true /f:text

Michael
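
An added example, not from the original post: a PowerShell script that runs the same `wevtutil epl` export over several logs, limits each export to the last 24 hours with an XPath time filter, and records a SHA-256 hash of every exported file. The list of logs, the output folder name and the 24-hour window are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt; exporting the Security log requires administrator rights.

# Assumption: the logs of interest and the time window are illustrative choices.
$logs = @(
    'System',
    'Application',
    'Security',
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
)
$windowMs = 24 * 60 * 60 * 1000   # last 24 hours, in milliseconds

# XPath filter: only events created within the window.
$query = "*[System[TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Assumption: output goes to a timestamped folder under %TEMP%.
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $env:TEMP "$($env:COMPUTERNAME)_evtx_$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$results = foreach ($log in $logs) {
    # Channel names may contain '/', which is not valid in a file name.
    $file = Join-Path $outDir (($log -replace '[\\/]', '_') + '.evtx')

    # Same export command as in the post, with a query and overwrite enabled.
    & wevtutil.exe epl $log $file "/q:$query" /ow:true

    if ($LASTEXITCODE -eq 0 -and (Test-Path $file)) {
        [pscustomobject]@{
            Log    = $log
            File   = $file
            SHA256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        }
    } else {
        # A missing channel or insufficient rights ends up here.
        Write-Warning "Export failed for '$log' (exit code $LASTEXITCODE)"
    }
}

# Keep the hashes next to the exports so later copies can be verified.
$results | Export-Csv -Path (Join-Path $outDir 'hashes.csv') -NoTypeInformation
$results | Format-Table -AutoSize
```

Recomputing the hashes after the files have been copied off the host and comparing them with `hashes.csv` shows whether an export was altered in transit.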


2 thoughts on “Windows: Export EventLog from command line”

  1. How can I export a specific event ID in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational using the epl command?

    1. Hi Bab,

      really straightforward

      D:\> wevtutil qe Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational /q:"Event/System/EventID=148"

      or to file

      D:\> wevtutil epl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational /q:"Event/System/EventID=148" %temp%\test.evtx

      Michael
