Wednesday, June 2, 2010

Uses of Windows Events Command Line Utility in retrieving the information about event logs and publishers

If you’re looking for retrieving information about event logs and publishers, the Window Event Command Line Utility (Wevtutil.exe) is the perfect choice for you. Using this utility, you can install and uninstall event manifests; run queries; and export, archive, and clear logs from an elevated command prompt. You can use either the short (ep /uni) or long (enum-publishers /unicode) version of the command and option names, and all commands, options, and option values are case insensitive.

Following is the general syntax of the Wevtutil.exe
wevtutil command [argument [argument] ...] [/option:value [/option:value] ...]

Here command can be any of the following:
•    al (archive-log) Archives an exported log.
•   cl (clear-log) Clears a log.
•    el (enum-logs) Lists log names.
•    ep (enum-publishers) Lists event publishers.
•   epl (export-log) Exports a log.
•    gl (get-log) Gets log configuration information.
•    gli (get-log-info) Gets log status information.
•    gp (get-publisher) Gets publisher configuration information.
•    im (install-manifest) Installs event publishers and logs from manifest.
•   qe (query-events) Queries events from a log or log file.
•   sl (set-log) Modifies configuration of a log.
•    um (uninstall-manifest) Uninstalls event publishers and logs from manifest.

Then, following are the common options
•    /r:value (remote) If you specify this command, it will run on a remote Computer named value. You have to remember that im (install-manifest) and um (uninstall-manifest) do not support remote operation.
•    /u:value (username) This command specifies a different user to log on to the remote Computer. Moreover, here the value is a user name in the form of domain\user or user. Then, this option is only applicable when you specify the option /r (remote).
•    /p:value (password) This command specifies a password for the specified user. If you don’t specify or the value is "*", you will be prompted to enter a password.  Remember that this option is applicable only when you specify /u (username) option.
•    /a:value (authentication) This command is able to authenticate type for connecting to a remote Computer. The value can be default, Negotiate, Kerberos, or NTLM.
•    /uni:value (unicode) This command is able to display output in Unicode. Value can be true or false (if true, output is in Unicode).
•    If you want to know more about a specify command, just type wevtutil command /? at an elevated Command Prompt.
•    This will let you know more about the commands.