    Command Line Event Logs - Part 1

    Posted on by Jeff Hicks in Windows Client OS with 4 Comments


    Don’t get me wrong, graphical tools are just fine. However, I tend to spend a lot of time at the command line and can often type commands faster than I can navigate through a GUI. Plus, if I’m looking for ways to build an automated administrative task, command line tools are essential. You might think all I care about is Windows PowerShell. And while PowerShell is indeed an incredible tool, I realize some IT Pros aren’t ready for it or for one reason or another can’t use it. But all is not lost.

    Let me show you a command line tool you already have on your Windows 7 desktop that you can use to manage event logs. Actually, this tool has been around since Windows Vista, but since command line tools rarely get the love they deserve, I expect many of you have never seen it.

    Managing Event Logs with the Command Line

    Open a command prompt and look at help for WEVTUTIL.EXE

    There’s much more to the help than what I’ve shown here, but as you can see this is a pretty feature-rich tool. In this part we’ll look at using it to query event logs.

    The default behavior is that the command queries logs on the local computer. But we can use the /r parameter and specify a remote computer. Unfortunately, you can only query one computer at a time. But let’s not get ahead of ourselves. The basic way to use WEVTUTIL is like this:

    Table 1 shows you the parameters you are most likely to use:

    Table 1

    /c:<count>
        Return the specified number of event log entries. If omitted, you get everything.
        Example: /c:5

    /rd:<True|False>
        Reverse direction. By default entries are returned oldest first; set this to True to get the newest entries first.
        Example: /rd:true

    /f:<Text|XML|RenderedXML>
        Output format. The default is XML; set this to Text for easier-to-read output.
        Example: /f:text

    /r:<computername>
        Specify the name of a remote computer.
        Example: /r:server01


    When connecting remotely, the utility uses your current credentials, but you can supply alternate credentials with /u:domain\username and /p:<password>.

    So to put this all together, let’s say I want to get the last 5 entries in the System event log on CHI-FP01.

    I didn’t want to type the password in clear text, so I used an asterisk for the password, which makes the utility prompt for it, as you see in Figure 1.


    Figure 1 Remote Query

    I expect most of the time you will be searching for specific entries. This is where it gets tricky, because Windows event logs now require a fair bit of XML knowledge. To find specific event log entries you need to use the /q parameter, which requires an XPath query. Don’t worry if you don’t know XPath. For most IT Pros, I think you can use this template:

    The XML value is the name of the XML node. Grab an entry to see what one looks like.

    Now you see why I prefer to format as text. Let’s say we want to query on EventID 7036. I will run a command like this, using my current credentials.

    You can see the results in Figure 2.


    Figure 2 EventID Query

    Another common task is to get entries by type, such as Error or Warning. You can still do this, but you’ll need to correlate them to a Level.

    Table 2

    Level Description
    Level 1 Critical
    Level 2 Error
    Level 3 Warning
    Level 4 Information


    Thus, to get the 5 most recent errors in the System event log from CHI-DC01, I would run this command:

    I’m piping to MORE to page through the output, or you can send it to a text file using console redirection.

    You can even build a more complex query.

    But be careful. Some of this is case sensitive, and it isn’t always readily apparent where or why unless you are an XML expert. If you try the above query using an uppercase OR, it will fail as an invalid query.

    Advanced Queries with Event Viewer Management Console

    For more complex queries, the best thing to do is open the Event Viewer Management console and use the GUI to build your query. You can then look at the XML and copy and paste it into your command. Or if you have something you like to use often, save it to a text file and then “import” the query. For example, I built this XML query in the GUI:

    I copied and pasted it into a text file. Now I can use this query in a command line.

    Instead of a log name I specified the path to the XML query and set the /sq parameter to True. If there are no matching events, nothing will be returned.
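    As an added example (not code from the article or from Microsoft), here is a small Python helper that assembles the two kinds of query described above: the XPath filter passed with /q, built from the Level numbers in Table 2 and the switches in Table 1, and the saved XML query file used with /sq:true. It assumes the real wevtutil "qe" (query-events) verb and the Event Viewer QueryList XML format; it only executes the command when wevtutil is found on the host, so the run step works on Windows only.

```python
import shutil
import subprocess
from typing import Iterable, List, Optional

# Table 2 of the article: Level numbers behind the Event Viewer type names.
LEVELS = {"Critical": 1, "Error": 2, "Warning": 3, "Information": 4}

def build_xpath(event_ids: Iterable[int] = (), levels: Iterable[str] = ()) -> str:
    """XPath filter on each event's System node; XPath operators are case
    sensitive, so the joins stay lowercase (uppercase OR is an invalid query)."""
    clauses = []
    ids = [f"EventID={i}" for i in event_ids]
    if ids:
        clauses.append("(" + " or ".join(ids) + ")")
    lvls = [f"Level={LEVELS[name]}" for name in levels]
    if lvls:
        clauses.append("(" + " or ".join(lvls) + ")")
    return "*[System[" + " and ".join(clauses) + "]]" if clauses else "*"

def build_command(log: str, xpath: str, count: Optional[int] = None,
                  newest_first: bool = True, computer: Optional[str] = None) -> List[str]:
    """Argument list for 'wevtutil qe' built from the Table 1 switches."""
    cmd = ["wevtutil", "qe", log, f"/q:{xpath}", "/f:text"]
    if count is not None:
        cmd.append(f"/c:{count}")
    if newest_first:
        cmd.append("/rd:true")
    if computer:
        cmd.append(f"/r:{computer}")
    return cmd

def build_structured_query(log: str, xpath: str) -> str:
    """XML in the Event Viewer custom-view format, for a file passed with /sq:true."""
    return ("<QueryList>"
            f'<Query Id="0" Path="{log}">'
            f'<Select Path="{log}">{xpath}</Select>'
            "</Query></QueryList>")

def run(cmd: List[str]) -> Optional[str]:
    """Execute the query where wevtutil exists (Windows); return None elsewhere."""
    if shutil.which("wevtutil") is None:
        return None
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    # Five most recent errors in the System log on CHI-DC01, as in the article.
    errors = build_command("System", build_xpath(levels=["Error"]), count=5, computer="CHI-DC01")
    print(" ".join(errors))
    print(build_structured_query("System", build_xpath(event_ids=[7036], levels=["Error", "Warning"])))
    print(run(errors) or "wevtutil not available on this host")
```

    Save the output of build_structured_query to a text file and pass that path in place of the log name with /sq:true, exactly as the article does with the query built in the GUI.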

    That’s all the time I have for now. Next time we’ll look at using this utility to manage the event log itself.
