wevtutil.exe 事件命令行实用程序 31a412348c3bf5bd6138b77f6c5e2e1c

File info

File name: wevtutil.exe.mui
Size: 25088 bytes
MD5: 31a412348c3bf5bd6138b77f6c5e2e1c
SHA1: d4de1e625c9b2ebc4cfbac613a91ea991d306d99
SHA256: adbf3ec7210b1e43edd53b1c5fc828513e7fd2d00ea5381f4813aac6fc7dccf0
Operating systems: Windows 10
Extension: MUI
In x64: wevtutil.exe 事件命令行实用程序 (32 位)

Translations of messages and strings

If an error occurs or one of the following messages appears in Chinese (Simplified) and you cannot find a solution, check the answer in English. The table below shows how each phrase reads in English.

id Chinese (Simplified) English
0x1无法打开配置文件: %1!s!。%0 Failed to open config file: %1!s!.%0
0x2配置文件无效。%0 Invalid config file.%0
0x3无法初始化 COM。%0 Failed to initialize COM.%0
0x4无法获取 %1!s! 属性。%0 Failed to get %1!s! property.%0
0x5无法设置 %1!s! 属性。%0 Failed to set %1!s! property.%0
0x6不支持命令 %1!s!。%0 Command %1!s! is not supported.%0
0x7选项 %1!s! 无效。未指定选项名称。%0 Invalid option %1!s!. Option name is not specified.%0
0x8选项 %1!s! 无效。将选项指定了多次。%0 Invalid option %1!s!. Option is specified more than once.%0
0xA选项 %1!s! 无效。未指定选项值。%0 Invalid option %1!s!. Option value is not specified.%0
0xB选项 %1!s! 无效。选项不是布尔值。%0 Invalid option %1!s!. Option is not Boolean.%0
0xC选项 %1!s! 无效。不支持选项。%0 Invalid option %1!s!. Option is not supported.%0
0xD选项 %1!s! 的值无效。%0 Invalid value for option %1!s!.%0
0xE不能同时指定选项 %1!s! 和 %2!s!。%0 option %1!s! and %2!s! cannot be specified at the same time.%0
0xF指定的参数太多。%0 Too many arguments are specified.%0
0x10未指定必需的参数。%0 Required argument(s) is/are not specified.%0
0x11内部错误。%0 Internal error.%0
0x12无法打开到服务器的会话: %1!s!。%0 Failed to open session to server: %1!s!.%0
0x13无法读取密码。%0 Failed to read password.%0
0x14未指定命令。%0 Command is not specified.%0
0x15无法打开发布者 %1!s! 的元数据。%0 Failed to open metadata for publisher %1!s!.%0
0x16无法打开发布者枚举。%0 Failed to open publisher enumeration.%0
0x17无法枚举发布者。%0 Failed to enumerate publishers.%0
0x18无法加载资源 %1!s!。%0 Failed to load resource %1!s!.%0
0x19无法打开发布者 %1!s! 的事件元数据。%0 Failed to open event metadata for publisher %1!s!.%0
0x1A无法枚举发布者 %1!s! 的事件元数据。%0 Failed to enumerate event metadata for publisher %1!s!.%0
0x1B无法呈现事件。事件句柄 = 0x%1!08x!。%0 Failed to render event. Event handle = 0x%1!08x!.%0
0x1C无法注册订阅 %1!s!。%0 Failed to register subscription %1!s!.%0
0x1D无法读取日志 %1!s! 的配置。%0 Failed to read configuration for log %1!s!.%0
0x1E无法保存配置或激活日志 %1!s!。%0 Failed to save configuration or activate log %1!s!.%0
0x1F无法读取日志 %1!s! 的日志状态信息。%0 Failed to read log status information for log %1!s!.%0
0x20无法加载 xml 文档 %1!s!。%0 Failed to load xml document %1!s!.%0
0x21无法读取 xml 节点 %1!s!。%0 Failed to read xml node %1!s!.%0
0x22在清单文件 %1!s! 中找不到 assembly/instrumentation/events:events 或 events:instrumentationManifest/events:instrumentation/events:events 节点。xmlns:events="http://schemas.microsoft.com/win/2004/08/events"%0 assembly/instrumentation/events:events or events:instrumentationManifest/events:instrumentation/events:events node is not found in manifest file %1!s!. xmlns:events="http://schemas.microsoft.com/win/2004/08/events"%0
0x23属性 %1!s! 的值无效。%0 Invalid value for property %1!s!.%0
0x24找不到 LCID %1!s!。%0 LCID %1!s! cannot be found.%0
0x25配置文件的根节点不是订阅或所处的命名空间不正确。%0 Root node of config file is not Subscription or in correct namespace.%0
0x26Windows 事件命令行实用程序。用于检索有关事件日志和发布者的信息,安装和卸载事件清单,运行查询以及导出、存档和清除日志。用法:你可以使用短(如 ep /uni)或长(如 enum-publishers /unicode)形式的命令和选项名称。命令、选项和选项值不区分大小写。变量均使用大写形式。wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]命令:el | enum-logs 列出日志名称。gl | get-log 获取日志配置信息。sl | set-log 修改日志配置。ep | enum-publishers 列出事件发布者。gp | get-publisher 获取发布者配置信息。im | install-manifest 从清单中安装事件发布者和日志。um | uninstall-manifest 从清单中卸载事件发布者和日志。qe | query-events 从日志或日志文件中查询事件。gli | get-log-info 获取日志状态信息。epl | export-log 导出日志。al | archive-log 存档导出的日志。cl | clear-log 清除日志。常用选项:/{r | remote}:VALUE如果指定,则在远程计算机上运行该命令。VALUE 是远程计算机名称。/im 和 /um 选项不支持远程操作。/{u | username}:VALUE指定一个不同的用户以登录到远程计算机。VALUE 是 domain\user 或 user 形式的用户名。只有在指定 /r 选项时才适用。/{p | password}:VALUE指定的用户密码。如果未指定,或者 VALUE 为 "*",则会提示用户输入密码。只有在指定 /u 选项时才适用。/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]用于连接到远程计算机的身份验证类型。默认值为 Negotiate。/{uni | unicode}:[true|false]使用 Unicode 显示输出。如果为 true,则使用 Unicode 显示输出。要了解特定命令的详细信息,请键入以下命令:wevtutil COMMAND /?
Windows Events Command Line Utility.
Enables you to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs.
Usage:
You can use either the short (for example, ep /uni) or long (for example, enum-publishers /unicode) version of the command and option names. Commands, options and option values are not case-sensitive.
Variables are noted in all upper-case.
wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]
Commands:
el | enum-logs List log names.
gl | get-log Get log configuration information.
sl | set-log Modify configuration of a log.
ep | enum-publishers List event publishers.
gp | get-publisher Get publisher configuration information.
im | install-manifest Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events Query events from a log or log file.
gli | get-log-info Get log status information.
epl | export-log Export a log.
al | archive-log Archive an exported log.
cl | clear-log Clear a log.
Common options:
/{r | remote}:VALUE
If specified, run the command on a remote computer. VALUE is the remote computer name. Options /im and /um do not support remote operations.
/{u | username}:VALUE
Specify a different user to log on to the remote computer. VALUE is a user name in the form domain\user or user. Only applicable when option /r is specified.
/{p | password}:VALUE
Password for the specified user. If not specified, or if VALUE is "*", the user will be prompted to enter a password. Only applicable when the /u option is specified.
/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
Authentication type for connecting to remote computer. The default is Negotiate.
/{uni | unicode}:[true|false]
Display output in Unicode. If true, then output is in Unicode.
To learn more about a specific command, type the following:
wevtutil COMMAND /?
0x27值 "%1!s!" 对于隔离选项无效。%0 value "%1!s!" is invalid for isolation option.%0
0x28列出所有日志的名称。用法:wevtutil { el | enum-logs }示例:以下示例列出所有日志的名称。wevtutil el
List the names of all logs.
Usage:
wevtutil { el | enum-logs }
Example:
The following example lists the names of all logs.
wevtutil el
0x29无法打开通道枚举。%0 Failed to open channel enumeration.%0
0x2A无法枚举通道。%0 Failed to enumerate channels.%0
0x2B显示事件日志配置信息,包括是否启用日志、日志的当前最大大小限制以及存储日志的文件的路径。用法:wevtutil { gl | get-log } [/OPTION:VALUE [/OPTION:VALUE] ...]唯一地标识日志的字符串。你可以通过运行 wevtutil el,显示所有日志名称的列表。选项:你可以使用短(如 /f)或长(如 /format)形式的选项名称。选项及其值不区分大小写。/{f | format}:[XML|Text]指定日志文件格式。默认值为 Text。如果指定 XML,则使用 XML 格式存储输出。如果指定 Text,则不使用 XML 标记存储输出。示例:以下示例使用 XML 格式显示有关本地系统日志的配置信息。wevtutil gl System /f:xml
Displays event log configuration information, including whether the log is enabled, the current maximum size limit of the log and the path to the file where the log is stored.
Usage:
wevtutil { gl | get-log } [/OPTION:VALUE [/OPTION:VALUE] ...]
String that uniquely identifies a log. You can display a list of all the log names by running wevtutil el.
Options:
You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive.
/{f | format}:[XML|Text]
Specify the log file format. The default is Text. If XML is specified, output is stored in XML format. If Text is specified, output is stored without XML tags.
Example:
The following example displays configuration information about the local System log in XML format.
wevtutil gl System /f:xml
0x2C修改日志配置。用法:wevtutil { sl | set-log } [/OPTION:VALUE [/OPTION:VALUE] ...]唯一地标识日志的字符串。如果指定了 /ca 选项,则不应指定 ,因为它是从配置文件中读取的。选项:你可以使用短(如 /e)或长(如 /enable)形式的选项名称。选项及其值不区分大小写。/{e | enabled}:[true|false]启用或禁用日志。/{q | quiet}:[true|false]无提示显示选项。不向用户显示任何提示或消息。如果未指定,则默认值为 true。/{fm | filemax}:设置用于保留事件的最大启用数,其中, 是 1 到 16 之间的整数。将为每个启用创建一个文件,因此,如果该值为 2,则事件是从最后两个启用中生成的。重新启动先计为禁用通道,然后计为重新启用通道。 /{i | isolation}:[system|application|custom]日志隔离模式。日志隔离模式决定了日志是否与相同隔离级别的其他日志共享会话。如果指定系统隔离,则目标日志至少与系统日志共享写入权限。如果指定应用程序隔离,则目标日志至少与应用程序日志共享写入权限。如果指定自定义隔离,你还必须使用 /ca 选项提供安全描述符。/{lfn | logfilename}:VALUE日志文件名称。VALUE 是事件日志服务在其中存储此日志的事件的文件的完整路径。/{rt | retention}:[true|false]日志保留模式。日志保留模式决定了在日志达到其最大大小时的事件日志服务行为。如果事件日志达到其最大大小,并且日志保留模式为 true,则保留现有的事件并丢弃传入事件。如果日志保留模式为 false,传入事件将覆盖日志中的最早事件。/{ab | autobackup}:[true|false]日志自动备份策略。如果 autobackup 为 true,则在日志达到其最大大小时自动备份日志。此外,如果 autobackup 为 true,必须将 retention 设置为 true (使用 /rt 选项指定)。/{ms | maxsize}:最大日志大小,其中 是字节数。请注意, 的最小值为 1048576 (1024KB),而日志文件始终是 64KB 的倍数,因此,将相应地对指定的值进行四舍五入。/{l | level}:日志的级别筛选器,其中 是任何有效的级别值。仅适用于专用会话的日志。可通过将 设置为 0 来删除级别筛选器。/{k | keywords}:VALUE日志的关键字筛选器。VALUE 可以是任何有效的 64 位关键字掩码。仅适用于专用会话的日志。/{ca | channelaccess}:VALUE事件日志的访问权限。VALUE 是使用安全描述符定义语言(SDDL)指定的安全描述符。搜索 MSDN (http://msdn.microsoft.com) 以了解 SDDL 格式信息。/{c | config}:VALUE配置文件路径,其中 VALUE 是完整文件路径。如果指定,则从此配置文件中读取日志属性。如果指定此选项,则不能指定 命令行参数。将从此配置文件中读取日志名称。示例:以下示例通过使用配置文件,为应用程序日志设置保留、自动备份和最大日志大小。请注意,配置文件是一个 XML 文件,它使用与 wevtutil gl /f:xml 输出相同的格式。C:\config.xml true true 9000000 wevtutil sl /c:config.xml
Modify the configuration of a log.
Usage:
wevtutil { sl | set-log } [/OPTION:VALUE [/OPTION:VALUE] ...]
String that uniquely identifies a log. If option /c is specified, should not be specified since it is read from the config file.
Options:
You can use either the short (for example, /e) or long (for example, /enable) version of the option names. Options and their values are not case-sensitive.
/{e | enabled}:[true|false]
Enable or disable a log.
/{q | quiet}:[true|false]
Quiet display option. No prompts or messages are displayed to the user. If not specified, the default is true.
/{fm | filemax}:
Set Maximum number of enablements across which to preserve events, where is an integer between 1 and 16. One file is created for each enablement, so if this value is 2, events will be produced from the last two enablements. A reboot counts as disabling and then re-enabling the channel.
/{i | isolation}:[system|application|custom]
Log isolation mode. The isolation mode of a log determines whether a log shares a session with other logs in the same isolation class. If you specify system isolation, the target log will share at least write permissions with the System log. If you specify application isolation, the target log will share at least write permissions with the Application log. If you specify custom isolation, you must also provide a security descriptor by using the /ca option.
/{lfn | logfilename}:VALUE
Log file name. VALUE is the full path to the file where the Event Log service stores events for this log.
/{rt | retention}:[true|false]
Log retention mode. The log retention mode determines the behavior of the Event Log service when a log reaches its maximum size. If an event log reaches its maximum size and the log retention mode is true, existing events are retained and incoming events are discarded. If the log retention mode is false, incoming events overwrite the oldest events in the log.
/{ab | autobackup}:[true|false]
Log autobackup policy. If autobackup is true, the log will be backed up automatically when it reaches the maximum size. In addition, if autobackup is true, retention (specified with the /rt option) must be set to true.
/{ms | maxsize}:
Maximum size of log, where is the number of bytes. Note that the minimum value for is 1048576 (1024KB) and log files are always multiples of 64KB, so the specified value will be rounded accordingly.
/{l | level}:
Level filter of log, where is any valid level value. Only applicable to logs with a dedicated session. You can remove a level filter by setting to 0.
/{k | keywords}:VALUE
Keywords filter of log. VALUE can be any valid 64 bit keyword mask. Only applicable to logs with a dedicated session.
/{ca | channelaccess}:VALUE
Access permission for an event log. VALUE is a security descriptor specified using the Security Descriptor Definition Language (SDDL). Search MSDN (http://msdn.microsoft.com) for information about SDDL format.
/{c | config}:VALUE
Path to the config file, where VALUE is the full file path. If specified, log properties will be read from this config file. If this option is specified, you must not specify the command line parameter. The log name will be read from the config file.
Example:
The following example sets retention, autobackup and maximum log size on the Application log by using a config file. Note that the config file is an XML file with the same format as the output of wevtutil gl /f:xml.
C:\config.xml true true 9000000 wevtutil sl /c:config.xml
0x2D列出事件发布者。用法:wevtutil { ep | enum-publishers }示例:以下示例列出当前计算机上的事件发布者。wevtutil ep
List event publishers.
Usage:
wevtutil { ep | enum-publishers }
Example:
The following example lists the event publishers on the current computer.
wevtutil ep
0x2E获取事件发布者的配置信息。用法:wevtutil { gp | get-publisher } [/OPTION:VALUE [/OPTION:VALUE] ...]唯一地标识事件发布者的字符串。你可以通过键入 wevtutil ep,获取发布者名称的列表。选项:你可以使用短(如 /f)或长(如 /format)形式的选项名称。选项及其值不区分大小写。/{ge | getevents}:[true|false]获取此发布者可能引发的事件的元数据信息。/{gm | getmessage}:[true|false]显示实际消息,而不是数字消息 ID。/{f | format}:[XML|Text]指定日志文件格式。默认值为 Text。如果指定 XML,则使用 XML 格式打印输出。如果指定 Text,则不使用 XML 标记打印输出。示例:以下示例显示有关 Microsoft-Windows-Eventlog 事件发布者的信息,其中包括有关此发布者可能引发的事件的元数据。wevtutil gp Microsoft-Windows-Eventlog /ge:true
Get configuration information for event publishers.
Usage:
wevtutil { gp | get-publisher } [/OPTION:VALUE [/OPTION:VALUE] ...]
String that uniquely identifies an event publisher. You can obtain a list of publisher names by typing wevtutil ep.
Options:
You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive.
/{ge | getevents}:[true|false]
Get metadata information for events that can be raised by this publisher.
/{gm | getmessage}:[true|false]
Display the actual message instead of the numeric message ID.
/{f | format}:[XML|Text]
Specify the log file format. The default is Text. If XML is specified, print output in XML format. If Text is specified, print output without XML tags.
Example:
The following example displays information about the Microsoft-Windows-Eventlog event publisher including metadata about the events that the publisher can raise.
wevtutil gp Microsoft-Windows-Eventlog /ge:true
0x2F从事件日志或日志文件中读取事件,或使用结构化查询读取事件。用法:wevtutil { qe | query-events } [/OPTION:VALUE [/OPTION:VALUE] ...]默认情况下,请为 参数提供日志名称。不过,如果你使用 /lf 选项,则必须为 参数提供日志文件路径。如果你使用 /sq 参数,则必须提供包含结构化查询的文件的路径。选项:你可以使用短(如 /f)或长(如 /format)形式的选项名称。选项及其值不区分大小写。/{lf | logfile}:[true|false]如果为 true,则 是日志文件的完整路径。/{sq | structuredquery}:[true|false]如果为 true,则 是包含结构化查询的文件的完整路径。/{q | query}:VALUEVALUE 是用于筛选读取的事件的 XPath 查询。如果未指定,则返回所有事件。如果 /sq 为 true,则不能使用此选项。/{bm | bookmark}:VALUEVALUE 是包含上一查询的书签的文件的完整路径。/{sbm | savebookmark}:VALUEVALUE 是用于保存此查询的书签的文件的完整路径。文件扩展名应为 .xml。/{rd | reversedirection}:[true|false]事件读取方向。如果为 true,则先返回最近的事件。/{f | format}:[XML|Text|RenderedXml]默认值为 XML。如果指定 Text,则使用易于读取的文本格式打印事件,而不是使用 XML 格式。如果指定 RenderedXml,则使用 XML 格式打印事件并包含呈现信息。请注意,使用 Text 或 RenderedXml 格式打印事件比使用 XML 格式打印慢。/{l | locale}:VALUEVALUE 是以特定区域设置打印事件文本的区域设置字符串。只有在使用 /f 选项以文本格式打印事件时,才能使用该字符串。/{c | count}:要读取的最大事件数。/{e | element}:VALUE在输出事件 XML 时,包含一个根元素以生成正确格式的 XML。VALUE 是要包含在根元素中的字符串。例如,指定 /e:root 将导致使用根元素对 输出 XML。示例:以下示例使用文本格式显示应用程序日志中的三个最近的事件。wevtutil qe Application /c:3 /rd:true /f:text
Read events from an event log, log file or using structured query.
Usage:
wevtutil { qe | query-events } [/OPTION:VALUE [/OPTION:VALUE] ...]
By default, you provide a log name for the parameter. However, if you use the /lf option, you must provide the path to a log file for the parameter. If you use the /sq parameter, you must provide the path to a file containing a structured query.
Options:
You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive.
/{lf | logfile}:[true|false]
If true, is the full path to a log file.
/{sq | structuredquery}:[true|false]
If true, is the full path to a file that contains a structured query.
/{q | query}:VALUE
VALUE is an XPath query to filter events read. If not specified, all events will be returned. This option is not available when /sq is true.
/{bm | bookmark}:VALUE
VALUE is the full path to a file that contains a bookmark from a previous query.
/{sbm | savebookmark}:VALUE
VALUE is the full path to a file in which to save a bookmark of this query. The file extension should be .xml.
/{rd | reversedirection}:[true|false]
Event read direction. If true, the most recent events are returned first.
/{f | format}:[XML|Text|RenderedXml]
The default value is XML. If Text is specified, prints events in an easy to read text format, rather than in XML format. If RenderedXml, prints events in XML format with rendering information. Note that printing events in Text or RenderedXml formats is slower than printing in XML format.
/{l | locale}:VALUE
VALUE is a locale string to print event text in a specific locale. Only available when printing events in text format using the /f option.
/{c | count}:
Maximum number of events to read.
/{e | element}:VALUE
When outputting event XML, include a root element to produce well-formed XML. VALUE is the string you want within the root element. For example, specifying /e:root would result in output XML with the root element pair .
Example:
The following example displays the three most recent events from the Application log in text format.
wevtutil qe Application /c:3 /rd:true /f:text
0x30选项查询仅适用于查询类型日志和日志文件。%0 Option query is only available for querytype Log and LogFile.%0
0x31无法打开事件查询。%0 Failed to open event query.%0
0x32无法在指定的书签中查找事件。%0 Failed to seek to event at the specified bookmark.%0
0x33无法在指定的事件记录中查找事件。%0 Failed to seek to event at the specified event record.%0
0x34无法读取事件。%0 Failed to read events.%0
0x35无法将书签保存到文件 "%1!s!" 中。%0 Failed to save bookmark to file "%1!s!".%0
0x36获取有关事件日志或日志文件的状态信息。用法:wevtutil { gli | get-loginfo } 日志名称或日志文件路径。如果 /lf 选项为 true,则它是日志文件路径,并且需要提供日志文件路径。如果 /lf 为 false,则它是日志名称。你可以通过键入 wevtutil el,查看日志名称的列表。选项:你可以使用短(如 /lf)或长(如 /logfile)形式的选项名称。选项及其值不区分大小写。/{lf | logfile}:[true|false]指定是否创建日志文件。如果为 true,则 是日志文件路径。示例:wevtutil gli Application
Get status information about an event log or log file.
Usage:
wevtutil { gli | get-loginfo }
Log name or log file path. If option /lf is true, it is a log file path, and the path to the log file is required. If /lf is false, it is the log name. You can view a list of log names by typing wevtutil el.
Options:
You can use either the short (for example, /lf) or long (for example, /logfile) version of the option names. Options and their values are not case-sensitive.
/{lf | logfile}:[true|false]
Specify whether to create a log file. If true, is the log file path.
Example:
wevtutil gli Application
0x37从事件日志中清除事件,以及备份清除的事件(可选)。用法:wevtutil { cl | clear-log } [/OPTION:VALUE]要清除的日志的名称。你可以通过键入 wevtutil el,检索日志名称的列表。选项:你可以使用短(如 /bu)或长(如 /backup)形式的选项名称。选项及其值不区分大小写。/{bu | backup}:VALUE清除的事件的备份文件。如果指定,则将清除的事件保存到备份文件中。请在备份文件名中包括 .evtx 扩展名。示例: 以下示例在将事件保存到 C:\admin\backups\al0306.evtx 后,从应用程序日志中清除所有事件。wevtutil.exe cl Application /bu:C:\admin\backups\al0306.evtx
Clear events from an event log and, optionally, back up cleared events.
Usage:
wevtutil { cl | clear-log } [/OPTION:VALUE]
Name of log to clear. You can retrieve a list of log names by typing wevtutil el.
Options:
You can use either the short (for example, /bu) or long (for example, /backup) version of the option names. Options and their values are not case-sensitive.
/{bu | backup}:VALUE
Backup file for cleared events. If specified, the cleared events will be saved to the backup file. Include the .evtx extension in the backup file name.
Example:
The following example clears all the events from the Application log after saving them to C:\admin\backups\al0306.evtx.
wevtutil.exe cl Application /bu:C:\admin\backups\al0306.evtx
0x38无法清除日志 %1!s!。%0 Failed to clear log %1!s!.%0
0x39将日志或日志文件中的事件导出到一个文件,或者使用结构化查询进行导出。用法:wevtutil { epl | export-log } [/OPTION:VALUE [/OPTION:VALUE] ...]默认情况下,请为 提供日志名称。不过,如果你使用 /lf 选项,请为 值提供日志文件路径。如果你使用 /sq 参数,请提供包含结构化查询的文件的路径。要将导出的事件存储到的文件的路径。选项:你可以使用短(如 /l)或长(如 /locale)形式的选项名称。选项及其值不区分大小写。/{lf | logfile}:[true|false]如果为 true,则 是日志文件的路径。/{sq | structuredquery}:[true|false]如果为 true,则 是包含结构化查询的文件的路径。如果选择多个事件(但不是全部),该命令可能需要很长的时间。/{q | query}:VALUEVALUE 是用于筛选要导出的事件的 XPath 查询。如果未指定,则返回所有事件。如果 /sq 为 true,则不能使用此选项。如果选择多个事件(但不是全部),该命令可能需要很长的时间。/{ow | overwrite}:[true|false]如果为 true,并且 中指定的目标文件已存在,则会覆盖该文件而不进行确认。示例:以下示例将系统日志中的事件导出到 C:\backup\system0506.evtx。wevtutil epl System C:\backup\system0506.evtx
Export events from a log, log file, or using structured query to a file.
Usage:
wevtutil { epl | export-log } [/OPTION:VALUE [/OPTION:VALUE] ...]
By default, you provide a log name for . However, if you use the /lf option, then you provide the path to a log file for the value. If you use the /sq parameter, then you provide the path to a file containing a structured query.
Path to the file where the exported events are to be stored.
Options:
You can use either the short (for example, /l) or long (for example, /locale) version of the option names. Options and their values are not case-sensitive.
/{lf | logfile}:[true|false]
If true, is the path to a log file.
/{sq | structuredquery}:[true|false]
If true, is the path to a file that contains a structured query. The command might take a long time if selecting many, but not all, events.
/{q | query}:VALUE
VALUE is an XPath query to filter the events you want to export. If not specified, all events will be returned. This option is not available when /sq is true. The command might take a long time if selecting many, but not all, events.
/{ow | overwrite}:[true|false]
If true, and the destination file specified in already exists, it will be overwritten without confirmation.
Example:
The following example exports events from System log to C:\backup\system0506.evtx.
wevtutil epl System C:\backup\system0506.evtx
0x3A无法导出日志 %1!s!。%0 Failed to export log %1!s!.%0
0x3B使用自包含格式存档日志文件。使用区域设置名称创建一个子目录,并将区域设置特定的所有信息保存在该子目录中。如果使用 archive-log 命令创建的目录以及日志文件都存在,无论是否安装了发布者,都可以读取该文件中的事件。用法:wevtutil { al | archive-log } [/OPTION:VALUE [/OPTION:VALUE] ...]要存档的日志文件。可以使用 export-log 或 clear-log 命令生成日志文件。选项:你可以使用短(如 /l)或长(如 /locale)形式的选项名称。选项及其值不区分大小写。/{l | locale}:VALUEVALUE 是以特定区域设置存档日志的区域设置字符串。如果未指定,则使用当前控制台的区域设置。有关所有支持的区域设置字符串列表,请参阅 Microsoft Developer Network (MSDN) 文档中的 LocaleNameToLCID API。
Archive log file in a self-contained format. A subdirectory with the name of the locale is created and all locale-specific information is saved in that subdirectory. When the directory created by the archive-log command is present along with the log file, events in the file can be read whether or not the publisher is installed.
Usage:
wevtutil { al | archive-log } [/OPTION:VALUE [/OPTION:VALUE] ...]
The log file to be archived. A log file can be generated using export-log or clear-log command.
Options:
You can use either the short (for example, /l) or long (for example, /locale) version of the option names. Options and their values are not case-sensitive.
/{l | locale}:VALUE
VALUE is a locale string to archive a log in a specific locale. If not specified, the locale of the current console will be used. For a list of all supported locale strings, please refer to the Microsoft Developer Network (MSDN) documentation for the LocaleNameToLCID API.
0x3C无法存档日志 %1!s!。%0 Failed to archive log %1!s!.%0
0x3D从清单中安装事件发布者和日志。用法:wevtutil { im | install-manifest } [/OPTION:VALUE [/OPTION:VALUE] ...]事件清单的文件路径。将安装清单中定义的所有发布者和日志。要了解事件清单以及使用此选项的详细信息,请参阅 Microsoft Developers Network (MSDN)中的 Windows Eventing SDK,网址为 http://msdn.microsoft.com。选项:你可以使用短(如 /rf)或长(如 /resourceFilePath)形式的选项名称。选项及其值不区分大小写。/{rf | resourceFilePath}:VALUE要替换的清单中的提供程序元素的ResourceFileName 属性。VALUE 应该是资源文件的完整路径。/{mf | messageFilePath}:VALUE要替换的清单中的提供程序元素的 MessageFileName 属性。VALUE 应该是消息文件的完整路径。/{pf | parameterFilePath}:VALUE要替换的清单中的提供程序元素的 ParameterFileName 属性。VALUE 应该是参数文件的完整路径。示例:以下示例从 myManifest.man 清单文件中安装发布者和日志。wevtutil im myManifest.man /rf:^%systemroot^%/System32/wevtutil.exe
Install event publishers and logs from manifest.
Usage:
wevtutil { im | install-manifest } [/OPTION:VALUE [/OPTION:VALUE] ...]
File path to an event manifest. All publishers and logs defined in the manifest will be installed. To learn more about event manifests and using this option, consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) at http://msdn.microsoft.com.
Options:
You can use either the short (for example, /rf) or long (for example, /resourceFilePath) version of the option names. Options and their values are not case-sensitive.
/{rf | resourceFilePath}:VALUE
ResourceFileName attribute of the Provider Element in the manifest to be replaced. The VALUE should be the full path to the resource file.
/{mf | messageFilePath}:VALUE
MessageFileName attribute of the Provider Element in the manifest to be replaced. The VALUE should be the full path to the message file.
/{pf | parameterFilePath}:VALUE
ParameterFileName attribute of the Provider Element in the manifest to be replaced. The VALUE should be the full path to the parameter file.
Example:
The following example installs publishers and logs from the myManifest.man manifest file.
wevtutil im myManifest.man /rf:^%systemroot^%/System32/wevtutil.exe
0x3E已成功安装发布者和通道,但我们无法启用一个或多个发布者和通道。%0 The publishers and channels were installed successfully, but we can't enable one or more publishers and channels.%0
0x3F从清单中卸载事件发布者和日志。用法:wevtutil { um | uninstall-manifest } 事件清单的文件路径。将卸载清单中定义的所有发布者和日志。要了解事件清单以及使用此选项的详细信息,请参阅 Microsoft Developers Network (MSDN)上的 Windows Eventing SDK,网址为 http://msdn.microsoft.com。示例:以下示例从 myManifest.man 清单文件中卸载发布者和日志。wevtutil um myManifest.man
Uninstall event publishers and logs from manifest.
Usage:
wevtutil { um | uninstall-manifest }
File path to an event manifest. All publishers and logs defined in the manifest will be uninstalled. To learn more about event manifests and using this option, consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) at http://msdn.microsoft.com.
Example:
The following example uninstalls publishers and logs from the myManifest.man manifest file.
wevtutil um myManifest.man
0x40为 %1!s! 键入密码: %0 Type the password for %1!s!:%0
0x41无法读取文件 %1!s!。%0 Failed to read file %1!s!.%0
0x42通道属性 %1!s! 的值包含无效的值。%0 The value for channel property %1!s! contains an invalid value.%0
0x43如果未指定选项 %2!s!,则无法使用选项 %1!s!。%0 Option %1!s! is not available if option %2!s! is not specified.%0
0x44**** 警告: 启用这种类型的日志会将其清除。是否要启用并清除此日志? [y/n]: **** Warning: Enabling this type of log clears it. Do you want to enable and clear this log? [y/n]:
0x45****警告: 找不到发布者 %1 资源,或者无法通过本地服务帐户访问这些资源。 **** Warning: Publisher %1 resources could not be found or are not accessible to the Local Service account.
0x46**** 警告: 系统上安装了发布者 %1。仅添加新的值。如果要更新以前的设置,请先卸载清单。 **** Warning: Publisher %1 is installed on the system. Only new values would be added. If you want to update previous settings, uninstall the manifest first.
0x47清单中的提供程序 %1 缺少通道名称属性。 Provider %1 in the manifest is missing the channel name attribute.
0x48清单中的提供程序 %1 包含的通道 %2 缺少类型属性。 Provider %1 in the manifest contains channel %2 that is missing the type attribute.
0x49提供程序 %1{%2} 缺少通道名称属性。 Provider %1{%2} is missing the channel name attribute.
0x4A提供程序 %1 清单检测到通道 %2 使用不支持的类型 %3 Provider %1 manifest has declared a channel %2 that uses a non-supported type %3
0x4B提供程序 %1 清单检测到通道 %2 使用不支持的隔离 %3 Provider %1 manifest has declared a channel %2 that uses a non-supported isolation %3
0x4C已安装具有 GUID %2 的提供程序 %1。 Provider %1 is already installed with GUID %2.
0x4D通道 %1 是通过现有的提供程序 %2{%3} 声明的。 Channel %1 is declared by an existing provider %2{%3}.
0x4E提供程序包含两个具有相同值的通道。 Provider has two channels with the same value.
0x4F提供程序缺少 GUID 属性。 Provider is missing the GUID attribute.
0x50注册表中的提供程序 %1 缺少名称。 Provider %1 is missing the name in the registry.
0x51提供程序 %1{%2} 具有注册表值计数 %3。 Provider %1{%2} has Registry value Count %3.
0x52提供程序 %1{%2} 在 channelreferences 注册表项下面缺少通道。 Provider %1{%2} is missing channels under the channelreferences registry key.
0x53提供程序 %1{%2} 缺少索引项 %3 的通道名称。 Provider %1{%2} is missing the channel name for the index key %3.
0x54提供程序 %1{%2} 包含的索引通道 %3 缺少默认注册表值。 Provider %1{%2} has a channel indexed %3 that is missing the default registry value.
0x55****警告: 在资源文件中找不到发布者 %1。resourceFileName: %2 **** Warning: Publisher %1 was not found in the resource file. resourceFileName: %2
0x56****警告: 找不到发布者 %1 的资源文件,或者无法打开该文件。resourceFileName: %2 **** Warning: The resource file for publisher %1 was not found or could not be opened. resourceFileName: %2
0x57****警告: 发布者 %1 的资源文件不包含元数据资源。请确保将消息编译器生成的 .bin 文件链接到指定的二进制文件。resourceFileName: %2 **** Warning: The resource file for publisher %1 does not contain the metadata resource. Make sure to link the .bin file generated by the Message Compiler into the specified binary. resourceFileName: %2
0x58安全密码输入在此版本的 Windows 上不可用。%0 Secure password input is not available on this version of Windows.%0
0x59“事件日志”服务在此版本的 Windows 上不可用。命令 %1!s! 不受支持。 The Event Log service is not available on this version of Windows. Command %1!s! is not supported.
0x5A**** 警告: “事件日志”服务在此版本的 Windows 上不可用。发布者和通道已成功安装,但没有该服务我们无法验证 %1!s! 的发布者资源。 **** Warning: The Event Log service is not available on this version of Windows. The publishers and channels were installed successfully, but we can't validate the publisher resources for %1!s! without the service.

EXIF

File Name:wevtutil.exe.mui
Directory:%WINDIR%\WinSxS\amd64_microsoft-windows-e..mmandline.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_a5338d21172f21c5\
File Size:24 kB
File Permissions:rw-rw-rw-
File Type:Win32 DLL
File Type Extension:dll
MIME Type:application/octet-stream
Machine Type:Intel 386 or later, and compatibles
Time Stamp:0000:00:00 00:00:00
PE Type:PE32
Linker Version:14.10
Code Size:0
Initialized Data Size:24576
Uninitialized Data Size:0
Entry Point:0x0000
OS Version:10.0
Image Version:10.0
Subsystem Version:6.0
Subsystem:Windows GUI
File Version Number:10.0.15063.0
Product Version Number:10.0.15063.0
File Flags Mask:0x003f
File Flags:(none)
File OS:Windows NT 32-bit
Object File Type:Dynamic link library
File Subtype:0
Language Code:Chinese (Simplified)
Character Set:Unicode
Company Name:Microsoft Corporation
File Description:事件命令行实用程序
File Version:10.0.15063.0 (WinBuild.160101.0800)
Internal Name:wevtutil.exe
Legal Copyright:© Microsoft Corporation. All rights reserved.
Original File Name:wevtutil.exe.mui
Product Name:Microsoft® Windows® Operating System
Product Version:10.0.15063.0
Directory:%WINDIR%\WinSxS\x86_microsoft-windows-e..mmandline.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_4914f19d5ed1b08f\

What is wevtutil.exe.mui?

wevtutil.exe.mui is a Multilingual User Interface resource file that contains the Chinese (Simplified) language resources for the file wevtutil.exe (事件命令行实用程序, "Event Command Line Utility").

File version info

File Description:事件命令行实用程序
File Version:10.0.15063.0 (WinBuild.160101.0800)
Company Name:Microsoft Corporation
Internal Name:wevtutil.exe
Legal Copyright:© Microsoft Corporation. All rights reserved.
Original Filename:wevtutil.exe.mui
Product Name:Microsoft® Windows® Operating System
Product Version:10.0.15063.0
Translation:0x804, 1200