| 0x1 | Failed to open config file: %1!s!.%0 |
Failed to open config file: %1!s!.%0 |
| 0x2 | Invalid config file.%0 |
Invalid config file.%0 |
| 0x3 | Failed to initialize COM.%0 |
Failed to initialize COM.%0 |
| 0x4 | Failed to get %1!s! property.%0 |
Failed to get %1!s! property.%0 |
| 0x5 | Failed to set %1!s! property.%0 |
Failed to set %1!s! property.%0 |
| 0x6 | Command %1!s! is not supported.%0 |
Command %1!s! is not supported.%0 |
| 0x7 | Invalid option %1!s!. Option name is not specified.%0 |
Invalid option %1!s!. Option name is not specified.%0 |
| 0x8 | Invalid option %1!s!. Option is specified more than once.%0 |
Invalid option %1!s!. Option is specified more than once.%0 |
| 0xA | Invalid option %1!s!. Option value is not specified.%0 |
Invalid option %1!s!. Option value is not specified.%0 |
| 0xB | Invalid option %1!s!. Option is not Boolean.%0 |
Invalid option %1!s!. Option is not Boolean.%0 |
| 0xC | Invalid option %1!s!. Option is not supported.%0 |
Invalid option %1!s!. Option is not supported.%0 |
| 0xD | Invalid value for option %1!s!.%0 |
Invalid value for option %1!s!.%0 |
| 0xE | option %1!s! and %2!s! cannot be specified at the same time.%0 |
option %1!s! and %2!s! cannot be specified at the same time.%0 |
| 0xF | Too many arguments are specified.%0 |
Too many arguments are specified.%0 |
| 0x10 | Required argument(s) is/are not specified.%0 |
Required argument(s) is/are not specified.%0 |
| 0x11 | Internal error.%0 |
Internal error.%0 |
| 0x12 | Failed to open session to server: %1!s!.%0 |
Failed to open session to server: %1!s!.%0 |
| 0x13 | Failed to read password.%0 |
Failed to read password.%0 |
| 0x14 | Command is not specified.%0 |
Command is not specified.%0 |
| 0x15 | Failed to open metadata for publisher %1!s!.%0 |
Failed to open metadata for publisher %1!s!.%0 |
| 0x16 | Failed to open publisher enumeration.%0 |
Failed to open publisher enumeration.%0 |
| 0x17 | Failed to enumerate publishers.%0 |
Failed to enumerate publishers.%0 |
| 0x18 | Failed to load resource %1!s!.%0 |
Failed to load resource %1!s!.%0 |
| 0x19 | Failed to open event metadata for publisher %1!s!.%0 |
Failed to open event metadata for publisher %1!s!.%0 |
| 0x1A | Failed to enumerate event metadata for publisher %1!s!.%0 |
Failed to enumerate event metadata for publisher %1!s!.%0 |
| 0x1B | Failed to render event. Event handle = 0x%1!08x!.%0 |
Failed to render event. Event handle = 0x%1!08x!.%0 |
| 0x1C | Failed to register subscription %1!s!.%0 |
Failed to register subscription %1!s!.%0 |
| 0x1D | Failed to read configuration for log %1!s!.%0 |
Failed to read configuration for log %1!s!.%0 |
| 0x1E | Failed to save configuration or activate log %1!s!.%0 |
Failed to save configuration or activate log %1!s!.%0 |
| 0x1F | Failed to read log status information for log %1!s!.%0 |
Failed to read log status information for log %1!s!.%0 |
| 0x20 | Failed to load xml document %1!s!.%0 |
Failed to load xml document %1!s!.%0 |
| 0x21 | Failed to read xml node %1!s!.%0 |
Failed to read xml node %1!s!.%0 |
| 0x22 | assembly/instrumentation/events:events or events:instrumentationManifest/events:instrumentation/events:events nodeis not found in manifest file %1!s!.xmlns:events=\"http://schemas.microsoft.com/win/2004/08/events\"%0 |
assembly/instrumentation/events:events or events:instrumentationManifest/events:instrumentation/events:events nodeis not found in manifest file %1!s!.xmlns:events=\"http://schemas.microsoft.com/win/2004/08/events\"%0 |
| 0x23 | Invalid value for property %1!s!.%0 |
Invalid value for property %1!s!.%0 |
| 0x24 | LCID %1!s! cannot be found.%0 |
LCID %1!s! cannot be found.%0 |
| 0x25 | Root node of config file is not Subscription or in correct namespace.%0 |
Root node of config file is not Subscription or in correct namespace.%0 |
| 0x26 | Windows Events Command Line Utility.Enables you to retrieve information about event logs and publishers, installand uninstall event manifests, run queries, and export, archive, and clear logs.Usage:You can use either the short (for example, ep /uni) or long (for example, enum-publishers /unicode) version of the command and option names. Commands, options and option values are not case-sensitive.Variables are noted in all upper-case.wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]Commands:el | enum-logs List log names.gl | get-log Get log configuration information.sl | set-log Modify configuration of a log.ep | enum-publishers List event publishers.gp | get-publisher Get publisher configuration information.im | install-manifest Install event publishers and logs from manifest.um | uninstall-manifest Uninstall event publishers and logs from manifest.qe | query-events Query events from a log or log file.gli | get-log-info Get log status information.epl | export-log Export a log.al | archive-log Archive an exported log.cl | clear-log Clear a log.Common options:/{r | remote}:VALUEIf specified, run the command on a remote computer. VALUE is the remote computer name. Options /im and /um do not support remote operations./{u | username}:VALUESpecify a different user to log on to the remote computer. VALUE is a user namein the form domain\\user or user. Only applicable when option /r is specified./{p | password}:VALUEPassword for the specified user. If not specified, or if VALUE is \"*\", the user will be prompted to enter a password. Only applicable when the /u option isspecified./{a | authentication}:[Default|Negotiate|Kerberos|NTLM]Authentication type for connecting to remote computer. The default is Negotiate./{uni | unicode}:[true|false]Display output in Unicode. If true, then output is in Unicode. To learn more about a specific command, type the following:wevtutil COMMAND /? |
Windows Events Command Line Utility.Enables you to retrieve information about event logs and publishers, installand uninstall event manifests, run queries, and export, archive, and clear logs.Usage:You can use either the short (for example, ep /uni) or long (for example, enum-publishers /unicode) version of the command and option names. Commands, options and option values are not case-sensitive.Variables are noted in all upper-case.wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]Commands:el | enum-logs List log names.gl | get-log Get log configuration information.sl | set-log Modify configuration of a log.ep | enum-publishers List event publishers.gp | get-publisher Get publisher configuration information.im | install-manifest Install event publishers and logs from manifest.um | uninstall-manifest Uninstall event publishers and logs from manifest.qe | query-events Query events from a log or log file.gli | get-log-info Get log status information.epl | export-log Export a log.al | archive-log Archive an exported log.cl | clear-log Clear a log.Common options:/{r | remote}:VALUEIf specified, run the command on a remote computer. VALUE is the remote computer name. Options /im and /um do not support remote operations./{u | username}:VALUESpecify a different user to log on to the remote computer. VALUE is a user namein the form domain\\user or user. Only applicable when option /r is specified./{p | password}:VALUEPassword for the specified user. If not specified, or if VALUE is \"*\", the user will be prompted to enter a password. Only applicable when the /u option isspecified./{a | authentication}:[Default|Negotiate|Kerberos|NTLM]Authentication type for connecting to remote computer. The default is Negotiate./{uni | unicode}:[true|false]Display output in Unicode. If true, then output is in Unicode. To learn more about a specific command, type the following:wevtutil COMMAND /? |
| 0x27 | value \"%1!s!\" is invalid for isolation option.%0 |
value \"%1!s!\" is invalid for isolation option.%0 |
| 0x28 | List the names of all logs.Usage:wevtutil { el | enum-logs }Example:The following example lists the names of all logs.wevtutil el |
List the names of all logs.Usage:wevtutil { el | enum-logs }Example:The following example lists the names of all logs.wevtutil el |
| 0x29 | Failed to open channel enumeration.%0 |
Failed to open channel enumeration.%0 |
| 0x2A | Failed to enumerate channels.%0 |
Failed to enumerate channels.%0 |
| 0x2B | Displays event log configuration information, including whether the log isenabled, the current maximum size limit of the log and the path to the filewhere the log is stored.Usage:wevtutil { gl | get-log } [/OPTION:VALUE [/OPTION:VALUE] ...]String that uniquely identifies a log. You can display a list of all the lognames by running wevtutil el.Options:You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive./{f | format}:[XML|Text]Specify the log file format. The default is Text. If XML is specified, output is stored in XML format. If Text is specified, output is stored without XML tags. Example:The following example displays configuration information about the local System log in XML format.wevtutil gl System /f:xml |
Displays event log configuration information, including whether the log isenabled, the current maximum size limit of the log and the path to the filewhere the log is stored.Usage:wevtutil { gl | get-log } [/OPTION:VALUE [/OPTION:VALUE] ...]String that uniquely identifies a log. You can display a list of all the lognames by running wevtutil el.Options:You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive./{f | format}:[XML|Text]Specify the log file format. The default is Text. If XML is specified, output is stored in XML format. If Text is specified, output is stored without XML tags. Example:The following example displays configuration information about the local System log in XML format.wevtutil gl System /f:xml |
| 0x2C | Modify the configuration of a log.Usage:wevtutil { sl | set-log } [/OPTION:VALUE [/OPTION:VALUE] ...]String that uniquely identifies a log. If option /c is specified, should not be specified since it is read from the config file.Options:You can use either the short (for example, /e) or long (for example, /enable) version of the option names. Options and their values are not case-sensitive./{e | enabled}:[true|false]Enable or disable a log./{q | quiet}:[true|false]Quiet display option. No prompts or messages are displayed to the user. If not specified, the default is true. /{fm | filemax}:Set Maximum number of enablements across which to preserve events, where is an integer between 1 and 16. One file is created for each enablement, so if this value is 2, events will be produced from the last two enablements. A reboot counts as disabling and then re-enabling the channel. /{i | isolation}:[system|application|custom]Log isolation mode. The isolation mode of a log determines whether a log shares a session with other logs in the same isolation class. If you specify system isolation, the target log will share at least write permissions with the System log. If you specify application isolation, the target log will share at least write permissions with the Application log. If you specify custom isolation, you must also provide a security descriptor by using the /ca option./{lfn | logfilename}:VALUELog file name. VALUE is the full path to the file where the Event Log service stores events for this log./{rt | retention}:[true|false]Log retention mode. The log retention mode determines the behavior of the Event Log service when a log reaches its maximum size. If an event log reaches its maximum size and the log retention mode is true, existing events are retained and incoming events are discarded. If the log retention mode is false, incoming events overwrite the oldest events in the log./{ab | autobackup}:[true|false]Log autobackup policy. If autobackup is true, the log will be backed up automatically when it reaches the maximum size. In addition, if autobackup is true, retention (specified with the /rt option) must be set to true./{ms | maxsize}:Maximum size of log, where is the number of bytes. Note that the minimum value for is 1048576 (1024KB) and log files are always multiples of 64KB, so the specified value will be rounded accordingly./{l | level}:Level filter of log, where is any valid level value. Only applicable to logs with a dedicated session. You can remove a level filter by setting to 0./{k | keywords}:VALUEKeywords filter of log. VALUE can be any valid 64 bit keyword mask. Only applicable to logs with a dedicated session./{ca | channelaccess}:VALUEAccess permission for an event log. VALUE is a security descriptor specifiedusing the Security Descriptor Definition Language (SDDL). Search MSDN(http://msdn.microsoft.com) for information about SDDL format./{c | config}:VALUEPath to the config file, where VALUE is the full file path. If specified, log properties will be read from this config file. If this option is specified, you must not specify the command line parameter. The log name will be read from the config file.Example:The following example sets retention, autobackup and maximum log size on the Application log by using a config file. Note that the config file is an XML file with the same format as the output of wevtutil gl /f:xml.C:\\config.xml true true 9000000 wevtutil sl /c:config.xml |
Modify the configuration of a log.Usage:wevtutil { sl | set-log } [/OPTION:VALUE [/OPTION:VALUE] ...]String that uniquely identifies a log. If option /c is specified, should not be specified since it is read from the config file.Options:You can use either the short (for example, /e) or long (for example, /enable) version of the option names. Options and their values are not case-sensitive./{e | enabled}:[true|false]Enable or disable a log./{q | quiet}:[true|false]Quiet display option. No prompts or messages are displayed to the user. If not specified, the default is true. /{fm | filemax}:Set Maximum number of enablements across which to preserve events, where is an integer between 1 and 16. One file is created for each enablement, so if this value is 2, events will be produced from the last two enablements. A reboot counts as disabling and then re-enabling the channel. /{i | isolation}:[system|application|custom]Log isolation mode. The isolation mode of a log determines whether a log shares a session with other logs in the same isolation class. If you specify system isolation, the target log will share at least write permissions with the System log. If you specify application isolation, the target log will share at least write permissions with the Application log. If you specify custom isolation, you must also provide a security descriptor by using the /ca option./{lfn | logfilename}:VALUELog file name. VALUE is the full path to the file where the Event Log service stores events for this log./{rt | retention}:[true|false]Log retention mode. The log retention mode determines the behavior of the Event Log service when a log reaches its maximum size. If an event log reaches its maximum size and the log retention mode is true, existing events are retained and incoming events are discarded. If the log retention mode is false, incoming events overwrite the oldest events in the log./{ab | autobackup}:[true|false]Log autobackup policy. If autobackup is true, the log will be backed up automatically when it reaches the maximum size. In addition, if autobackup is true, retention (specified with the /rt option) must be set to true./{ms | maxsize}:Maximum size of log, where is the number of bytes. Note that the minimum value for is 1048576 (1024KB) and log files are always multiples of 64KB, so the specified value will be rounded accordingly./{l | level}:Level filter of log, where is any valid level value. Only applicable to logs with a dedicated session. You can remove a level filter by setting to 0./{k | keywords}:VALUEKeywords filter of log. VALUE can be any valid 64 bit keyword mask. Only applicable to logs with a dedicated session./{ca | channelaccess}:VALUEAccess permission for an event log. VALUE is a security descriptor specifiedusing the Security Descriptor Definition Language (SDDL). Search MSDN(http://msdn.microsoft.com) for information about SDDL format./{c | config}:VALUEPath to the config file, where VALUE is the full file path. If specified, log properties will be read from this config file. If this option is specified, you must not specify the command line parameter. The log name will be read from the config file.Example:The following example sets retention, autobackup and maximum log size on the Application log by using a config file. Note that the config file is an XML file with the same format as the output of wevtutil gl /f:xml.C:\\config.xml true true 9000000 wevtutil sl /c:config.xml |
| 0x2D | List event publishers.Usage:wevtutil { ep | enum-publishers }Example:The following example lists the event publishers on the current computer.wevtutil ep |
List event publishers.Usage:wevtutil { ep | enum-publishers }Example:The following example lists the event publishers on the current computer.wevtutil ep |
| 0x2E | Get configuration information for event publishers.Usage:wevtutil { gp | get-publisher } [/OPTION:VALUE [/OPTION:VALUE] ...]String that uniquely identifies an event publisher. You can obtain a list ofpublisher names by typing wevtutil ep.Options:You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive./{ge | getevents}:[true|false]Get metadata information for events that can be raised by this publisher./{gm | getmessage}:[true|false]Display the actual message instead of the numeric message ID./{f | format}:[XML|Text]Specify the log file format. The default is Text. If XML is specified, printoutput in XML format. If Text is specified, print output without XML tags.Example:The following example displays information about the Microsoft-Windows-Eventlog event publisher including metadata about the events that the publisher can raise.wevtutil gp Microsoft-Windows-Eventlog /ge:true |
Get configuration information for event publishers.Usage:wevtutil { gp | get-publisher } [/OPTION:VALUE [/OPTION:VALUE] ...]String that uniquely identifies an event publisher. You can obtain a list ofpublisher names by typing wevtutil ep.Options:You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive./{ge | getevents}:[true|false]Get metadata information for events that can be raised by this publisher./{gm | getmessage}:[true|false]Display the actual message instead of the numeric message ID./{f | format}:[XML|Text]Specify the log file format. The default is Text. If XML is specified, printoutput in XML format. If Text is specified, print output without XML tags.Example:The following example displays information about the Microsoft-Windows-Eventlog event publisher including metadata about the events that the publisher can raise.wevtutil gp Microsoft-Windows-Eventlog /ge:true |
| 0x2F | Read events from an event log, log file or using structured query.Usage:wevtutil { qe | query-events } [/OPTION:VALUE [/OPTION:VALUE] ...]By default, you provide a log name for the parameter. However, if you usethe /lf option, you must provide the path to a log file for the parameter.If you use the /sq parameter, you must provide the path to a file containing astructured query. Options:You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive./{lf | logfile}:[true|false]If true, is the full path to a log file./{sq | structuredquery}:[true|false]If true, is the full path to a file that contains a structured query./{q | query}:VALUEVALUE is an XPath query to filter events read. If not specified, all events will be returned. This option is not available when /sq is true./{bm | bookmark}:VALUEVALUE is the full path to a file that contains a bookmark from a previous query./{sbm | savebookmark}:VALUEVALUE is the full path to a file in which to save a bookmark of this query. The file extension should be .xml./{rd | reversedirection}:[true|false]Event read direction. If true, the most recent events are returned first./{f | format}:[XML|Text|RenderedXml]The default value is XML. If Text is specified, prints events in aneasy to read text format, rather than in XML format. If RenderedXml, prints events in XML format with rendering information. Note that printing events in Text or RenderedXml formats is slower than printing in XML format./{l | locale}:VALUEVALUE is a locale string to print event text in a specific locale. Only available when printing events in text format using the /f option./{c | count}:Maximum number of events to read./{e | element}:VALUEWhen outputting event XML, include a root element to produce well-formed XML.VALUE is the string you want within the root element. For example, specifying/e:root would result in output XML with the root element pair .Example:The following example displays the three most recent events from the Application log in text format.wevtutil qe Application /c:3 /rd:true /f:text |
Read events from an event log, log file or using structured query.Usage:wevtutil { qe | query-events } [/OPTION:VALUE [/OPTION:VALUE] ...]By default, you provide a log name for the parameter. However, if you usethe /lf option, you must provide the path to a log file for the parameter.If you use the /sq parameter, you must provide the path to a file containing astructured query. Options:You can use either the short (for example, /f) or long (for example, /format) version of the option names. Options and their values are not case-sensitive./{lf | logfile}:[true|false]If true, is the full path to a log file./{sq | structuredquery}:[true|false]If true, is the full path to a file that contains a structured query./{q | query}:VALUEVALUE is an XPath query to filter events read. If not specified, all events will be returned. This option is not available when /sq is true./{bm | bookmark}:VALUEVALUE is the full path to a file that contains a bookmark from a previous query./{sbm | savebookmark}:VALUEVALUE is the full path to a file in which to save a bookmark of this query. The file extension should be .xml./{rd | reversedirection}:[true|false]Event read direction. If true, the most recent events are returned first./{f | format}:[XML|Text|RenderedXml]The default value is XML. If Text is specified, prints events in aneasy to read text format, rather than in XML format. If RenderedXml, prints events in XML format with rendering information. Note that printing events in Text or RenderedXml formats is slower than printing in XML format./{l | locale}:VALUEVALUE is a locale string to print event text in a specific locale. Only available when printing events in text format using the /f option./{c | count}:Maximum number of events to read./{e | element}:VALUEWhen outputting event XML, include a root element to produce well-formed XML.VALUE is the string you want within the root element. For example, specifying/e:root would result in output XML with the root element pair .Example:The following example displays the three most recent events from the Application log in text format.wevtutil qe Application /c:3 /rd:true /f:text |
| 0x30 | Option query is only available for querytype Log and LogFile.%0 |
Option query is only available for querytype Log and LogFile.%0 |
| 0x31 | Failed to open event query.%0 |
Failed to open event query.%0 |
| 0x32 | Failed to seek to event at the specified bookmark.%0 |
Failed to seek to event at the specified bookmark.%0 |
| 0x33 | Failed to seek to event at the specified event record.%0 |
Failed to seek to event at the specified event record.%0 |
| 0x34 | Failed to read events.%0 |
Failed to read events.%0 |
| 0x35 | Failed to save bookmark to file \"%1!s!\".%0 |
Failed to save bookmark to file \"%1!s!\".%0 |
| 0x36 | Get status information about an event log or log file.Usage:wevtutil { gli | get-loginfo } Log name or log file path. If option /lf is true, it is a log file path, and the path to the log file is required. If /lf is false, it is the log name. You can view a list of log names by typing wevtutil el.Options:You can use either the short (for example, /lf) or long (for example, /logfile) version of the option names. Options and their values are not case-sensitive./{lf | logfile}:[true|false]Specify whether to create a log file. If true, is the log file path.Example:wevtutil gli Application |
Get status information about an event log or log file.Usage:wevtutil { gli | get-loginfo } Log name or log file path. If option /lf is true, it is a log file path, and the path to the log file is required. If /lf is false, it is the log name. You can view a list of log names by typing wevtutil el.Options:You can use either the short (for example, /lf) or long (for example, /logfile) version of the option names. Options and their values are not case-sensitive./{lf | logfile}:[true|false]Specify whether to create a log file. If true, is the log file path.Example:wevtutil gli Application |
| 0x37 | Clear events from an event log and, optionally, back up cleared events.Usage:wevtutil { cl | clear-log } [/OPTION:VALUE]Name of log to clear. You can retrieve a list of log names by typingwevtutil el.Options:You can use either the short (for example, /bu) or long (for example, /backup) version of the option names. Options and their values are not case-sensitive./{bu | backup}:VALUEBackup file for cleared events. If specified, the cleared events will be savedto the backup file. Include the .evtx extension in the backup file name.Example: The following example clears all the events from the Application log after saving them to C:\\admin\\backups\\al0306.evtx.wevtutil.exe cl Application /bu:C:\\admin\\backups\\al0306.evtx |
Clear events from an event log and, optionally, back up cleared events.Usage:wevtutil { cl | clear-log } [/OPTION:VALUE]Name of log to clear. You can retrieve a list of log names by typingwevtutil el.Options:You can use either the short (for example, /bu) or long (for example, /backup) version of the option names. Options and their values are not case-sensitive./{bu | backup}:VALUEBackup file for cleared events. If specified, the cleared events will be savedto the backup file. Include the .evtx extension in the backup file name.Example: The following example clears all the events from the Application log after saving them to C:\\admin\\backups\\al0306.evtx.wevtutil.exe cl Application /bu:C:\\admin\\backups\\al0306.evtx |
| 0x38 | Failed to clear log %1!s!.%0 |
Failed to clear log %1!s!.%0 |
| 0x39 | Export events from a log, log file, or using structured query to a file.Usage:wevtutil { epl | export-log } [/OPTION:VALUE [/OPTION:VALUE] ...]By default, you provide a log name for . However, if youuse the /lf option, then you provide the path to a log file for the value. If you use the /sq parameter, then you provide the path to a filecontaining a structured query. Path to the file where the exported events are to be stored.Options:You can use either the short (for example, /l) or long (for example, /locale) version of the option names. Options and their values are not case-sensitive./{lf | logfile}:[true|false]If true, is the path to a log file./{sq | structuredquery}:[true|false]If true, is the path to a file that contains a structured query. The command might take a long time if selecting many, but not all, events./{q | query}:VALUEVALUE is an XPath query to filter the events you want to export. If not specified, all events will be returned. This option is not available when /sq is true. The command might take a long time if selecting many, but not all, events./{ow | overwrite}:[true|false]If true, and the destination file specified in already exists, it will be overwritten without confirmation.Example:The following example exports events from System log to C:\\backup\\system0506.evtx.wevtutil epl System C:\\backup\\system0506.evtx |
Export events from a log, log file, or using structured query to a file.Usage:wevtutil { epl | export-log } [/OPTION:VALUE [/OPTION:VALUE] ...]By default, you provide a log name for . However, if youuse the /lf option, then you provide the path to a log file for the value. If you use the /sq parameter, then you provide the path to a filecontaining a structured query. Path to the file where the exported events are to be stored.Options:You can use either the short (for example, /l) or long (for example, /locale) version of the option names. Options and their values are not case-sensitive./{lf | logfile}:[true|false]If true, is the path to a log file./{sq | structuredquery}:[true|false]If true, is the path to a file that contains a structured query. The command might take a long time if selecting many, but not all, events./{q | query}:VALUEVALUE is an XPath query to filter the events you want to export. If not specified, all events will be returned. This option is not available when /sq is true. The command might take a long time if selecting many, but not all, events./{ow | overwrite}:[true|false]If true, and the destination file specified in already exists, it will be overwritten without confirmation.Example:The following example exports events from System log to C:\\backup\\system0506.evtx.wevtutil epl System C:\\backup\\system0506.evtx |
| 0x3A | Failed to export log %1!s!.%0 |
Failed to export log %1!s!.%0 |
| 0x3B | Archive log file in a self-contained format. A subdirectory with the nameof the locale is created and all locale-specific information is saved inthat subdirectory. When the directory created by the archive-log command ispresent along with the log file, events in the file can be read whether ornot the publisher is installed.Usage:wevtutil { al | archive-log } [/OPTION:VALUE [/OPTION:VALUE] ...]The log file to be archived. A log file can be generated using export-log orclear-log command.Options:You can use either the short (for example, /l) or long (for example, /locale) version of the option names. Options and their values are not case-sensitive./{l | locale}:VALUEVALUE is a locale string to archive a log in a specific locale. If not specified, the locale of the current console will be used. For a list of all supported locale strings, please refer to the Microsoft Developer Network (MSDN) documentation for the LocaleNameToLCID API. |
Archive log file in a self-contained format. A subdirectory with the nameof the locale is created and all locale-specific information is saved inthat subdirectory. When the directory created by the archive-log command ispresent along with the log file, events in the file can be read whether ornot the publisher is installed.Usage:wevtutil { al | archive-log } [/OPTION:VALUE [/OPTION:VALUE] ...]The log file to be archived. A log file can be generated using export-log orclear-log command.Options:You can use either the short (for example, /l) or long (for example, /locale) version of the option names. Options and their values are not case-sensitive./{l | locale}:VALUEVALUE is a locale string to archive a log in a specific locale. If not specified, the locale of the current console will be used. For a list of all supported locale strings, please refer to the Microsoft Developer Network (MSDN) documentation for the LocaleNameToLCID API. |
| 0x3C | Failed to archive log %1!s!.%0 |
Failed to archive log %1!s!.%0 |
| 0x3D | Install event publishers and logs from manifest.Usage:wevtutil { im | install-manifest } [/OPTION:VALUE [/OPTION:VALUE] ...]File path to an event manifest. All publishers and logs defined in the manifestwill be installed. To learn more about event manifests and using this option,consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) athttp://msdn.microsoft.com.Options:You can use either the short (for example, /rf) or long (for example, /resourceFilePath) version of the option names. Options and their values are not case-sensitive./{rf | resourceFilePath}:VALUEResourceFileName attribute of the Provider Element in the manifest to be replaced.The VALUE should be the full path to the resource file./{mf | messageFilePath}:VALUEMessageFileName attribute of the Provider Element in the manifest to be replaced.The VALUE should be the full path to the message file./{pf | parameterFilePath}:VALUEParameterFileName attribute of the Provider Element in the manifest to be replaced.The VALUE should be the full path to the parameter file.Example:The following example installs publishers and logs from the myManifest.man manifest file.wevtutil im myManifest.man /rf:^%systemroot^%/System32/wevtutil.exe |
Install event publishers and logs from manifest.Usage:wevtutil { im | install-manifest } [/OPTION:VALUE [/OPTION:VALUE] ...]File path to an event manifest. All publishers and logs defined in the manifestwill be installed. To learn more about event manifests and using this option,consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) athttp://msdn.microsoft.com.Options:You can use either the short (for example, /rf) or long (for example, /resourceFilePath) version of the option names. Options and their values are not case-sensitive./{rf | resourceFilePath}:VALUEResourceFileName attribute of the Provider Element in the manifest to be replaced.The VALUE should be the full path to the resource file./{mf | messageFilePath}:VALUEMessageFileName attribute of the Provider Element in the manifest to be replaced.The VALUE should be the full path to the message file./{pf | parameterFilePath}:VALUEParameterFileName attribute of the Provider Element in the manifest to be replaced.The VALUE should be the full path to the parameter file.Example:The following example installs publishers and logs from the myManifest.man manifest file.wevtutil im myManifest.man /rf:^%systemroot^%/System32/wevtutil.exe |
| 0x3E | The publishers and channels were installed successfully, but we can't enable one or more publishers and channels.%0 |
The publishers and channels were installed successfully, but we can't enable one or more publishers and channels.%0 |
| 0x3F | Uninstall event publishers and logs from manifest.Usage:wevtutil { um | uninstall-manifest } File path to an event manifest. All publishers and logs defined in the manifestwill be uninstalled. To learn more about event manifests and using this option,consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) athttp://msdn.microsoft.com.Example:The following example uninstalls publishers and logs from the myManifest.man manifest file.wevtutil um myManifest.man |
Uninstall event publishers and logs from manifest.Usage:wevtutil { um | uninstall-manifest } File path to an event manifest. All publishers and logs defined in the manifestwill be uninstalled. To learn more about event manifests and using this option,consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) athttp://msdn.microsoft.com.Example:The following example uninstalls publishers and logs from the myManifest.man manifest file.wevtutil um myManifest.man |
| 0x40 | Type the password for %1!s!:%0 |
Type the password for %1!s!:%0 |
| 0x41 | Failed to read file %1!s!.%0 |
Failed to read file %1!s!.%0 |
| 0x42 | The value for channel property %1!s! contains an invalid value.%0 |
The value for channel property %1!s! contains an invalid value.%0 |
| 0x43 | Option %1!s! is not available if option %2!s! is not specified.%0 |
Option %1!s! is not available if option %2!s! is not specified.%0 |
| 0x44 | **** Warning: Enabling this type of log clears it. Do you want to enable and clear this log? [y/n]: |
**** Warning: Enabling this type of log clears it. Do you want to enable and clear this log? [y/n]: |
| 0x45 | **** Warning: Publisher %1 resources could not be found or are not accessibleto the Local Service account. |
**** Warning: Publisher %1 resources could not be found or are not accessibleto the Local Service account. |
| 0x46 | **** Warning: Publisher %1 is installed onthe system. Only new values would be added. If you want to update previous settings, uninstall the manifest first. |
**** Warning: Publisher %1 is installed onthe system. Only new values would be added. If you want to update previous settings, uninstall the manifest first. |
| 0x47 | Provider %1 in the manifest is missing the channel name attribute. |
Provider %1 in the manifest is missing the channel name attribute. |
| 0x48 | Provider %1 in the manifest contains channel %2 that is missing the type attribute. |
Provider %1 in the manifest contains channel %2 that is missing the type attribute. |
| 0x49 | Provider %1{%2} is missing the channel name attribute. |
Provider %1{%2} is missing the channel name attribute. |
| 0x4A | Provider %1 manifest has declared a channel %2 that uses a non-supported type %3 |
Provider %1 manifest has declared a channel %2 that uses a non-supported type %3 |
| 0x4B | Provider %1 manifest has declared a channel %2 that uses a non-supported isolation %3 |
Provider %1 manifest has declared a channel %2 that uses a non-supported isolation %3 |
| 0x4C | Provider %1 is already installed with GUID %2. |
Provider %1 is already installed with GUID %2. |
| 0x4D | Channel %1 is declared by an existing provider %2{%3}. |
Channel %1 is declared by an existing provider %2{%3}. |
| 0x4E | Provider has two channels with the same value. |
Provider has two channels with the same value. |
| 0x4F | Provider is missing the GUID attribute. |
Provider is missing the GUID attribute. |
| 0x50 | Provider %1 is missing the name in the registry. |
Provider %1 is missing the name in the registry. |
| 0x51 | Provider %1{%2} has Registry value Count %3. |
Provider %1{%2} has Registry value Count %3. |
| 0x52 | Provider %1{%2} is missing channels under the channelreferences registry key. |
Provider %1{%2} is missing channels under the channelreferences registry key. |
| 0x53 | Provider %1{%2} is missing the channel name for the index key %3. |
Provider %1{%2} is missing the channel name for the index key %3. |
| 0x54 | Provider %1{%2} has a channel indexed %3 that is missing the default registry value. |
Provider %1{%2} has a channel indexed %3 that is missing the default registry value. |
| 0x55 | **** Warning: Publisher %1 was not found in the resource file.resourceFileName: %2 |
**** Warning: Publisher %1 was not found in the resource file.resourceFileName: %2 |
| 0x56 | **** Warning: The resource file for publisher %1 was not found or could not be opened.resourceFileName: %2 |
**** Warning: The resource file for publisher %1 was not found or could not be opened.resourceFileName: %2 |
| 0x57 | **** Warning: The resource file for publisher %1 does not contain the metadata resource.Make sure to link the .bin file generated by the Message Compiler into thespecified binary.resourceFileName: %2 |
**** Warning: The resource file for publisher %1 does not contain the metadata resource.Make sure to link the .bin file generated by the Message Compiler into thespecified binary.resourceFileName: %2 |
| 0x58 | Secure password input is not available on this version of Windows.%0 |
Secure password input is not available on this version of Windows.%0 |
| 0x59 | The Event Log service is not available on this version of Windows. Command %1!s! is not supported. |
The Event Log service is not available on this version of Windows. Command %1!s! is not supported. |
| 0x5A | **** Warning: The Event Log service is not available on this version of Windows.The publishers and channels were installed successfully, but we can't validate the publisher resources for %1!s! without the service. |
**** Warning: The Event Log service is not available on this version of Windows.The publishers and channels were installed successfully, but we can't validate the publisher resources for %1!s! without the service. |