Wevtutil Command Guide - Query and Manage Windows Event Logs
Master the wevtutil command to query, export, clear, and archive Windows Event Logs from CMD with practical examples, troubleshooting, and admin workflows.
The wevtutil command is the native Windows command-line utility for querying, exporting, clearing, and archiving Event Logs. It gives administrators scriptable access to logs like System, Application, and Security without opening Event Viewer, making it ideal for automation, incident response, and enterprise troubleshooting.
For support engineers and system administrators, wevtutil is faster than manual GUI steps and easier to standardize across many hosts. You can filter events, collect logs for SIEM workflows, and automate cleanup or export jobs for audit and forensic use.
This guide covers syntax, options, practical examples, troubleshooting, related commands, FAQs, and a quick reference card.
What Is the Wevtutil Command?
wevtutil (Windows Events Utility) manages Event Log channels and entries from CLI. It supports reading recent events, exporting complete channels, and clearing logs after retention operations. It is available in modern Windows client and server versions and works in both CMD and PowerShell.
Use it when you need repeatable diagnostics, remote-ready scripts, and predictable export formats for incident handling, compliance, and monitoring pipelines.
Wevtutil Command Syntax
wevtutil <subcommand> [options]
| Subcommand | Purpose | Example |
|---|---|---|
| el | Enumerate log names | wevtutil el |
| gl | Get log configuration | wevtutil gl System |
| qe | Query events | wevtutil qe System /c:20 /f:text |
| epl | Export log to file | wevtutil epl System C:\Temp\system.evtx |
| cl | Clear log | wevtutil cl Application |
| sl | Set log configuration | wevtutil sl System /ms:20971520 |
Parameters and Options
Query Events (qe)
Reads events from a channel with filters, count limits, and output format controls.
Export Log (epl)
Saves a channel to .evtx for backup, analysis, or transfer.
Clear Log (cl)
Removes events from a channel after retention/export. Use carefully in regulated environments.
Get/Set Log Config (gl/sl)
Inspect and update properties like max size and retention flags.
Practical Wevtutil Examples
1) List all event log channels
wevtutil el
Use this to discover exact channel names before query or export scripts.
2) Query latest 20 System events
wevtutil qe System /c:20 /rd:true /f:text
/rd:true reads newest-first, useful during active incident triage.
3) Query Application errors only
wevtutil qe Application /q:"*[System[(Level=2)]]" /c:50 /f:text
Level 2 typically indicates error events and helps reduce noise quickly.
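The filtered query above returns text; for triage across many hosts it is more useful to have objects. The following PowerShell function is an added example, not part of the original guide: it runs the same kind of Level filter through wevtutil qe with /f:xml, adds a time window using the timediff() extension the Windows event XPath dialect supports (milliseconds), and parses the returned <Event> elements. The function name Get-RecentErrors and the default values are assumptions.

```powershell
# Added example (not from the guide): filtered wevtutil query turned into objects.
# Assumes an elevated shell; function name and defaults are placeholders.
function Get-RecentErrors {
    param(
        [string]$Channel = 'Application',
        [int]$Hours = 24,
        [int]$Max = 50
    )
    # Level 1 = Critical, Level 2 = Error; timediff(@SystemTime) is in milliseconds
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    # /f:xml emits one <Event> element per line with no document root, so wrap them
    $raw = wevtutil qe $Channel "/q:$xpath" "/c:$Max" /rd:true /f:xml
    if ($LASTEXITCODE -ne 0) { throw "wevtutil qe failed for $Channel (exit $LASTEXITCODE)" }
    if (-not $raw) { return @() }

    [xml]$doc = "<Events>$($raw -join '')</Events>"
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    foreach ($ev in $doc.SelectNodes('/Events/e:Event', $ns)) {
        # EventID may carry a Qualifiers attribute, in which case PowerShell returns an element
        $id = $ev.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
        [pscustomobject]@{
            Time     = [datetime]$ev.System.TimeCreated.SystemTime
            Level    = [int]$ev.System.Level
            EventID  = [int]$id
            Provider = $ev.System.Provider.Name
            Computer = $ev.System.Computer
        }
    }
}

# Usage: newest critical/error events from the System channel in the last 6 hours
Get-RecentErrors -Channel System -Hours 6 | Sort-Object Time -Descending | Format-Table -AutoSize
```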
4) Export Security log for audit
wevtutil epl Security C:\Logs\Security-Archive.evtx
Archive before log rollover to preserve evidence and compliance history.
5) Clear Application log after export
wevtutil cl Application
Run only when retention policy allows clearing and backup is complete.
6) Show current System log settings
wevtutil gl System
Returns max size, retention mode, and access information for diagnostics.
7) Increase System log size to 20 MB
wevtutil sl System /ms:20971520
Prevents fast rollover on noisy endpoints.
8) Export with overwrite enabled
wevtutil epl System C:\Logs\System.evtx /ow:true
Use overwrite mode in scheduled jobs where output path is fixed.
9) Query by event ID
wevtutil qe System /q:"*[System[(EventID=6005)]]" /f:text
Targets specific startup/shutdown or service-state events.
10) Build a scheduled export routine
schtasks /Create /SC DAILY /TN ExportSystemLog /TR "wevtutil epl System C:\Logs\System-Daily.evtx /ow:true" /ST 23:00
Automates log archival before maintenance windows.
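Examples 4, 5 and 10 form one workflow: export, verify, then clear. The PowerShell script below is an added example, not code from the original guide, that chains those wevtutil calls with timestamped file names, checks that the archive is non-empty and readable before the live channel is touched, and records a SHA256 hash for custody tracking. The parameter names, C:\Logs path and manifest file name are assumptions; the /lf:true option reads events from an .evtx file instead of a live channel.

```powershell
# Added example (not from the guide): export-verify-clear for one channel.
# Assumes an elevated shell; $Channel, $ArchiveRoot and the manifest name are placeholders.
param(
    [string]$Channel = 'Application',
    [string]$ArchiveRoot = 'C:\Logs',
    [switch]$ClearAfterExport
)
$ErrorActionPreference = 'Stop'

# Host-qualified, timestamped name so scheduled runs never overwrite earlier evidence
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$safeName = $Channel -replace '[\\/:]', '-'   # channels such as Vendor-Product/Operational contain '/'
$outFile = Join-Path $ArchiveRoot "$env:COMPUTERNAME-$safeName-$stamp.evtx"

# 1) Destination must exist first (a missing folder is a common "export file missing" cause)
New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null

# 2) Export the channel
wevtutil epl $Channel $outFile
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for $Channel (exit $LASTEXITCODE)" }

# 3) Validate the archive: present, non-empty, and readable as an event log file
$file = Get-Item $outFile
if ($file.Length -eq 0) { throw "Export $outFile is empty" }
wevtutil qe $outFile /lf:true /c:1 /f:text | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export $outFile is not readable by wevtutil" }

# 4) Record a hash before the source channel is changed in any way
$hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
$manifest = Join-Path $ArchiveRoot 'export-manifest.csv'
Add-Content -Path $manifest -Value "$stamp,$env:COMPUTERNAME,$Channel,$outFile,$hash"

# 5) Clear the live channel only when explicitly requested and only after a verified export
if ($ClearAfterExport) {
    wevtutil cl $Channel
    if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed for $Channel (exit $LASTEXITCODE)" }
}
Write-Host "Archived $Channel to $outFile (SHA256 $hash)"
```

Saved as a script, it can replace the bare wevtutil epl string in the schtasks command so the scheduled job also validates its output.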
Common Use Cases
- Incident response - Pull recent critical events quickly without opening Event Viewer.
- Audit retention - Export Security logs on schedule for governance requirements.
- SIEM ingestion prep - Create predictable archives for downstream analysis.
- Server troubleshooting - Isolate errors and warnings in service outages.
- Post-change validation - Compare event patterns before and after patching.
- Remote support scripts - Collect logs with standardized commands for helpdesk teams.
- Rollover prevention - Increase max size on busy systems to avoid losing evidence.
- Golden image hardening - Validate logging defaults in deployment templates.
- Compliance operations - Keep documented export and clear workflows.
- Forensic collection - Preserve relevant logs before remediation.
Tips and Best Practices
- Always export before clearing channels.
- Use explicit output paths and naming conventions with timestamps.
- Prefer targeted queries to reduce triage noise.
- Run elevated shell for Security log operations.
- Validate output files after automation jobs.
- Keep retention policy documented in runbooks.
- Combine with schtasks for repeatable archive timing.
- Standardize filters for common incident types.
- Store exports on protected volumes with access control.
- Review log size settings quarterly on critical hosts.
Troubleshooting Common Issues
Access denied on Security log
Run CMD as Administrator and ensure the account has rights to read and export the Security channel.
Query returns no results
Validate channel name and query syntax. Start with a broad query, then narrow filters.
Export file missing or empty
Check output directory permissions and ensure destination exists before command execution.
Command syntax errors
Small quoting mistakes break XPath-like filters. Recheck quote pairing and parentheses.
Logs roll over too quickly
Increase max size with sl /ms:<bytes> and monitor event volume trends.
Related Commands
systeminfo - Environment context
Use before log analysis to capture OS version and patch context.
tasklist - Process verification
Correlate event timestamps with active services and processes.
driverquery - Driver diagnostics
Helpful for kernel or device event investigations.
schtasks - Scheduled log exports
Automate event archival with predictable execution windows.
Frequently Asked Questions
What does wevtutil do in Windows?
Wevtutil manages Event Logs from the command line. It can list channels, query entries, export logs to files, clear channels, and change log settings such as max size and retention-related behavior.
Is wevtutil better than Event Viewer?
For automation and repeatability, yes. Event Viewer is useful for manual inspection, while wevtutil is better for scripts, standard triage workflows, and bulk operations across many systems.
How do I export Security logs?
Use wevtutil epl Security C:\Logs\Security.evtx from an elevated shell, then verify the file exists and archive it according to policy.
Can I clear logs with wevtutil?
Yes, using wevtutil cl <LogName>. Export first if retention, legal, or audit requirements apply.
Why does my filter return nothing?
Channel mismatch, strict query filters, or quoting errors are common causes. Start with qe <LogName> /c:10 /f:text, then add filters incrementally.
Does wevtutil work in PowerShell?
Yes, the command runs directly in PowerShell with the same core syntax and options.
How do I get recent events first?
Use /rd:true with qe so results are read in reverse direction (newest-first).
Can I automate log exports daily?
Yes. Combine wevtutil with schtasks to export logs on a schedule and overwrite or timestamp output files as needed.
Quick Reference Card
| Command | Purpose | Example |
|---|---|---|
| wevtutil el | List channels | Discover available logs |
| wevtutil qe System /c:20 /f:text | Query events | Recent system triage |
| wevtutil qe Application /q:"*[System[(Level=2)]]" | Filter errors | Focused app diagnostics |
| wevtutil epl Security C:\Logs\Security.evtx | Export channel | Audit archive |
| wevtutil cl Application | Clear log | Post-export cleanup |
| wevtutil gl System | Get config | Inspect size/retention |
| wevtutil sl System /ms:20971520 | Set max size | Reduce rollover risk |
| wevtutil qe System /q:"*[System[(EventID=6005)]]" | Query by EventID | Startup event checks |
Summary
The wevtutil command is a core Windows admin tool for log querying, exporting, clearing, and channel configuration. It is essential for scripted diagnostics, audit workflows, and enterprise incident response.
Use qe for targeted event retrieval, epl for preservation, and gl/sl for channel tuning. This combination supports faster troubleshooting and better compliance posture.
When paired with scheduling, strict naming conventions, and policy-aware retention, wevtutil becomes a dependable foundation for operational monitoring and forensic readiness.