Wevtutil.exe Process – What is it & Command Line

Wevtutil.exe is an executable file that is used typically to register a provider on the system, allowing users to get access to its metadata, its events, and information about the channels it uses to log events. Additionally, it enables users to install and uninstall instrumentation manifests, run requests, etc.

Many system administrators use WEvtUtil.exe to delete the logs located in the Windows system. Wevtutil.exe is also identified as the Eventing Command Line Utility and it is a component of the Windows Operating System.

File Size and Location

An original Wevtutil.exe file is located under the C:\Windows\System32\ folder. The average file size of Wevtutil.exe is about 254 KB. The same process might also be located under C:\Windows\SysWOW64\ folder.

wevtutil.exe

Quick Overview

Filename:Wevtutil.exe
File description:Eventing Command Line Utility
File version:6.1.7600.16385
File Size:267 KB
Product name:Microsoft@Windows@Operating System
File type:Application
Copyright:Microsoft Corporation
Language:English

Syntax

This wevtutil.exe command tool can be launched using two ways:

1) Press the Windows+R button

2) Type wevtutil.exe

3) Press Enter button and the Even Log and Publishers command tool will be open

wevtutil.exe event viewer command line

Another option to open the command tool of wevtutil.exe is to go to the C:\Windows\System32\  folder, locate and double click on wevtutil.exe.

Here are the parameter that can be used with this command line:

Wevtutil [Parameter][Option]

  1. {el | enum-logs}: The names of each log is displayed.
  2. {gl | get-log} <Logname> [OPTION]: Shows the log configuration of the selected log, includes information about its maximum size limit, the path to its file, etc.
  3. {al | archive – logs} [/l: locale]: Annals an exported log.
  4. {im | install – manifest} <Manifest>: Connects event publishers as well as logs from a manifest.
  5. {um | uninstall – manifest} <Manifest>: Detaches event distributors as well as logs from a patent.
  6. {gp | get – publishers} <Publishername> [/ge: <Metadata>] [/gm: <Message>] [OPTION]: Shows the configuration material for the selected event publisher.
  7. {gli | get – loginfo} <Logname> [OPTION]: Shows categorical information about an event file or log. In the case of the /If option being used, <Logname> is a path to a log file.
  8. {epl | export – log} <Path><Exportfile>[/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/ow:<Overwrite>]: Events are exported from event logs, file logs or with the help of an organized query to the specified file. <Path> has to be a path to a file that includes a structured request.
  9. {qe | query-events} <Path> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/bm:<Bookmark>] [/sbm:<Savebm>] [OPTION]: Scans events as of an event record.

Options

  1. /f:<Format>: Stipulates whether or not the output should be in XML or text format (default).
  2. /e:<Enabled>: Can either be true or false and can enable or disable a log.
  3. /i:<Isolation>: Enables the log isolation mode and can be classified into 3 sorts; system, application, or custom, and this mode chooses if a log must impart an assembly with other logs of an indistinguishable isolation class.
  4. /rt:<Retention>: Enables the log retention mode, which means that the behavior of the Event log service can be regulated when its maximum size is reached.
  5. /ge:<Metadata>: Receives metadata for events.
  6. /ab:<Auto>: Sets the auto-log backup policy.
  7. /uni:<Unicode>: Output is shown in Unicode.
  8. /a:<Auth>: Indicates the type of verification for the linkage with a remote system and its users can selectbetweenNegotiate, Kerberos or NTLM.
  9. /rd:<Direction>: Stipulates the directions in which the reading of events must occur.
  10. /c:<Config>: Details the path to a configuration file and it will warrant the perusing of the log properties from the configuration document characterized in <Config>.

Common Errors

  1. Wevtutil.exe – Application error.

It is possible that the program is outdated, or there simply isn’t enough memory for its operation. Either update the program, or delete some simultaneous processes to free up some space.

The other instance of this error message popping up may also indicate that your wevtutil.exe program is using an illegal instruction set, unsupported by your CPU. It is recommended that you install a program that is suited to your system.

  1. Wevtutil.exe – Access denied.

You may need to alter the permissions of the file, as this error message implies that you don’t have the required permissions to run the program. Another cause could also be that the antivirus software might have restricted access to the wevtutil.exe file. Inspect your antivirus’ log.

 Also read:

nv-author-image

Ankita

Founder and Writer @ WinOSBite. Future plan is to make this platform open to community to resolve and discuss various issues, usage related to Operating System.

Related Posts

iCacls.exe Process Detail, Syntax Info

icacls.exe is a useful command line tool that can be used to change the NTFS file system permission in older versions of Operating systems like… Read More »iCacls.exe Process Detail, Syntax Info

What is LogiOptions.exe, Uses & How to Remove it?

Well in case you have seen a process named LogiOptions.exe running in the background, then you could ponder: LogiOptions.exe is a genuine process or a… Read More »What is LogiOptions.exe, Uses & How to Remove it?

What is MMC.exe, Uses and Why its Running?

In short, Mmc.exe is a genuine Microsoft Management Console that is used to create admin tools to manage a wide range of existing software on… Read More »What is MMC.exe, Uses and Why its Running?

Leave a Reply

Your email address will not be published. Required fields are marked *