Using Wevtutil on Longhorn server core servers to scan the event logs...

In some cases you might find that you need to scan the event logs locally on a Server Core machine because you can't access the server remotely for whatever reason. Wevtutil.exe is built into the OS to allow you to do just that. You can use it on regular SKUs too, like Vista and full server.

 

Here is the syntax I use regularly.

wevtutil qe System -rd:true -f:text | more

Broken down that's:

qe == query-events

System == System log (you can choose whichever log you like)

-rd:true == Tells wevtutil to read in reverse direction, that is, to start at the top of the log with the most recent events instead of the oldest.

-f:text == Tells wevtutil to print the data in text format; the default is XML.

| more == Tells the command window to pause at the end of each screen so you can page through the events as they are printed.

 

Here is an example of how to scan the Task Scheduler log, and the output it produces:

C:\localbin>wevtutil qe Microsoft-Windows-TaskScheduler/Operational -rd:true -f:text | more
Event[0]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:10:05.867
Event ID: 201
Task: Action completed
Level: Information
Opcode: Stop
Keyword: N/A
User: S-1-1-11
User Name: NT AUTHORITY\SYSTEM
Computer: SK8ORDIE.bradforest.test
Description:
Task Scheduler successfully completed task "\audit" , instance "{FFA86ACF-5DBF-4524-8760-3E2E0996301B}" , action "C:\Windows\SYSTEM32\cmd.exe" .

Event[1]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:10:05.867
Event ID: 102
Task: Task completed
Level: Information
Opcode: Stop
Keyword: N/A
User: S-1-1-11
User Name: NT AUTHORITY\SYSTEM
Computer: SK8ORDIE.bradforest.test
Description:
Task Scheduler successfully finished "{FFA86ACF-5DBF-4524-8760-3E2E0996301B}" instance of the "\audit" task for user "bradforest\SK8ORDIE$".

Event[2]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:09:59.994
Event ID: 129
Task: Created Task Process
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-1-11
User Name: NT AUTHORITY\SYSTEM
Computer: SK8ORDIE.bradforest.test
Description:
Task Scheduler launch task "\audit" , instance "C:\Windows\SYSTEM32\cmd.exe" with process ID 5436.

Event[3]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:09:59.983
Event ID: 200
Task: Action started
Level: Information
Opcode: Start
Keyword: N/A
User: S-1-1-11
User Name: NT AUTHORITY\SYSTEM
Computer: SK8ORDIE.bradforest.test
Description:
Task Scheduler launched action "C:\Windows\temp\ApplyAuditPolicy.cmd" in instance "{FFA86ACF-5DBF-4524-8760-3E2E0996301B}" of task "\audit".

Event[4]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:09:59.983
Event ID: 100
Task: Task Started
Level: Information
Opcode: Start
Keyword: N/A
User: S-1-1-11
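
To tie the syntax breakdown above to the output it produces, here is an added example (my own code, not from the original post) that builds the wevtutil qe command line, optionally narrowing it with wevtutil's own -q XPath filter and -c count options, and parses the -f:text output into records. It assumes only the text layout shown above (an Event[n] header, Key: value lines, then a Description line followed by the rendered message). The embedded sample is two of the Task Scheduler events from the output above, so the parser runs offline; the query_log function shells out to wevtutil and only works on a Windows box.

```python
import re
import subprocess

# Added example, not code from the original post; it assumes only the
# -f:text layout shown above (Event[n] header, Key: value lines, Description).
EVENT_HEADER = re.compile(r"^Event\[(\d+)\]:$")
LAUNCH = re.compile(r'launch task "([^"]+)" , instance "([^"]+)" with process ID (\d+)')

# Constructed sample: two of the Task Scheduler events from the post's output.
SAMPLE = r"""
Event[0]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:10:05.867
Event ID: 201
Task: Action completed
Level: Information
Opcode: Stop
Keyword: N/A
User: S-1-1-11
User Name: NT AUTHORITY\SYSTEM
Computer: SK8ORDIE.bradforest.test
Description:
Task Scheduler successfully completed task "\audit" , instance "{FFA86ACF-5DBF-4524-8760-3E2E0996301B}" , action "C:\Windows\SYSTEM32\cmd.exe" .

Event[2]:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 2007-03-24T12:09:59.994
Event ID: 129
Task: Created Task Process
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-1-11
User Name: NT AUTHORITY\SYSTEM
Computer: SK8ORDIE.bradforest.test
Description:
Task Scheduler launch task "\audit" , instance "C:\Windows\SYSTEM32\cmd.exe" with process ID 5436.
"""

def build_query(log, event_ids=None, count=None, newest_first=True, fmt="text"):
    """wevtutil qe argv; -q is an XPath filter over the event's System element,
    -c caps the number of events, so you pull the IDs of interest, not the whole log."""
    argv = ["wevtutil", "qe", log]
    if event_ids:
        clause = " or ".join(f"EventID={int(i)}" for i in event_ids)
        argv.append(f"-q:*[System[({clause})]]")
    if newest_first:
        argv.append("-rd:true")
    argv.append(f"-f:{fmt}")
    if count:
        argv.append(f"-c:{int(count)}")
    return argv

def parse_text_events(text):
    """Turn -f:text output into one dict per Event[n] block."""
    events, current, in_description = [], None, False
    for line in text.splitlines():
        line = line.rstrip()
        header = EVENT_HEADER.match(line)
        if header:
            current = {"Index": int(header.group(1)), "Description": ""}
            events.append(current)
            in_description = False
        elif current is None or not line:
            continue  # text before the first event, or a blank separator
        elif in_description:  # the rendered message may span several lines
            current["Description"] = (current["Description"] + "\n" + line).strip()
        elif line == "Description:":
            in_description = True
        else:
            key, sep, value = line.partition(": ")
            if sep:
                current[key] = value
    return events

def launched_processes(events):
    """Event ID 129 records the process Task Scheduler created: (task, image, pid)."""
    hits = []
    for ev in events:
        match = LAUNCH.search(ev["Description"]) if ev.get("Event ID") == "129" else None
        if match:
            hits.append((match.group(1), match.group(2), int(match.group(3))))
    return hits

def query_log(log, **options):
    """Run wevtutil locally (Windows only) and parse what it prints."""
    result = subprocess.run(build_query(log, **options), capture_output=True, text=True, check=True)
    return parse_text_events(result.stdout)

if __name__ == "__main__":
    # Offline demo; on the box itself use query_log("Microsoft-Windows-TaskScheduler/Operational", event_ids=[129], count=50)
    for task, image, pid in launched_processes(parse_text_events(SAMPLE)):
        print(f"{task} launched {image} as pid {pid}")
```

Pulling only event ID 129 from the Task Scheduler operational log gives a short list of what the scheduler actually executed and under which task, which is a quicker review than paging the whole log through more when you are stuck at the console of a Server Core box.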

 

Technorati tags: windows, vista, longhorn, event viewer