
Event viewer command line (CMD)

The Event Viewer console can be opened from the command prompt or from the Run window by running the command eventvwr. To retrieve event information from the log files on the command line, use eventquery.vbs. This file can be found in the directory C:\Windows\System32.

With eventquery.vbs, events can be dumped selectively based on several parameters: event source, event ID, event date, event type (information, error, warning) and event log name (system, application, security, IE, etc.). Below are a few examples of how to use the script.

To list all the events created by a particular service or application:

cscript eventquery.vbs /FI "source eq source_name"

For example, to list all the events created by DHCP, run the command below.

cscript eventquery.vbs /FI "source eq dhcp"

To list all the events originated from Outlook:

cscript eventquery.vbs /FI "source eq outlook"

To list the events with a specific ID:

cscript eventquery.vbs /FI "id eq id_number"

To list application events that have occurred after a specific time:

cscript eventquery.vbs /L application /FI "DateTime gt 11/13/2010,01:00:00AM"

To print all warning events from application log file:

cscript eventquery.vbs /L application /FI "type eq warning"

To dump all the error events generated by a particular user:

cscript eventquery.vbs /FI "user eq domainname\username" /FI "type eq error"

This script is not supported in Windows 7.
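On Windows versions without eventquery.vbs, the same filters can be written as wevtutil queries. The Python helper below is an added example, not part of the original article: it translates the /FI expressions shown above into a wevtutil qe command line. The function names are this example's own, and it assumes the timestamp is already in UTC.

```python
import re
from datetime import datetime

# eventquery.vbs operator -> XPath comparison operator
OPS = {"eq": "=", "ne": "!=", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}
# eventquery "type" value -> Level test inside the event's System element
LEVELS = {"error": "Level=2", "warning": "Level=3",
          "information": "(Level=4 or Level=0)"}

def filter_to_xpath(expr):
    """Translate one eventquery /FI expression into an XPath predicate."""
    m = re.fullmatch(r"\s*(\w+)\s+(\w+)\s+(.+?)\s*", expr)
    if not m or m.group(2).lower() not in OPS:
        raise ValueError(f"unsupported filter: {expr!r}")
    field, op, value = m.group(1).lower(), OPS[m.group(2).lower()], m.group(3)
    # The query has no escape syntax and ends up inside a double-quoted
    # cmd argument, so refuse values that could change its structure.
    if set(value) & set("'\"[]"):
        raise ValueError(f"illegal character in value: {value!r}")
    if field == "source" and op in ("=", "!="):
        # Use the provider name as registered ("wevtutil ep" lists them).
        return f"Provider[@Name{op}'{value}']"
    if field == "id":
        return f"EventID{op}{int(value)}"
    if field == "type" and op == "=" and value.lower() in LEVELS:
        return LEVELS[value.lower()]
    if field == "datetime":
        # Assumption: the timestamp is already UTC (SystemTime is UTC).
        ts = datetime.strptime(value, "%m/%d/%Y,%I:%M:%S%p")
        return f"TimeCreated[@SystemTime{op}'{ts:%Y-%m-%dT%H:%M:%S}.000Z']"
    # "user" is not translated: wevtutil matches on a SID, not a user name.
    raise ValueError(f"unsupported filter: {expr!r}")

def wevtutil_command(log, filters, count=20):
    """Build a wevtutil qe command; several filters are ANDed, as with /FI."""
    if not re.fullmatch(r"[\w.-]+", log):
        raise ValueError(f"unexpected log name: {log!r}")
    tests = " and ".join(filter_to_xpath(f) for f in filters)
    query = f"*[System[{tests}]]" if tests else "*"
    return f'wevtutil qe {log} /q:"{query}" /f:text /rd:true /c:{count}'

if __name__ == "__main__":
    # Constructed sample filters, modelled on the article's examples.
    print(wevtutil_command("Application", ["type eq warning"]))
    print(wevtutil_command("System", ["id eq 1000",
                                      "DateTime gt 11/13/2010,01:00:00AM"]))
```

The printed commands return the newest 20 matching events as text; /c and /rd can be changed to adjust count and order.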

12 comments
  • chic

    Very helpful. Thanks.

  • kaushlendra

    very useful :)

  • NJ

    How to count number of files based on extension from cmd or bash script?

  • noob

    You said this script doesn’t support it on windows 7. How to implement it?

    • Randall

      Don’t need to. Use Wevtutil in Win7:
      “wevtutil epl [Application/System/Security/etc] [savepath&filename]”

  • nnnqw

    save this content in c:\bullshit.bat (if you have difficulties to save it like .bat ask someone’s help that knows more than you)
    ____________________________

    wevtutil.exe cl Application
    wevtutil.exe cl Security
    wevtutil.exe cl Setup
    wevtutil.exe cl System

    then go to Control Panel \ Administrative Tools \ Task Scheduler

    right click on left to Task Scheduler Library then on Create Task ….
    on the popup that will appear, the General tab will be active and you should fill in a name there, put anything (I filled in bullshit)
    then press Triggers then New from da left bottom then Begin a task, then put it At log on option from that small popup …
    in the bottom check repeat task every then click the box after this and put it 5 minutes then click the box after “for a duration of : ” set it Indefinitely..

    click on top Actions then in da bottom New…
    now in da box “Program/script” put this like is here
    start “C:\bullshit.bat”
    so is start ,blank space,comma,C:\bullshit.bat,comma again (i write this if the script of this forum will cancel commas or something inside this command you need to fill it right supposing you already save on c:\ the bullshit.bat batch command i explain you on top of my comment)
    now the system will clean all windows event logs for you

  • kingdom ike

    not what i really wanted

  • mike

    Command Prompt window opens and closes by itself on Windows 10. If I know the time it happened, how can I look it up in Event Viewer? Thanks.

  • Lloyd O'Day

    eventquery.vbs isn’t in my \windows\system32 nor in ..\syswow64. It sounds like a simple enough script that can be copied and pasted. Anyone got a copy?

  • Lloyd O'Day

    Ah, answer my own query. It’s 2020 and this page was written a loooong time ago. For later OS’s, use “wevtutil” at the command line (and it will give you a help page). “eventquery.vbs” has long gone.

  • Scott Q

    @Lloyd O’Day
    Here is the old script in case you’re curious https://pastebin.com/S0RReDyg

  • Scott Q

    @Lloyd O’Day
    … you also need CmdLib.wsc (https://pastebin.com/iu779VQk) both go in system32 folder
