Windows event log querying from the command line: wevtutil (with XPath query parameters and XML output)
Posted by jpluimers on 2025/04/23
A while ago, I needed to investigate reboot events on some Windows 10 systems. I wanted to use the console instead of the eventvwr GUI Event Viewer.
There is a tool for that called wevtutil which – like eventvwr – uses XPath query parameters and produces XML output.
Postprocessing XML can be a thing, but since .NET has great XML support, you can use PowerShell for that (which for me often is way easier than going the XSLT route, for instance because Windows lacks built-in console XSLT tooling).
Based on the help and the links below, my query command on these machines turned out to be this:
wevtutil query-events System /reversedirection:true "/query:*[System[EventID=6005 or EventID=6006]]" > reboot-events.xml
I expanded all options to their full form except reverseddirection, as despite the built-in help – see [Wayback/Archive] wevtutil built-in help: “wevtutil /?” and “wevtutil query-events /?” – it is not supported (bug alert!):
Invalid option reverseddirection. Option is not supported. The parameter is incorrect.
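Without the /element option from the built-in help, the file the command above writes is a bare sequence of Event elements with no root, so it is not well-formed XML on its own. The script below is an added example (not code from the original post or from Microsoft) that assumes the query was run with /element:Events, reads such a file with PowerShell, and turns the 6005/6006 events into a reboot timeline; the root element name Events, the function name Get-RebootTimeline and the sample events are my own choices.

```powershell
# Added example, not code from the original post. Assumes the XML was written with a
# root element so the whole file is well-formed (the /element option from the help):
#   wevtutil query-events System /reversedirection:true /element:Events "/query:*[System[EventID=6005 or EventID=6006]]" > reboot-events.xml
# Constructed sample in that shape (three events, newest first, as /reversedirection returns them):
$sample = @'
<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventLog'/><EventID Qualifiers='32768'>6005</EventID><TimeCreated SystemTime='2025-04-20T06:00:05.123456700Z'/><Channel>System</Channel><Computer>host01</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventLog'/><EventID Qualifiers='32768'>6006</EventID><TimeCreated SystemTime='2025-04-20T05:58:30.000000000Z'/><Channel>System</Channel><Computer>host01</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventLog'/><EventID Qualifiers='32768'>6005</EventID><TimeCreated SystemTime='2025-04-13T07:15:00.000000000Z'/><Channel>System</Channel><Computer>host01</Computer></System></Event>
</Events>
'@

function Get-RebootTimeline {
    param([xml]$Doc)
    # Event elements sit in the Windows event schema namespace; the added root does not,
    # so use an explicit namespace manager instead of relying on PowerShell's property adapter.
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $events = foreach ($ev in $Doc.SelectNodes('/Events/e:Event', $ns)) {
        [pscustomobject]@{
            EventId  = [int]$ev.SelectSingleNode('e:System/e:EventID', $ns).InnerText
            Time     = [datetimeoffset]$ev.SelectSingleNode('e:System/e:TimeCreated/@SystemTime', $ns).Value
            Computer = $ev.SelectSingleNode('e:System/e:Computer', $ns).InnerText
        }
    }
    # The query returned newest first; a timeline reads oldest first.
    $previous = $null
    foreach ($e in ($events | Sort-Object Time)) {
        $kind  = if ($e.EventId -eq 6005) { 'startup' } else { 'shutdown' }
        $since = if ($previous) { ($e.Time - $previous.Time).ToString() } else { '' }
        $note  = ''
        if ($e.EventId -eq 6005 -and $previous -and $previous.EventId -ne 6006) {
            # A startup not preceded by 6006 means the event log service never logged a stop:
            # the machine most likely went down without a clean shutdown (crash or power loss).
            $note = 'no 6006 before this startup: unclean shutdown?'
        }
        [pscustomobject]@{ Computer = $e.Computer; Time = $e.Time.ToString('u'); Kind = $kind; SincePrevious = $since; Note = $note }
        $previous = $e
    }
}

# Against a real capture: Get-RebootTimeline -Doc ([xml](Get-Content -Raw .\reboot-events.xml))
Get-RebootTimeline -Doc ([xml]$sample) | Format-Table -AutoSize
```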
Some links, both for my link archive and in case you want to play around with this:
- [Wayback/Archive] How to find out the last time Windows rebooted and started up
- Event ID 6006: “The event log service was stopped.” This is synonymous with system shutdown.
- Event ID 6005: “The event log service was started.” This is synonymous with system startup.
- [Wayback/Archive] How to query logs in Event Viewer using the command line (which explains about wevtutil, which is available as of Windows Vista)
- [Wayback/Archive] wevtutil | Microsoft Learn
Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
- [Wayback/Archive] windows – Wevtutil\Event Viewer: Getting list of events with different event ids using XPath Filter – Stack Overflow (thanks [Wayback/Archive] Anthony J. and [Wayback/Archive] Eryk Sun):
Q
I need to get a list of events that have id of 6005 or 6006 using “wevtutil” tool. This command works fine:
wevtutil qe system /rd:true /q:*[System[EventID=6005]]
But I need to get both events with ID 6005 and 6006. I tried
wevtutil qe system /rd:true /q:*[System[EventID=6005 or EventID=6006]]
But it returns
Too many arguments are specified. The parameter is incorrect.
How should I fix it?
C
wevtutil.exe uses the C runtime’s wmain entry point, which tokenizes the command line according to the rules documented in [Wayback/Archive] Parsing C++ Command-Line Arguments. So you need double quotes to prevent the query from getting split as separate arguments, e.g.
"/q:*[System[EventID=6005 or EventID=6006]]"
or even odd-looking
/q:*[System[EventID=6005" or "EventID=6006]]
- [Wayback/Archive] `main` function and command-line arguments (C++) | Microsoft Learn
- [Wayback/Archive] windows server 2008 – Parse wevtutil XML into a database? – Server Fault (thanks [Wayback/Archive] Skyhawk and [Wayback/Archive] sysadmin1138):
Q
I’m by no means an XML expert. Ergo, I’m having trouble importing Windows event XML from wevtutil into an SQL database.
…
(note: this would be a recurring process, so it can’t require GUI-only tools.)
A
I’m doing exactly this in a script by way of PowerShell.…
The command to get the event data is what you already know.
wevtutil qe Security /r:$DC /q:"*[System[((EventID=$LogonID or EventID=$FLogonID or EventID=$LogoffID or EventID=$LockoutID) and TimeCreated[@SystemTime > '$LUFilterString'] and TimeCreated[@SystemTime < '$NowFilterString'] )]] " > $DC-events.xml
The variables in that should be clear. I’m tracking login, logout, and lockout events. Generating the “NowFilterString” in the funny format wevtutil requires:
$Now=get-date
$Msec=$now.Millisecond
$NowFilterString=$Now.AddSeconds(-1).AddMilliseconds(-$Msec).ToUniversalTime().ToString("O")
I’m truncating the milliseconds down to zero to better handle edge cases.
So now you have an XML file. Now what? To parse that XML file:
get-content ".\$DC-events.xml" | foreach {
    $Event=[xml]$_
    $DateTime=[datetime]$Event.event.System.TimeCreated.GetAttribute("SystemTime")
    codecodecodecode
}
Accessing individual elements is done by:
foreach ($Data in $Event.event.EventData.get_childNodes()) {
    if ($Data.Name -eq "TargetUserName") { $User=$Data."#text"}
    elseif ($Data.Name -eq "IpAddress") {$IP=$Data."#text"}
}
Or another example
foreach ($Data in $Event.event.EventData.get_childNodes()) {
    if ($Data.Name -eq "TargetUserName") {$User=$Data."#text"}
    elseif ($Data.Name -eq "WorkstationName") {$MachineName=$Data."#text"}
    elseif ($Data.Name -eq "IpAddress") {$IP=$Data."#text"}
    # Ensure only failed logins to the right domain are processed:
    elseif ($Data.Name -eq "TargetDomainName") {$Domain=$Data."#text"}
}
I hope this helps you figure out XML parsing. Since this is PowerShell, most of these are readily convertible to standard .NET calls.
In the search queries used, you can see that at some moments I was not exactly sure what to search for, but Google luckily gave relevant results nonetheless:
- [Wayback/Archive] eventvwr last reboots – Google Search
- [Wayback/Archive] query eventvwr from console – Google Search
- [Wayback/Archive] wevtutil “reboot” query – Google Search
- [Wayback/Archive] wevtutil 6005 – Google Search
- [Wayback/Archive] wevtutil parse – Google Search
--jeroen
Output of “wevtutil query-events /?”:

Read events from an event log, log file or using structured query.

Usage:

wevtutil { qe | query-events } <PATH> [/OPTION:VALUE [/OPTION:VALUE] ...]

<PATH>
  By default, you provide a log name for the <PATH> parameter. However, if you use
  the /lf option, you must provide the path to a log file for the <PATH> parameter.
  If you use the /sq parameter, you must provide the path to a file containing a
  structured query.

Options:

You can use either the short (for example, /f) or long (for example, /format)
version of the option names. Options and their values are not case-sensitive.

/{lf | logfile}:[true|false]
  If true, <PATH> is the full path to a log file.

/{sq | structuredquery}:[true|false]
  If true, <PATH> is the full path to a file that contains a structured query.

/{q | query}:VALUE
  VALUE is an XPath query to filter events read. If not specified, all events will
  be returned. This option is not available when /sq is true.

/{bm | bookmark}:VALUE
  VALUE is the full path to a file that contains a bookmark from a previous query.

/{sbm | savebookmark}:VALUE
  VALUE is the full path to a file in which to save a bookmark of this query. The
  file extension should be .xml.

/{rd | reversedirection}:[true|false]
  Event read direction. If true, the most recent events are returned first.

/{f | format}:[XML|Text|RenderedXml]
  The default value is XML. If Text is specified, prints events in an
  easy to read text format, rather than in XML format. If RenderedXml, prints
  events in XML format with rendering information. Note that printing events in
  Text or RenderedXml formats is slower than printing in XML format.

/{l | locale}:VALUE
  VALUE is a locale string to print event text in a specific locale. Only available
  when printing events in text format using the /f option.

/{c | count}:<n>
  Maximum number of events to read.

/{e | element}:VALUE
  When outputting event XML, include a root element to produce well-formed XML.
  VALUE is the string you want within the root element. For example, specifying
  /e:root would result in output XML with the root element pair <root></root>.

Example:

The following example displays the three most recent events from the Application
log in text format.

wevtutil qe Application /c:3 /rd:true /f:text
Output of “wevtutil /?”:

Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.

Usage:

You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names. Commands,
options and option values are not case-sensitive.

Variables are noted in all upper-case.

wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]

Commands:

el  | enum-logs          List log names.
gl  | get-log            Get log configuration information.
sl  | set-log            Modify configuration of a log.
ep  | enum-publishers    List event publishers.
gp  | get-publisher      Get publisher configuration information.
im  | install-manifest   Install event publishers and logs from manifest.
um  | uninstall-manifest Uninstall event publishers and logs from manifest.
qe  | query-events       Query events from a log or log file.
gli | get-log-info       Get log status information.
epl | export-log         Export a log.
al  | archive-log        Archive an exported log.
cl  | clear-log          Clear a log.

Common options:

/{r | remote}:VALUE
  If specified, run the command on a remote computer. VALUE is the remote computer
  name. Options /im and /um do not support remote operations.

/{u | username}:VALUE
  Specify a different user to log on to the remote computer. VALUE is a user name
  in the form domain\user or user. Only applicable when option /r is specified.

/{p | password}:VALUE
  Password for the specified user. If not specified, or if VALUE is "*", the user
  will be prompted to enter a password. Only applicable when the /u option is
  specified.

/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
  Authentication type for connecting to remote computer. The default is Negotiate.

/{uni | unicode}:[true|false]
  Display output in Unicode. If true, then output is in Unicode.

To learn more about a specific command, type the following:

wevtutil COMMAND /?