The Event Viewer console can be opened from a command prompt or from the Run window by running the command eventvwr. To retrieve event information from the log files on the command line, we can use eventquery.vbs. This file can be found in the directory C:\Windows\System32.
Using eventquery.vbs we can dump events selectively based on various parameters. These parameters include event source, event ID, event date, event type (information, error, warning) and event log file name (system, application, security, IE etc.). Below are a few examples of how to use this script file.
To list all the events created by a particular service or application:
cscript eventquery.vbs /FI "source eq source_name"
For example, to list all the events created by DHCP, run the command below.
cscript eventquery.vbs /FI "source eq dhcp"
To list all the events originated from Outlook:
cscript eventquery.vbs /FI "source eq outlook"
To list the events with a specific ID:
cscript eventquery.vbs /FI "id eq id_number"
To list application events that have occurred after a specific time:
cscript.exe eventquery.vbs /FI "DateTime gt 11/13/2010,01:00:00AM"
To print all warning events from the application log file:
cscript eventquery.vbs /L application /FI "type eq warning"
To dump all the error events generated by a particular user:
cscript eventquery.vbs /FI "user eq domainname\username" /FI "type eq error"
This script is not supported in Windows 7.
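On systems that no longer ship eventquery.vbs, the same filters (log, source, ID, date, type, user) can be expressed with PowerShell's Get-WinEvent cmdlet. The following is an added example, not part of the original article or of eventquery.vbs; the function name Get-EventQuery and its parameter names are hypothetical.

```powershell
# Added example: eventquery.vbs-style filters expressed with Get-WinEvent.
# Get-EventQuery and its parameter names are hypothetical, not a built-in cmdlet.
function Get-EventQuery {
    [CmdletBinding()]
    param(
        [string[]]$Log = 'Application',   # /L log name; Security needs an elevated prompt
        [string]$Source,                  # /FI "source eq ..." (wildcards allowed)
        [int[]]$Id,                       # /FI "id eq ..."
        [datetime]$After,                 # /FI "DateTime gt ..."
        [ValidateSet('Error', 'Warning', 'Information')]
        [string]$Type,                    # /FI "type eq ..."
        [string]$User,                    # /FI "user eq domainname\username"
        [int]$Max = 100                   # return at most this many (newest first)
    )

    # Only add a key to the filter when the caller actually supplied it
    $filter = @{ LogName = $Log }
    if ($PSBoundParameters.ContainsKey('Source')) { $filter.ProviderName = $Source }
    if ($PSBoundParameters.ContainsKey('Id'))     { $filter.Id = $Id }
    if ($PSBoundParameters.ContainsKey('After'))  { $filter.StartTime = $After }
    if ($PSBoundParameters.ContainsKey('Type')) {
        # Numeric event levels: 2 = Error, 3 = Warning, 4 = Information
        $filter.Level = @{ Error = 2; Warning = 3; Information = 4 }[$Type]
    }
    if ($PSBoundParameters.ContainsKey('User')) {
        # Resolve the account name to its SID for the UserID key
        $account = [System.Security.Principal.NTAccount]$User
        $filter.UserID = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction Stop |
            Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, UserId, Message
    }
    catch {
        # Get-WinEvent reports "no events matched" as an error; return nothing instead
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

# Counterparts of the eventquery.vbs examples above (built-in logs only):
Get-EventQuery -Type Warning
Get-EventQuery -After '11/13/2010 01:00:00 AM'
# These depend on the provider or account existing on the machine:
#   Get-EventQuery -Log System -Source '*dhcp*'
#   Get-EventQuery -Source 'Outlook'
#   Get-EventQuery -User 'domainname\username' -Type Error
```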
very helpful. thanks
very useful :)
How to count number of files based on extension from cmd or bash script?
You said this script doesn’t support it on windows 7. How to implement it?
Don’t need to. Use Wevtutil in Win7:
“wevtutil epl [Application/System/Security/etc] [savepath&filename]”
save this content in c:\bullshit.bat (if you have difficulties to save it like .bat ask someone’s help that knows more than you)
____________________________
wevtutil.exe cl Application
wevtutil.exe cl Security
wevtutil.exe cl Setup
wevtutil.exe cl System
then go to Control Panel \ Administrative Tools \ Task Scheduler
right click on left to Task Scheduler Library then on Create Task ….
on the popup will appear General tab will be active and you should fill a name there, put anything (i fill it bullshit)
then press Triggers then New from da left bottom then Begin a task ,then put it At log on option from that small popup …
in the bottom check repeat task every then click the box after this and put it 5 minutes then click the box after “for a duration of : ” set it Indefinitely..
click on top Actions then in da bottom New…
now in da box “Program/script” put this like is here
start "C:\bullshit.bat"
so is start ,blank space,comma,C:\bullshit.bat,comma again (i write this if the script of this forum will cancel commas or something inside this command you need to fill it right supposing you already save on c:\ the bullshit.bat batch command i explain you on top of my comment)
now the system will clean all windows event logs for you
not what i really wanted
Command Prompt window opens and closes by itself on Windows 10. If I know the time it happened, how can I look it up in Event Viewer? Thanks.
eventquery.vbs isn’t in my \windows\system32 nor in ..\syswow64. It sounds like a simple enough script that can be copied and pasted. Anyone got a copy?
Ah, answer my own query. It’s 2020 and this page was written a loooong time ago. For later OS’s, use “wevtutil” at the command line (and it will give you a help page). “eventquery.vbs” has long gone.
@Lloyd O’Day
Here is the old script in case you’re curious https://pastebin.com/S0RReDyg
@Lloyd O’Day
… you also need CmdLib.wsc (https://pastebin.com/iu779VQk) both go in system32 folder