Useful WEvtUtil commands

Finding system uptime reports (Event ID 6013, last 7 days)
wevtutil /r:COMPUTER.DOMAIN qe System /rd:true /f:text "/q:*[System[Provider[@Name='EventLog'] and (EventID=6013) and TimeCreated[timediff(@SystemTime) <= 604800000]]]"
(timediff() is measured in milliseconds, so 604800000 = 7 days. /rd:true returns the newest events first. The EventLog service writes 6013, "The system uptime is N seconds", once a day, so this gives you a daily uptime trail rather than a single value.)

Finding who rebooted a computer (Event ID 1074, last 2 days)
wevtutil /r:COMPUTER.DOMAIN /f:text qe System "/q:*[System[Provider[@Name='User32'] and (EventID=1074) and TimeCreated[timediff(@SystemTime) <= 172800000]]]"
(172800000 ms = 2 days. The 1074 message names the process that requested the shutdown or restart and the user it acted on behalf of, which is what you want when a box went down unexpectedly.)

Finding interactive user logons (Event ID 4624, LogonType 2)
wevtutil /r:COMPUTER.DOMAIN qe Security /f:text "/q:*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]"
(4624 records successful logons; failed attempts are 4625. Change the LogonType value to look for other types, e.g. 10 for RemoteInteractive (RDP) or 3 for network logons. Reading the Security log on a remote machine requires administrator rights or membership in Event Log Readers on the target.)

Finding a system time change (Microsoft-Windows-Kernel-General Event ID 1, last 7 days, newest 5)
wevtutil /r:COMPUTER.DOMAIN qe System /c:5 /rd:true /f:text "/q:*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=1) and TimeCreated[timediff(@SystemTime) <= 604800000]]]"
(Kernel-General Event ID 1 is "The system time has changed to X from Y". Unexplained time changes are worth chasing because they break timeline correlation across logs.)
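The same four queries wrapped in one PowerShell function, as an added example that is not part of the original post. It uses Get-WinEvent -FilterXPath, which accepts the same XPath that wevtutil takes on /q:, and pulls the named EventData fields (logon account, source address) out of the event XML instead of leaving them buried in the rendered message. The function name, its parameters, the -Days default and the sample calls at the bottom are assumptions made for this example; COMPUTER.DOMAIN is the same placeholder the page uses.

```powershell
# Added example, not code from the original page. Runs the page's four
# wevtutil queries through Get-WinEvent -FilterXPath. Function name,
# parameter names and defaults are assumptions for this example.
function Get-RecentSystemEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)]
        [ValidateSet('Uptime', 'Reboot', 'InteractiveLogon', 'TimeChange')]
        [string] $Query,
        [int] $Days = 7,
        [int] $MaxEvents = 50
    )

    # timediff() in Event Log XPath is in milliseconds; 7 days = 604800000.
    $ms     = [int64]$Days * 24 * 60 * 60 * 1000
    $within = "TimeCreated[timediff(@SystemTime) <= $ms]"

    switch ($Query) {
        'Uptime' {
            $log   = 'System'
            $xpath = "*[System[Provider[@Name='EventLog'] and EventID=6013 and $within]]"
        }
        'Reboot' {
            $log   = 'System'
            $xpath = "*[System[Provider[@Name='User32'] and EventID=1074 and $within]]"
        }
        'InteractiveLogon' {
            $log   = 'Security'
            $xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4624 and $within] " +
                     "and EventData[Data[@Name='LogonType']='2']]"
        }
        'TimeChange' {
            $log   = 'System'
            $xpath = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=1 and $within]]"
        }
    }

    # Get-WinEvent returns newest first (the equivalent of /rd:true). When nothing
    # matches it emits a non-terminating error; SilentlyContinue turns that into
    # an empty result instead of red text.
    $events = Get-WinEvent -ComputerName $ComputerName -LogName $log -FilterXPath $xpath `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # ToXml() exposes the named EventData fields that /f:text only shows
        # inside the rendered message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        $user = $null; $source = $null
        if ($e.Id -eq 4624) {
            # Who logged on and from where.
            $user   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            $source = $data['IpAddress']
        } elseif ($e.Message -match 'on behalf of user (\S+)') {
            # 1074: the account the shutdown/restart was requested on behalf of.
            $user = $Matches[1]
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            User        = $user
            Source      = $source
            Message     = ($e.Message -replace '\s+', ' ')
        }
    }
}

# Sample calls (COMPUTER.DOMAIN is a placeholder, as on the page above):
# Get-RecentSystemEvent -ComputerName COMPUTER.DOMAIN -Query Reboot -Days 2
# Get-RecentSystemEvent -ComputerName COMPUTER.DOMAIN -Query InteractiveLogon -Days 1 | Format-Table
```

Remote queries go over RPC like wevtutil /r:, so the target needs the "Remote Event Log Management" firewall rule group enabled, and the Security log still needs administrator or Event Log Readers rights. Because the output is objects rather than text, you can pipe it into Where-Object, Export-Csv or a loop over a list of hosts without re-parsing the message strings.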
