Eventquery command in Windows

Applies to : Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012.

Note: The eventquery command is not accepted and is not guaranteed to be supported in subsequent versions of Windows. This tool is integrated in Windows Server 2003.

The eventquery command lists events and event properties from one or more event logs.

Eventquery command syntax

 eventquery[.vbs][/s Computer [/u Domain**User [/p** Password]]][/fi FilterName][/fo {TABLE | LIST | CSV}][/r EventRange [/nh] [/v] [/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] ] 

Parameters

Parameter Description

/ s Computer

Specify the name or IP address of the computer (do not use a backslash). The default is the local computer. / u Domain User Run the script with the user account privileges specified by the User or Domain **** User. The default is the currently logged-in user rights on the computer that is issuing the command. / p Password Specifies the password of the user account specified in the / u parameter . / fi FilterName Specifies the type of event to be included or excluded from the query. The following is the valid filter name, operator and value. / fo { TABLE | LIST | CSV } Specifies the format to use for output. Valid values ​​are tables, lists and csv. / r EventRange Specifies the event range to list. / nh Remove the column headers in the output. Valid only for table format and csv. / v Specifies that detailed event information is displayed in the output. / l [ APPLICATION ] [SYSTEM] [ SECURITY ] ["DNS server"] [ UserDefinedLog ] [ DirectoryLogName ] [ * ] Specifies the log (s) to follow. Valid values ​​are Application , System , Security , "DNS server" , user defined log and Directory log. " DNS server " can only be used if the DNS service is running on the computer specified by the / s parameter . To specify more than one record to track, reuse the / l parameter . Wildcard ( * ) can be used and is the default. /? Show help at the command prompt.

Note

To run this script, you must be running CScript. If you have not set the default Windows Script Host to CScript, enter:

 cscript //h:cscript //s //nologo 

For example

The following examples show how you can use the eventquery command:

 eventquery / l system 
 eventquery / l mylog 
 eventquery / l application / l system 
 eventquery / s srvmain / u maindomhiropln / pp @ ssW23 / v / l * 
 eventquery / r 10 / l application / nh 
 eventquery / r-10 / fo LIST / l security 
 eventquery / r 5-10 / l "DNS server" 
 eventquery / fi "Type eq Error" / l application 
 eventquery / fi "Datetime eq 06/25 / 00.03: 15:00 AM/06/25/00.03: 15: 00PM" / l application 
 eventquery / fi "Datetime gt 08/03 / 00.06: 20: 00PM" / fi "id gt 700" / fi "Type eq warning" / l system 

See more:

• What is an IP address?
• Endlocal command in Windows
• Edit command in Windows