Remote EventLogs with WEvtUtil

The WEvtUtil utility is something I wrote about last year, and up until recently I’ve just been using the qe command and piping the output. However, I decided to use the epl (export-log) command to pull down the event log from a remote production server and discovered a significant gotcha. I spun up a quick console app to pull the logs down and was running into a problem where the command would execute but I was not seeing the file. So I decided to try giving a different path, and then it failed, saying access was denied.

What I discovered was that it was in fact working, but the output file was being created ON THE REMOTE SERVER!! And no, I do not have permissions to access any of the drives on the remote computer, but WEvtUtil was still able to create it! I then created a local open share, and WEvtUtil could not dump to that file. It seems it can only dump locally to whatever server you’re hitting. This utility has been out for a long time, so there are bound to be a few shortcomings, but this one is just outright dangerous. Be safe and careful with it.
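One way to get the events onto the collecting machine instead, as an added example that is not code from the original post: Get-WinEvent queries the remote log and the output file is written locally, so the epl behaviour described above does not come into play. The function name, `SERVER01` and `C:\EventLogs` are hypothetical.

```powershell
# Added example. Export-RemoteEventLog, SERVER01 and C:\EventLogs are hypothetical names.
function Export-RemoteEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $LocalDirectory,
        [ValidateRange(1, 100000)] [int] $MaxEvents = 1000
    )

    # Resolve the destination on this machine and reject UNC paths, so the
    # output can only land on a local drive of the collecting workstation.
    $dir = [System.IO.Path]::GetFullPath($LocalDirectory)
    if ($dir.StartsWith('\\')) {
        throw "LocalDirectory must be a local path, got '$dir'"
    }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }

    # Channel names such as 'Microsoft-Windows-PowerShell/Operational' contain
    # characters that are not valid in file names.
    $safeLog = $LogName -replace '[\\/:*?"<>|]', '_'
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outFile = Join-Path $dir ('{0}-{1}-{2}.xml' -f $ComputerName, $safeLog, $stamp)

    # The remote side only answers the query; records come back as objects
    # in the local session and no export file is created on $ComputerName.
    $events = Get-WinEvent -ComputerName $ComputerName -LogName $LogName `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    # Serialize each record to its event XML under a single root element.
    $lines = @('<Events>') + @($events | ForEach-Object { $_.ToXml() }) + '</Events>'
    Set-Content -LiteralPath $outFile -Value $lines -Encoding UTF8

    # Return the local path, record count and a hash for later integrity checks.
    [pscustomobject]@{
        Path   = $outFile
        Count  = @($events).Count
        SHA256 = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash
    }
}

Export-RemoteEventLog -ComputerName 'SERVER01' -LogName 'System' -LocalDirectory 'C:\EventLogs'
```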

Happy (and safe) coding!


About JohnHowell

I am a professional software developer with over 20 years of experience. I currently specialize in Microsoft technologies such as VS, TFS, C#, VB.Net, WCF, WPF, WW, etc.

1 Response to Remote EventLogs with WEvtUtil

  1. Nick Roy says:

    What...? It still doesn’t save locally...! So PowerShell it is then.
