The WEvtUtil utility is something I wrote about last year and up until recently I’ve just been using the qe command and piping the output.  However, I decided to use the epl (export-log) command to pull down the event log from a remote production server and discovered a significant gotcha.  I spun a quick console app to pull the logs down and was running into a problem where the command would execute but I was not seeing the file.   So I decided to try giving a different path, then it failed saying access was denied.  What I discovered was that it was in fact working but the output file was being created ON THE REMOTE SERVER!!  And no, I do not have permissions to access any of the drives on the remote computer but WEvtUtil was still able to create it!  I then created a local open share and WEvtUtil could not dump to that file.  It seems it can only dump locally to whatever server you’re hitting.  This utility has been out for a long time so there are bound to be a few shortcomings but this one is just outright dangerous.  Be safe and careful with it.

Happy (and safe) coding!