DonatShell
Server IP : 180.180.241.3  /  Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /Windows/System32/en-US/


Current File : /Windows/System32/en-US/wevtutil.exe.mui
Failed to open config file: %1!s!.%0

Invalid config file.%0

Failed to initialize COM.%0

Failed to get %1!s! property.%0

Failed to set %1!s! property.%0

Command %1!s! is not supported.%0

Invalid option %1!s!. Option name is not specified.%0

Invalid option %1!s!. Option is specified more than once.%0

Invalid option %1!s!. Option is specified more than once.%0

Invalid option %1!s!. Option value is not specified.%0

Invalid option %1!s!. Option is not Boolean.%0

Invalid option %1!s!. Option is not supported.%0

Invalid value for option %1!s!.%0

option %1!s! and %2!s! cannot be specified at the same time.%0

Too many arguments are specified.%0

Required argument(s) is/are not specified.%0

Internal error.%0

Failed to open session to server: %1!s!.%0



Failed to read password.%0

Command is not specified.%0

Failed to open metadata for publisher %1!s!.%0

Failed to open publisher enumeration.%0

Failed to enumerate publishers.%0

Failed to load resource %1!s!.%0

Failed to open event metadata for publisher %1!s!.%0

Failed to enumerate event metadata for publisher %1!s!.%0

Failed to render event. Event handle = 0x%1!08x!.%0

Failed to register subscription %1!s!.%0

Failed to read configuration for log %1!s!.%0

Failed to save configuration or activate log %1!s!.%0

Failed to read log status information for log %1!s!.%0

Failed to load xml document %1!s!.%0

Failed to read xml node %1!s!.%0

assembly/instrumentation/events:events or 

events:instrumentationManifest/events:instrumentation/events:events node

is not found in manifest file %1!s!.

xmlns:events="http://schemas.microsoft.com/win/2004/08/events"

%0

Invalid value for property %1!s!.%0

LCID %1!s! cannot be found.%0

Root node of config file is not Subscription or in correct namespace.%0

Windows Events Command Line Utility.



Enables you to retrieve information about event logs and publishers, install

and uninstall event manifests, run queries, and export, archive, and clear logs.



Usage:



You can use either the short (for example, ep /uni) or long (for example, 

enum-publishers /unicode) version of the command and option names. Commands, 

options and option values are not case-sensitive.



Variables are noted in all upper-case.



wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]



Commands:



el | enum-logs          List log names.

gl | get-log            Get log configuration information.

sl | set-log            Modify configuration of a log.

ep | enum-publishers    List event publishers.

gp | get-publisher      Get publisher configuration information.

im | install-manifest   Install event publishers and logs from manifest.

um | uninstall-manifest Uninstall event publishers and logs from manifest.

qe | query-events       Query events from a log or log file.

gli | get-log-info      Get log status information.

epl | export-log        Export a log.

al | archive-log        Archive an exported log.

cl | clear-log          Clear a log.



Common options:



/{r | remote}:VALUE

If specified, run the command on a remote computer. VALUE is the remote computer 

name. Options /im and /um do not support remote operations.



/{u | username}:VALUE

Specify a different user to log on to the remote computer. VALUE is a user name

in the form domain\user or user. Only applicable when option /r is specified.



/{p | password}:VALUE

Password for the specified user. If not specified, or if VALUE is "*", the user 

will be prompted to enter a password. Only applicable when the /u option is

specified.



/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]

Authentication type for connecting to remote computer. The default is Negotiate.



/{uni | unicode}:[true|false]

Display output in Unicode. If true, then output is in Unicode. 



To learn more about a specific command, type the following:



wevtutil COMMAND /?

value "%1!s!" is invalid for isolation option.%0

List the names of all logs.



Usage:



wevtutil { el | enum-logs }



Example:



The following example lists the names of all logs.



wevtutil el

Failed to open channel enumeration.%0

Failed to enumerate channels.%0

Displays event log configuration information, including whether the log is

enabled, the current maximum size limit of the log and the path to the file

where the log is stored.



Usage:



wevtutil { gl | get-log } <LOG_NAME> [/OPTION:VALUE [/OPTION:VALUE] ...]



<LOG_NAME>

String that uniquely identifies a log. You can display a list of all the log

names by running wevtutil el.



Options:



You can use either the short (for example, /f) or long (for example, /format) 

version of the option names. Options and their values are not case-sensitive.



/{f | format}:[XML|Text]

Specify the log file format. The default is Text. If XML is specified, output is 

stored in XML format. If Text is specified, output is stored without XML tags. 



Example:



The following example displays configuration information about the local System 

log in XML format.



wevtutil gl System /f:xml

Modify the configuration of a log.



Usage:



wevtutil { sl | set-log } <LOG_NAME> [/OPTION:VALUE [/OPTION:VALUE] ...]



<LOG_NAME>

String that uniquely identifies a log. If option /c is specified, <LOG_NAME> 

should not be specified since it is read from the config file.



Options:



You can use either the short (for example, /e) or long (for example, /enable) 

version of the option names. Options and their values are not case-sensitive.



/{e | enabled}:[true|false]

Enable or disable a log.



/{q | quiet}:[true|false]

Quiet display option. No prompts or messages are displayed to the user. If not 

specified, the default is true. 



/{fm | filemax}:<n>

Set Maximum number of enablements across which to preserve events, where <n> is 

an integer between 1 and 16. One file is created for each enablement, so if this 

value is 2, events will be produced from the last two enablements. A reboot 

counts as disabling and then re-enabling the channel. 

  

/{i | isolation}:[system|application|custom]

Log isolation mode. The isolation mode of a log determines whether a log shares 

a session with other logs in the same isolation class. If you specify system 

isolation, the target log will share at least write permissions with the System 

log. If you specify application isolation, the target log will share at least 

write permissions with the Application log. If you specify custom isolation, you 

must also provide a security descriptor by using the /ca option.



/{lfn | logfilename}:VALUE

Log file name. VALUE is the full path to the file where the Event Log service 

stores events for this log.



/{rt | retention}:[true|false]

Log retention mode. The log retention mode determines the behavior of the Event 

Log service when a log reaches its maximum size. If an event log reaches its 

maximum size and the log retention mode is true, existing events are retained and 

incoming events are discarded. If the log retention mode is false, incoming 

events overwrite the oldest events in the log.



/{ab | autobackup}:[true|false]

Log autobackup policy. If autobackup is true, the log will be backed up 

automatically when it reaches the maximum size. In addition, if autobackup is 

true, retention (specified with the /rt option) must be set to true.



/{ms | maxsize}:<n>

Maximum size of log, where <n> is the number of bytes. Note that the minimum 

value for <n> is 1048576 (1024KB) and log files are always multiples of 64KB, so 

the specified value will be rounded accordingly.



/{l | level}:<n>

Level filter of log, where <n> is any valid level value. Only applicable to logs 

with a dedicated session. You can remove a level filter by setting <n> to 0.



/{k | keywords}:VALUE

Keywords filter of log. VALUE can be any valid 64 bit keyword mask. Only 

applicable to logs with a dedicated session.



/{ca | channelaccess}:VALUE

Access permission for an event log. VALUE is a security descriptor specified

using the Security Descriptor Definition Language (SDDL). Search MSDN

(http://msdn.microsoft.com) for information about SDDL format.



/{c | config}:VALUE

Path to the config file, where VALUE is the full file path. If specified, log 

properties will be read from this config file. If this option is specified, you 

must not specify the <LOG_NAME> command line parameter. The log name will be read 

from the config file.



Example:



The following example sets retention, autobackup and maximum log size on the 

Application log by using a config file. Note that the config file is an XML file 

with the same format as the output of wevtutil gl <LOG_NAME> /f:xml.



C:\config.xml

<?xml version="1.0" encoding="UTF-8"?>

<channel name="Application" isolation="Application"

         xmlns="http://schemas.microsoft.com/win/2004/08/events">

  <logging>

    <retention>true</retention>

    <autoBackup>true</autoBackup>

    <maxSize>9000000</maxSize>

  </logging>

  <publishing>

  </publishing>

</channel>



wevtutil sl /c:config.xml

List event publishers.



Usage:



wevtutil { ep | enum-publishers }



Example:



The following example lists the event publishers on the current computer.



wevtutil ep

Get configuration information for event publishers.



Usage:



wevtutil { gp | get-publisher } <PUBLISHER_NAME> [/OPTION:VALUE [/OPTION:VALUE] ...]



<PUBLISHER_NAME>

String that uniquely identifies an event publisher. You can obtain a list of

publisher names by typing wevtutil ep.



Options:



You can use either the short (for example, /f) or long (for example, /format) 

version of the option names. Options and their values are not case-sensitive.



/{ge | getevents}:[true|false]

Get metadata information for events that can be raised by this publisher.



/{gm | getmessage}:[true|false]

Display the actual message instead of the numeric message ID.



/{f | format}:[XML|Text]

Specify the log file format. The default is Text. If XML is specified, print

output in XML format. If Text is specified, print output without XML tags.



Example:



The following example displays information about the Microsoft-Windows-Eventlog 

event publisher including metadata about the events that the publisher can raise.



wevtutil gp Microsoft-Windows-Eventlog /ge:true

Read events from an event log, log file or using structured query.



Usage:



wevtutil { qe | query-events } <PATH> [/OPTION:VALUE [/OPTION:VALUE] ...]



<PATH>

By default, you provide a log name for the <PATH> parameter. However, if you use

the /lf option, you must provide the path to a log file for the <PATH> parameter.

If you use the /sq parameter, you must provide the path to a file containing a

structured query. 



Options:



You can use either the short (for example, /f) or long (for example, /format) 

version of the option names. Options and their values are not case-sensitive.



/{lf | logfile}:[true|false]

If true, <PATH> is the full path to a log file.



/{sq | structuredquery}:[true|false]

If true, <PATH> is the full path to a file that contains a structured query.



/{q | query}:VALUE

VALUE is an XPath query to filter events read. If not specified, all events will 

be returned. This option is not available when /sq is true.



/{bm | bookmark}:VALUE

VALUE is the full path to a file that contains a bookmark from a previous query.



/{sbm | savebookmark}:VALUE

VALUE is the full path to a file in which to save a bookmark of this query. The 

file extension should be .xml.



/{rd | reversedirection}:[true|false]

Event read direction. If true, the most recent events are returned first.



/{f | format}:[XML|Text|RenderedXml]

The default value is XML. If Text is specified, prints events in an

easy to read text format, rather than in XML format. If RenderedXml, prints 

events in XML format with rendering information. Note that printing events in 

Text or RenderedXml formats is slower than printing in XML format.



/{l | locale}:VALUE

VALUE is a locale string to print event text in a specific locale. Only available 

when printing events in text format using the /f option.



/{c | count}:<n>

Maximum number of events to read.



/{e | element}:VALUE

When outputting event XML, include a root element to produce well-formed XML.

VALUE is the string you want within the root element. For example, specifying

/e:root would result in output XML with the root element pair <root></root>.





Example:



The following example displays the three most recent events from the Application 

log in text format.



wevtutil qe Application /c:3 /rd:true /f:text

Option query is only available for querytype Log and LogFile.%0

Failed to open event query.%0

Failed to seek to event at the specified bookmark.%0

Failed to seek to event at the specified event record.%0

Failed to read events.%0

Failed to save bookmark to file "%1!s!".%0

Get status information about an event log or log file.



Usage:



wevtutil { gli | get-loginfo } <LOG_NAME>



<LOG_NAME>

Log name or log file path. If option /lf is true, it is a log file path, and the 

path to the log file is required. If /lf is false, it is the log name. You can 

view a list of log names by typing wevtutil el.



Options:



You can use either the short (for example, /lf) or long (for example, /logfile) 

version of the option names. Options and their values are not case-sensitive.



/{lf | logfile}:[true|false]

Specify whether to create a log file. If true, <LOG_NAME> is the log file path.



Example:



wevtutil gli Application

Clear events from an event log and, optionally, back up cleared events.



Usage:



wevtutil { cl | clear-log } <LOG_NAME> [/OPTION:VALUE]



<LOG_NAME>

Name of log to clear. You can retrieve a list of log names by typing

wevtutil el.



Options:



You can use either the short (for example, /bu) or long (for example, /backup) 

version of the option names. Options and their values are not case-sensitive.



/{bu | backup}:VALUE

Backup file for cleared events. If specified, the cleared events will be saved

to the backup file. Include the .evtx extension in the backup file name.



Example:

 

The following example clears all the events from the Application log after saving 

them to C:\admin\backups\al0306.evtx.



wevtutil.exe cl Application /bu:C:\admin\backups\al0306.evtx

Failed to clear log %1!s!.%0

Export events from a log, log file, or using structured query to a file.



Usage:



wevtutil { epl | export-log } <PATH> <TARGETFILE>

  [/OPTION:VALUE [/OPTION:VALUE] ...]



<PATH>

By default, you provide a log name for <PATH>. However, if you

use the /lf option, then you provide the path to a log file for the <PATH>

value. If you use the /sq parameter, then you provide the path to a file

containing a structured query. 



<TARGETFILE>

Path to the file where the exported events are to be stored.



Options:



You can use either the short (for example, /l) or long (for example, /locale) 

version of the option names. Options and their values are not case-sensitive.



/{lf | logfile}:[true|false]

If true, <PATH> is the path to a log file.



/{sq | structuredquery}:[true|false]

If true, <PATH> is the path to a file that contains a structured query. The 

command might take a long time if selecting many, but not all, events.



/{q | query}:VALUE

VALUE is an XPath query to filter the events you want to export. If not 

specified, all events will be returned. This option is not available when /sq is 

true. The command might take a long time if selecting many, but not all, events.



/{ow | overwrite}:[true|false]

If true, and the destination file specified in <TARGETFILE> already exists, it 

will be overwritten without confirmation.



Example:



The following example exports events from System log to 

C:\backup\system0506.evtx.



wevtutil epl System C:\backup\system0506.evtx

Failed to export log %1!s!.%0

Archive log file in a self-contained format. A subdirectory with the name

of the locale is created and all locale-specific information is saved in

that subdirectory. When the directory created by the archive-log command is

present along with the log file, events in the file can be read whether or

not the publisher is installed.



Usage:



wevtutil { al | archive-log } <LOG_FILE> [/OPTION:VALUE [/OPTION:VALUE] ...]



<LOG_FILE>

The log file to be archived. A log file can be generated using export-log or

clear-log command.



Options:



You can use either the short (for example, /l) or long (for example, /locale) 

version of the option names. Options and their values are not case-sensitive.



/{l | locale}:VALUE

VALUE is a locale string to archive a log in a specific locale. If not specified, 

the locale of the current console will be used. For a list of all supported 

locale strings, please refer to the Microsoft Developer Network (MSDN) 

documentation for the LocaleNameToLCID API.

Failed to archive log %1!s!.%0

Install event publishers and logs from manifest.



Usage:



wevtutil { im | install-manifest  } <MANIFEST> [/OPTION:VALUE [/OPTION:VALUE] ...]



<MANIFEST>

File path to an event manifest. All publishers and logs defined in the manifest

will be installed. To learn more about event manifests and using this option,

consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) at

http://msdn.microsoft.com.



Options:



You can use either the short (for example, /rf) or long (for example, 

/resourceFilePath) version of the option names. Options and their values are not 

case-sensitive.



/{rf | resourceFilePath}:VALUE

ResourceFileName attribute of the Provider Element in the manifest to be 

replaced.

The VALUE should be the full path to the resource file.



/{mf | messageFilePath}:VALUE

MessageFileName attribute of the Provider Element in the manifest to be replaced.

The VALUE should be the full path to the message file.



/{pf | parameterFilePath}:VALUE

ParameterFileName attribute of the Provider Element in the manifest to be replaced.

The VALUE should be the full path to the parameter file.



Example:



The following example installs publishers and logs from the myManifest.man 

manifest file.



wevtutil im myManifest.man /rf:^%systemroot^%/System32/wevtutil.exe

The publishers and channels are installed successfully. However, we can't enable one or more publishers and channels.%0

Uninstall event publishers and logs from manifest.



Usage:



wevtutil { um | uninstall-manifest } <MANIFEST>



<MANIFEST>

File path to an event manifest. All publishers and logs defined in the manifest

will be uninstalled. To learn more about event manifests and using this option,

consult the Windows Eventing SDK on Microsoft Developers Network (MSDN) at

http://msdn.microsoft.com.



Example:



The following example uninstalls publishers and logs from the myManifest.man 

manifest file.



wevtutil um myManifest.man

Type the password for %1!s!:%0

Failed to read file %1!s!.%0

The value for channel property %1!s! contains an invalid value.%0

Option %1!s! is not available if option %2!s! is not specified.%0

**** Warning: Enabling this type of log clears it.  Do you want to enable and 

clear this log? [y/n]: 

**** Warning: Publisher %1 resources are not accessible.

**** Warning: Publisher %1 is installed on

the system. Only new values would be added. If you want to update previous 

settings, uninstall the manifest first.

Provider %1 in the manifest is missing the channel name attribute.

Provider %1 in the manifest contains channel %2 that is missing the type attribute.

Provider %1{%2} is missing the channel name attribute.

Provider %1 manifest has declared a channel %2 that uses a non-supported type %3

Provider %1 manifest has declared a channel %2 that uses a non-supported isolation %3

Provider %1 is already installed with GUID %2.

Channel %1 is declared by an existing provider %2{%3}.

Provider has two channels with the same value.

Provider is missing the GUID attribute.

Provider %1 is missing the name in the registry.

Provider %1{%2} has Registry value Count %3.

Provider %1{%2} is missing channels under the channelreferances registry key.

Provider %1{%2} is missing the channel name for the index key %3.

Provider %1{%2} has a channel indexed %3 that is missing the default registry 

value

VS_VERSION_INFO / StringFileInfo (040904B0):

CompanyName: Microsoft Corporation

FileDescription: Eventing Command Line Utility

FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)

InternalName: wevtutil.exe

LegalCopyright: Microsoft Corporation. All rights reserved.

OriginalFilename: wevtutil.exe.mui

ProductName: Microsoft Windows Operating System

ProductVersion: 6.1.7600.16385

Anon7 - 2022
AnonSec Team