wevtutil — Windows Event Log Manager

Query, export, clear, and manage Windows Event Log channels from the command line — the primary CLI for event log automation, log archiving, and scripted log analysis on Windows.

What it is#

wevtutil (Windows Events Utility) is the built-in command-line tool for working with Windows Event Log channels. It can enumerate channels and publishers, query events with XPath or structured XML filters, export logs to .evtx files, clear channels, and install or uninstall event manifest files. It replaces older tools like eventquery.vbs and is the scripting equivalent of Event Viewer (eventvwr.msc). In PowerShell the closest equivalents are Get-WinEvent and Clear-EventLog, although wevtutil itself is often called directly from PowerShell as well. Most write operations require Administrator privileges.

Availability#

wevtutil ships as C:\Windows\System32\wevtutil.exe on Windows Vista and later.

wevtutil /?

Output:

Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.

Usage:

You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names.

wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]

Commands:

el | enum-logs          List log names.
gl | get-log            Get log configuration information.
sl | set-log            Modify configuration of a log.
ep | enum-publishers    List event publishers.
gp | get-publisher      Get publisher configuration information.
im | install-manifest   Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events       Query events from a log or log file.
gli | get-log-info      Get log status information.
epl | export-log        Export a log.
al | archive-log        Archive an exported log.
cl | clear-log          Clear a log.

Syntax#

wevtutil <command> [argument] [/option:value ...]

Output: (varies by command)

Essential commands#

| Command | Short | Meaning |
| --- | --- | --- |
| enum-logs | el | List all event log channel names |
| get-log | gl | Show configuration of a log channel |
| get-log-info | gli | Show size, record count, and timestamps for a log |
| query-events | qe | Query events from a channel or .evtx file |
| export-log | epl | Export a channel to an .evtx file |
| clear-log | cl | Clear all events from a channel |
| set-log | sl | Change log configuration (max size, retention) |

Listing event log channels#

wevtutil el lists all registered event log channel names — there are usually hundreds. Pipe to findstr to filter.

rem findstr treats space-separated terms as alternatives; \| is not alternation syntax
wevtutil el | findstr /I /R "^System$ ^Application$ ^Security$"

Output:

Application
Security
System

Getting log information#

wevtutil gli shows the current record count, file size, oldest and newest record times for a channel — useful for checking log growth or confirming that events are being written.

wevtutil gli System

Output:

creationTime: 2026-01-01T00:00:00.000Z
lastAccessTime: 2026-04-28T12:34:56.789Z
lastWriteTime: 2026-04-28T12:34:45.123Z
fileSize: 20971520
attributes: 32
numberOfLogRecords: 15823
oldestRecordNumber: 1

Querying events#

wevtutil qe retrieves events matching an XPath filter expression. The /q: option takes an XPath 1.0 query; /c: limits the number of events returned; /rd:true reads from newest to oldest; /f:text renders human-readable text output.

wevtutil qe System /q:"*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /c:5 /rd:true /f:text

Output:

Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2026-04-28T11:22:33.456Z
  Event ID: 7034
  Task: None
  Level: Error
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: MYHOST
  Description:
  The XYZ service terminated unexpectedly.

Filtering by Event ID#

XPath queries can target specific Event IDs. Combine conditions with and/or.

wevtutil qe Security "/q:*[System[(EventID=4624)]]" /c:3 /rd:true /f:text

Output:

Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2026-04-28T09:15:00.000Z
  Event ID: 4624
  Level: Information
  Description:
  An account was successfully logged on.
  ...

Exporting a log to a file#

wevtutil epl copies a channel’s events to an .evtx file for archiving, transport, or offline analysis in Event Viewer. Requires Administrator for Security and System channels.

wevtutil epl System C:\Logs\System_%COMPUTERNAME%.evtx

Output:

(none — exits 0 on success)

Query the exported file:

wevtutil qe C:\Logs\System_MYHOST.evtx /lf:true /c:5 /rd:true /f:text

Output:

Event[0]:
  Log Name: System
  ...

Clearing a log#

wevtutil cl removes all events from a channel. Optionally save the current events to an .evtx archive first. This is irreversible — deleted events cannot be recovered.

rem Archive then clear
wevtutil epl Application C:\Logs\Application_before_clear.evtx
wevtutil cl Application

Output:

(none — exits 0 on success)
(none — exits 0 on success)

Changing log configuration#

wevtutil sl modifies channel properties — most commonly the maximum file size (in bytes) and what happens when the log fills (/rt:false = overwrite oldest, which is the default for most channels).

rem Set Application log to 100 MB max, overwrite when full
wevtutil sl Application /ms:104857600 /rt:false

Output:

(none — exits 0 on success)

Channel taxonomy#

Windows ships hundreds of channels but they all fall into four categories. Understanding the taxonomy makes it easier to pick the right channel for a query and to predict permissions.

| Channel type | Examples | Default state | Notes |
| --- | --- | --- | --- |
| Classic (Windows Logs) | System, Application, Security, Setup, ForwardedEvents | Enabled | The five legacy channels visible at the top of Event Viewer; large, append-only |
| Admin | Microsoft-Windows-PowerShell/Admin, Microsoft-Windows-Kernel-EventTracing/Admin | Enabled | Permanent record of issues that need attention; readable by users in Event Log Readers |
| Operational | Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-TaskScheduler/Operational | Enabled (most) | Routine operational events; safe to query for diagnostics |
| Analytic / Debug | Microsoft-Windows-Kernel-Process/Analytic | Disabled | High-volume traces; must be enabled with wevtutil sl /e:true and viewed via Event Viewer → View → Show Analytic and Debug Logs |

rem List registered channels other than Analytic/Debug (el lists every channel, enabled or not)
wevtutil el | findstr /V "Analytic Debug" > C:\Logs\enabled-channels.txt

Output: (one channel name per line written to file)

rem Find every Microsoft-Windows-PowerShell channel
wevtutil el | findstr /I "PowerShell"

Output:

Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
PowerShellCore/Operational
Windows PowerShell

XPath query reference#

XPath is the filter language for wevtutil qe. The supported subset is XPath 1.0 with two custom functions — timediff() for time-based queries and band() for bitmask matching. Every query operates on the Event root, with three children: System (always present, with Provider, EventID, Level, TimeCreated, Computer, etc.), EventData (named data fields), and UserData (less common).

System-element queries#

System holds the well-known event metadata. These are the most common filter targets.

rem Single Event ID
wevtutil qe System /q:"*[System[EventID=7036]]" /c:5 /rd:true /f:text

Output:

Event[0]:
  Log Name: System
  Event ID: 7036
  Description: The Print Spooler service entered the running state.

rem Range of Event IDs (combine >= and <= with and)
wevtutil qe System /q:"*[System[(EventID>=1000 and EventID<=1100)]]" /c:3 /f:text

Output:

Event[0]:
  Event ID: 1014
  Source: DNS Client Events
  ...

rem Filter by Level — 1=Critical, 2=Error, 3=Warning, 4=Information, 5=Verbose
wevtutil qe System /q:"*[System[(Level=1 or Level=2)]]" /c:5 /f:text

Output:

Event[0]:
  Level: Error
  Event ID: 7034
  Description: The XYZ service terminated unexpectedly.

rem Filter by Provider name
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Kernel-Power']]]" /c:5 /f:text

Output:

Event[0]:
  Source: Microsoft-Windows-Kernel-Power
  Event ID: 41
  Description: The system has rebooted without cleanly shutting down first.

Time-based queries with timediff()#

timediff(@SystemTime) returns the number of milliseconds between the event time and the moment the query was evaluated. Always compare with <= for “last N ms” filters.

rem Last 15 minutes (900,000 ms)
wevtutil qe System /q:"*[System[TimeCreated[timediff(@SystemTime) <= 900000]]]" /c:5 /f:text

Output:

Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2026-05-25T09:10:14.812
  Event ID: 7036
  Description: The Windows Update service entered the running state.

rem Last 24 hours (86,400,000 ms)
wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /c:10 /f:text

Output:

Event[0]:
  Log Name: Application
  Source: MsiInstaller
  Date: 2026-05-24T22:14:08.402
  Event ID: 1033
  Description: Windows Installer installed the product. Product Name: 7-Zip.

rem Absolute time window (UTC, ISO 8601)
wevtutil qe System /q:"*[System[TimeCreated[@SystemTime>='2026-05-24T00:00:00.000Z' and @SystemTime<='2026-05-24T23:59:59.999Z']]]" /f:text

Output:

Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-General
  Date: 2026-05-24T07:30:01.118
  Event ID: 12
  Description: The operating system started at system time 2026-05-24T07:30:01.000000000Z.

EventData-element queries#

EventData holds per-event payload fields. Each Data child has a Name attribute identifying the field — use EventData[Data[@Name='Field']='Value'] to match.

rem 4624 logon by a specific account
wevtutil qe Security "/q:*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='alicedev']]" /c:5 /f:text

Output:

Event[0]:
  Event ID: 4624
  Description:
  An account was successfully logged on.
  Account Name: alicedev

rem 4625 failed logons from a specific source IP
wevtutil qe Security "/q:*[System[EventID=4625] and EventData[Data[@Name='IpAddress']='192.0.2.50']]" /c:5 /f:text

Output:

Event[0]:
  Event ID: 4625
  Description:
  An account failed to log on.
  Account Name: alicedev
  Source Network Address: 192.0.2.50
  Failure Reason: Unknown user name or bad password.

Bitmask filters with band()#

band(value, mask) returns the bitwise AND — useful for filtering keyword bitmasks like Security audit categories.

rem Security audit failures only (Keywords contains 0x10000000000000)
wevtutil qe Security /q:"*[System[band(Keywords,4503599627370496)]]" /c:5 /f:text

Output:

Event[0]:
  Event ID: 4625
  Description: An account failed to log on.
  Keywords: 0x8010000000000000
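
The filters above are easy to get subtly wrong (seconds where timediff() wants milliseconds, unbalanced brackets, quoting of single-quoted values). The following is an added example, not code from the page or from wevtutil: it generates that XPath subset from typed parameters and reproduces the page's own query strings; `build_xpath`, `wevtutil_qe` and the keyword constants are names this example introduces.

```python
"""Build the XPath filters that wevtutil qe /q: and Get-WinEvent -FilterXPath accept.

Added example (not code from the page or from wevtutil). It emits the XPath
subset the page documents and converts a window given in seconds to the
milliseconds timediff() expects, so "last hour" cannot silently become 3600 ms.
"""
from __future__ import annotations

# Security-log Keywords bits for band(); the first is the page's own example
AUDIT_FAILURE = 0x10000000000000
AUDIT_SUCCESS = 0x20000000000000


def _or_group(field: str, values) -> str:
    """Render (EventID=4624 or EventID=4625)-style alternation."""
    return "(" + " or ".join(f"{field}={int(v)}" for v in values) + ")"


def _xpath_literal(value: str) -> str:
    """Quote a string for XPath 1.0, which has no escape inside '...'."""
    if "'" in value:
        raise ValueError("XPath 1.0 string literals cannot contain a single quote")
    return f"'{value}'"


def build_xpath(*, event_ids=(), levels=(), provider: str | None = None,
                last_seconds: int | None = None, keywords_mask: int | None = None,
                event_data: dict[str, str] | None = None) -> str:
    """Return an XPath string; predicates are ANDed inside System[...] and EventData[...]."""
    system: list[str] = []
    if event_ids:
        system.append(_or_group("EventID", event_ids))
    if levels:
        system.append(_or_group("Level", levels))
    if provider:
        system.append(f"Provider[@Name={_xpath_literal(provider)}]")
    if last_seconds is not None:
        if last_seconds <= 0:
            raise ValueError("time window must be a positive number of seconds")
        # timediff() compares milliseconds: the conversion is the point of this helper
        system.append(f"TimeCreated[timediff(@SystemTime) <= {last_seconds * 1000}]")
    if keywords_mask is not None:
        system.append(f"band(Keywords,{keywords_mask})")
    if not system:
        raise ValueError("at least one System predicate is required")
    parts = ["System[" + " and ".join(system) + "]"]
    if event_data:
        fields = " and ".join(f"Data[@Name={_xpath_literal(k)}]={_xpath_literal(v)}"
                              for k, v in event_data.items())
        parts.append(f"EventData[{fields}]")
    return "*[" + " and ".join(parts) + "]"


def wevtutil_qe(channel: str, xpath: str, count: int = 20, newest_first: bool = True) -> str:
    """Compose the cmd.exe line; the whole /q: argument is double-quoted because the
    XPath may contain spaces and single quotes (the quoting the page's examples use)."""
    rd = "true" if newest_first else "false"
    return f'wevtutil qe {channel} "/q:{xpath}" /c:{count} /rd:{rd} /f:text'


if __name__ == "__main__":
    # Failed logons in the last hour, as on the page, but derived from 3600 seconds
    print(wevtutil_qe("Security", build_xpath(event_ids=[4625], last_seconds=3600)))
```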

set-log: configuring channel behavior#

set-log (alias sl) changes channel-level settings — most often max size, retention behavior, enabled state, and log file path. Each option is passed as /<name>:<value>.

| Option | Meaning | Typical value |
| --- | --- | --- |
| /e:true\|false | Enable or disable the channel | true for Analytic/Debug |
| /q:true\|false | Set quota (allow /ms to apply) | true |
| /ms:<bytes> | Maximum log file size in bytes | 104857600 (100 MB) |
| /rt:true\|false | Retain entries (no overwrite) when full | false (default — circular) |
| /ab:true\|false | AutoBackup when log fills | true for forensic logs |
| /lfn:<path> | Log file name (full path including .evtx) | D:\Logs\Custom.evtx |
| /ca:<SDDL> | Channel access SDDL string | restrict to admins |
| /l:<level> | Logging level | 4 (Information) |

rem 250 MB log, archive on full
wevtutil sl Application /ms:262144000 /ab:true /rt:false

Output: (none — exits 0 on success)

rem Move a log to a faster disk
wevtutil sl Microsoft-Windows-Sysmon/Operational /lfn:D:\Logs\Sysmon.evtx

Output: (none — exits 0 on success)

rem Enable an Analytic channel that's off by default
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /e:true /q:true /ms:33554432

Output: (none — exits 0 on success)

rem Inspect current settings
wevtutil gl System

Output:

name: System
enabled: true
type: Admin
owningPublisher:
isolation: System
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1) ...
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

Publishers and manifests#

A publisher is an event source — typically a binary that ships with an instrumentation manifest (.man). enum-publishers lists every registered publisher; get-publisher shows its channels, levels, keywords, and message strings. install-manifest / uninstall-manifest add or remove a publisher (used by application installers).

rem List all publishers (filter to find a vendor)
wevtutil ep | findstr /I "sysmon\|defender"

Output:

Microsoft-Windows-Sysmon
Microsoft-Windows-Windows Defender

rem Inspect a publisher's channels and events
wevtutil gp Microsoft-Windows-Sysmon

Output:

name: Microsoft-Windows-Sysmon
guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9
helpLink: ...
resourceFileName: C:\Windows\Sysmon64.exe
messageFileName: C:\Windows\Sysmon64.exe
channels:
  channel:
    name: Microsoft-Windows-Sysmon/Operational
    id: 16
    flags: 0
    enabled: true
events:
  event:
    value: 1
    version: 5
    opcode: win:Info
    template: ProcessCreate
    keywords: ...

rem Install / uninstall a manifest (typically run by setup scripts)
wevtutil im "C:\Program Files\MyApp\MyApp.man" /rf:"C:\Program Files\MyApp\MyApp.dll" /mf:"C:\Program Files\MyApp\MyApp.dll"
wevtutil um "C:\Program Files\MyApp\MyApp.man"

Output: (none — exits 0 on success)

archive-log: finalizing exported logs#

archive-log (alias al) embeds the publisher metadata into a .evtx file so it can be opened on a machine that doesn’t have the original publisher installed. Use this on exports going to forensic analysts or off-box investigators.

wevtutil epl Security C:\Logs\Security.evtx
wevtutil al C:\Logs\Security.evtx /l:en-US

Output: (none — exits 0 on success)

The archived file is roughly 10–30% larger than the raw export but is fully self-contained.

Remote queries with /r#

Most wevtutil verbs accept /r:<remote-host>, /u:<user>, and /p:<password> to operate against another machine. The Remote Event Log Management firewall rule must be enabled on the target. A password passed with /p: is visible in the process command line and in console history; omit /p: and wevtutil prompts for it instead.

rem Enable the firewall rule on the target first (run on target)
netsh advfirewall firewall set rule group="remote event log management" new enable=yes

Output:

Updated 3 rule(s).
Ok.

rem Query a remote channel
wevtutil qe System /r:myhost /u:DOMAIN\alicedev /p:s3cr3t /c:5 /f:text

Output:

Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2026-05-25T08:00:14.402
  Event ID: 7045
  Description: A service was installed in the system.

rem Export a remote log to a local share
wevtutil epl Application \\fileserver\evtx\app_%COMPUTERNAME%.evtx /r:myhost /u:DOMAIN\alicedev /p:s3cr3t

Output: (none — exits 0 on success)

rem Inspect a remote channel's settings
wevtutil gl Security /r:myhost

Output: (settings block for the remote channel)

Get-WinEvent — PowerShell equivalent#

PowerShell’s Get-WinEvent is the modern, object-returning counterpart to wevtutil qe. It accepts XPath via -FilterXPath, structured hash-tables via -FilterHashtable, and full XML via -FilterXml. The objects it returns expose .Properties, .Message, .TimeCreated, and .RecordId directly — far easier to chain into Where-Object and Select-Object than parsing wevtutil /f:text.

Basic queries with -FilterHashtable#

The hash-table form is the fastest filter — it pushes the predicate down into the Windows Event Log API.

# Last 50 errors from the System log
Get-WinEvent -FilterHashtable @{
    LogName  = 'System'
    Level    = 1, 2          # 1=Critical, 2=Error
} -MaxEvents 50 |
    Select-Object TimeCreated, Id, ProviderName, Message

Output:

TimeCreated         Id  ProviderName              Message
-----------         --  ------------              -------
5/24/2026 10:14:22  7034 Service Control Manager  The XYZ service terminated unexpectedly.
5/24/2026 10:10:11  41   Microsoft-Windows-Kernel The system has rebooted without cleanly shutting down first.

# Failed logons in the last hour
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-1)
}

# Events from a specific provider
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
}

XPath form#

When the hash-table form can’t express the filter (e.g. EventData field matching), fall back to XPath — same syntax as wevtutil.

Get-WinEvent -LogName Security -FilterXPath @'
    *[System[EventID=4624] and
      EventData[Data[@Name='TargetUserName']='alicedev']]
'@ -MaxEvents 10

Reading .evtx files#

# Same as wevtutil qe /lf:true
Get-WinEvent -Path C:\Logs\System.evtx -MaxEvents 20

Get-EventLog (legacy)#

Get-EventLog is the older cmdlet that pre-dates Get-WinEvent and only works against the classic channels (System, Application, Security, Setup). It’s faster for simple queries but cannot read the modern Microsoft-Windows-* channels.

Get-EventLog -LogName System -EntryType Error -Newest 20
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1) -Source "Application Error"

Clear-EventLog#

# PowerShell equivalent of wevtutil cl
Clear-EventLog -LogName Application

Counting events#

# How many critical/error events in the last 24h?
(Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = (Get-Date).AddDays(-1)
}).Count

Output: 12

Common pitfalls#

  1. Security and System channels require elevation — querying these channels as a standard user returns Access is denied; right-click cmd.exe → Run as administrator.
  2. XPath syntax is strict — malformed XPath produces The parameter is incorrect; test queries in Event Viewer’s Custom Views → Filter Current Log → XML tab first, then copy the <Select> body into wevtutil /q:.
  3. /f:text needed for human-readable output — default format is XML; always add /f:text for scripting or human review.
  4. /lf:true required to query .evtx files — when querying an exported file, add /lf:true (log file mode); omitting it causes a channel-not-found error.
  5. cl is permanent — wevtutil cl has no undo; always export first with epl if the events might be needed for forensics or compliance.
  6. timediff() is millisecond-based, not seconds — a common bug is passing 3600 for “last hour” instead of 3600000. The query silently returns zero events.
  7. Channel access SDDL can lock you out — wevtutil sl /ca: accepts an SDDL string; if you specify one without (A;;0xf;;;BA) granting Administrators full access you’ll be unable to read the channel even when elevated. Reset with wevtutil sl <channel> /ca:"".
  8. Disabled Analytic / Debug channels return zero events — wevtutil qe Microsoft-Windows-Kernel-Process/Analytic silently returns nothing until you sl /e:true the channel first.
  9. epl does not include the publisher manifest — exported .evtx files opened on a machine without the publisher show “the description for Event ID cannot be found”. Run wevtutil al after epl to embed the manifest.
  10. wevtutil and Get-WinEvent use different caches — after toggling a channel with sl /e:true, run wevtutil queries within the same console; PowerShell’s Get-WinEvent may need a process restart to pick up the change.
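
A guard for pitfall 7, as an added example rather than code from the page or from wevtutil: it parses the DACL of a candidate /ca: string and refuses one that leaves Administrators without read access. The access bits, the hex-only mask rule and the helper names (`parse_dacl`, `admins_can_read`, `validate_channel_access`) are this example's own assumptions.

```python
"""Check a channel-access SDDL string before handing it to wevtutil sl /ca:.

Added example, not code from the page or from wevtutil. It parses the DACL
ACEs and refuses a descriptor that leaves Builtin Administrators (BA, SID
S-1-5-32-544) without an Allow ACE that includes read, the lock-out the
pitfall describes. Assumptions: channel access bits 0x1 read, 0x2 write,
0x4 clear; rights must be a hex mask as wevtutil gl prints them, so
letter-coded rights such as GA are rejected rather than misread.
"""
import re

READ, WRITE, CLEAR = 0x1, 0x2, 0x4
ADMIN_TRUSTEES = {"BA", "S-1-5-32-544"}
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")  # D:<flags>(ace)(ace)...
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee), ...] from the D: component, [] if absent."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, trustee = fields[:6]
        if not rights.lower().startswith("0x"):
            raise ValueError(f"ACE ({body}): give the access mask in hex, e.g. 0xf")
        aces.append((ace_type, int(rights, 16), trustee))
    return aces


def admins_can_read(sddl):
    """True only if an Allow ACE for Administrators includes READ and no Deny ACE
    for them covers READ (a deny wins over any allow)."""
    allowed = False
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee in ADMIN_TRUSTEES and mask & READ:
            if ace_type == "D":
                return False
            if ace_type == "A":
                allowed = True
    return allowed


def validate_channel_access(sddl):
    """Return sddl unchanged when it is safe to apply with /ca:, otherwise raise."""
    if not admins_can_read(sddl):
        raise ValueError("refusing: no Allow ACE grants Administrators read; add (A;;0xf;;;BA)")
    return sddl


if __name__ == "__main__":
    # The page's restrictive example plus the administrator ACE the pitfall recommends
    print(validate_channel_access("O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf;;;BA)"))
```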

Real-world recipes#

Find all error events in the last 24 hours across System log#

wevtutil qe System /q:"*[System[Level=2 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /rd:true /f:text /c:20

Output:

Event[0]:
  Log Name: System
  Event ID: 7034
  Level: Error
  Description: The XYZ service terminated unexpectedly.

Export and clear all classic logs in one batch#

@echo off
rem Date stamp assumes the US MM/DD/YYYY %DATE% layout and yields yyyymmdd
set LOGDIR=C:\LogArchive\%DATE:~-4,4%%DATE:~-10,2%%DATE:~-7,2%
mkdir %LOGDIR% 2>NUL
for %%L in (Application System) do (
    wevtutil epl %%L "%LOGDIR%\%%L.evtx"
    wevtutil cl %%L
    echo Archived and cleared: %%L
)

Output:

Archived and cleared: Application
Archived and cleared: System

Count failed logon events (4625) in the last hour#

wevtutil qe Security "/q:*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 3600000]]]" /rd:true /f:text | find /c "Event ID"

Output:

7

Unexpected reboot detection (Kernel-Power 41)#

Event ID 41 from Microsoft-Windows-Kernel-Power indicates an unclean shutdown — power loss, BSOD, or hard reset. Often the first thing to check after a server “reboots itself”.

wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=41)]]" /c:5 /rd:true /f:text

Output:

Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2026-05-23T03:14:22.000Z
  Event ID: 41
  Description:
  The system has rebooted without cleanly shutting down first.

Export the Security log every Sunday at 02:00#

A scheduled task that rolls the Security log weekly and keeps 52 weeks of archives.

@echo off
rem schtasks /create /sc weekly /d sun /st 02:00 /tn "Roll Security Log" /tr "C:\Scripts\roll-sec.cmd" /ru SYSTEM
rem Week label from PowerShell: %DATE% substrings are locale-dependent and give the day, not the week
for /f %%W in ('powershell -NoProfile -Command "Get-Date -UFormat %%Y-W%%V"') do set WEEK=%%W
set OUT=D:\SecArchive\Security_%COMPUTERNAME%_%WEEK%.evtx
mkdir D:\SecArchive 2>NUL
wevtutil epl Security "%OUT%"
wevtutil al "%OUT%" /l:en-US
wevtutil cl Security
echo Rolled to %OUT%

Output:

Rolled to D:\SecArchive\Security_MYHOST_2026-W21.evtx

Detect bursts of 4625 (potential brute force)#

When more than 10 failed logons happen in five minutes, page the SOC.

$threshold = 10
$window    = (Get-Date).AddMinutes(-5)
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $window
} -ErrorAction SilentlyContinue

if ($failures.Count -gt $threshold) {
    $byIp = $failures |
        ForEach-Object { $_.Properties[19].Value } |
        Group-Object | Sort-Object Count -Descending
    Write-Warning "ALERT: $($failures.Count) failed logons in last 5min"
    $byIp | Format-Table Name, Count
}

Output:

WARNING: ALERT: 24 failed logons in last 5min

Name           Count
----           -----
192.0.2.50     18
198.51.100.7   6

Compare event volume between two machines#

A quick sanity check during a fleet roll-out — are the new build’s logs landing where expected?

$hosts = 'srv01','srv02','srv03'
$hosts | ForEach-Object {
    [PSCustomObject]@{
        Host        = $_
        SystemCount = (Get-WinEvent -ComputerName $_ -LogName System -MaxEvents 10000).Count
        SecCount    = (Get-WinEvent -ComputerName $_ -LogName Security -MaxEvents 10000).Count
    }
} | Format-Table -AutoSize

Output:

Host  SystemCount SecCount
----  ----------- --------
srv01        2843     8421
srv02        2901     8501
srv03         142      203   <-- investigate

Forward events to a central collector via Windows Event Forwarding#

WEF uses the Microsoft-Windows-Forwarding/* channels. Confirm a subscription is healthy by checking RuntimeStatus.

rem On the collector — list active subscriptions
wecutil es

Output:

SecurityForwarding
AppForwarding

rem Show subscription runtime status (events received, errors)
wecutil gr SecurityForwarding

Output:

Subscription: SecurityForwarding
RunTimeStatus:
    EventSources:
        myhost.contoso.local:
            RunTimeStatus: Active
            LastError: 0
            LastHeartbeatTime: 2026-05-24T10:13:00.000

rem On a source — verify it can reach the collector
wevtutil qe Microsoft-Windows-Forwarding/Operational /c:5 /rd:true /f:text

Output:

Event[0]:
  Log Name: Microsoft-Windows-Forwarding/Operational
  Source: Microsoft-Windows-EventCollector
  Date: 2026-05-25T08:00:14.402
  Event ID: 100
  Description: Subscription SecurityForwarding is created successfully.

Trim a runaway channel#

When an Analytic channel fills the disk, disable, archive, clear, then re-enable.

wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /e:false
wevtutil epl Microsoft-Windows-Kernel-Process/Analytic D:\Archive\kproc.evtx /lf:false
wevtutil cl Microsoft-Windows-Kernel-Process/Analytic
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /ms:33554432 /rt:false /e:true

Output: (none — each command exits 0 on success)

Build a CSV of all error events from yesterday for a daily report#

$yesterday = (Get-Date).Date.AddDays(-1)
$today     = (Get-Date).Date

Get-WinEvent -FilterHashtable @{
    LogName   = 'System','Application'
    Level     = 1, 2
    StartTime = $yesterday
    EndTime   = $today
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                  @{ N='Message'; E={ $_.Message -replace "`r?`n",' ' } } |
    Export-Csv -NoTypeInformation `
        -Path "C:\Reports\errors_$($yesterday.ToString('yyyy-MM-dd')).csv"

Output: (CSV file written; one row per error event)

  • wecutil — Windows Event Collector utility, manages forwarded-event subscriptions (called out above).
  • tracerpt — converts .etl traces (from logman create trace) to text or CSV.
  • Get-WinEvent — the modern PowerShell cmdlet covered above.
  • logman — adjacent tool for performance-counter and event-trace (ETL) collectors.
  • systeminfo — first stop when correlating events with build, hotfix, and boot-time data.
  • journalctl — the Linux analogue for structured log inspection.

Sources#