Earlier today I got a question from Joe about how to delete all administrative events in the Windows event log. There are actually (at least) two ways of doing this: with PowerShell, or with the built-in command-line utility for administering the Windows event log. Let's start with PowerShell.

Just for the record, I have tested this on Windows 10 and not on Windows 7, but these commands are supported from PowerShell 3. Also make sure you run all commands with administrative permissions!

PowerShell

With the cmdlet Get-EventLog you can enumerate all the old classic event logs, like Application and System. If you want to get all event logs, you need to use the cmdlet Get-WinEvent.


Now, to clean an event log, use the PowerShell cmdlet Clear-EventLog. To empty just one log, type for example Clear-EventLog -LogName Application and the Application log will be emptied.

Since we want to empty all of these logs, we would like to pipe all the log names to Clear-EventLog, but unfortunately that is not supported. So we need a foreach loop to handle it, like this:

Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }

This empties all your classic event logs in one shot.


Command WevtUtil.exe

If you would rather use the command-line utility, its help output can be a bit tricky to understand.


If you run WevtUtil enum-logs (or the short form WevtUtil el) you get a list of all the event logs available on the system.


To get more information about a log, use the get-log (gl) option, for example: WevtUtil gl Application


And finally, to empty a certain event log, use the clear-log (cl) option:

WevtUtil cl Application

If you want to back up the event log as well, just add the /bu parameter:

wevtutil cl Application /bu:AppBackup.evtx

So if there are certain logs you want to empty, this is the command to use. If you want to empty all of them, I would probably use a combination of PowerShell and the command-line utility, something like this:

$Logs = Get-WinEvent -ListLog * -Force
foreach ($Log in $Logs) {
    Wevtutil.exe cl $Log.LogName
}

or as a one-liner, something like this:

Get-WinEvent -ListLog * -Force | % { Wevtutil.exe cl $_.LogName }
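As an added example (not code from the original post), here is the same loop combined with the /bu backup shown above, so every log is saved to an .evtx file before it is cleared and can still be examined later. The backup folder, the file-name sanitizing and the exit-code check are my additions; it assumes an elevated PowerShell session and wevtutil.exe on the PATH.

```powershell
# Added example, not from the original post: back up every log to .evtx before clearing it.
# Assumes an elevated session and wevtutil.exe on the PATH; $BackupDir is a hypothetical path.
$BackupDir = Join-Path $env:SystemDrive ("EventLogBackup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# -Force includes debug/analytic logs; skipping empty logs avoids needless wevtutil errors
$Logs = Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }

foreach ($Log in $Logs) {
    # Log names such as Microsoft-Windows-Sysmon/Operational contain '/', which is not
    # allowed in a file name, so replace invalid characters before building the path
    $File = Join-Path $BackupDir (($Log.LogName -replace '[\\/:*?"<>|]', '-') + '.evtx')

    # wevtutil cl with /bu writes the backup first and only then clears the log
    wevtutil.exe cl $Log.LogName "/bu:$File"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not clear $($Log.LogName) (wevtutil exit code $LASTEXITCODE)"
    }
}

# Clearing is itself logged: Event ID 104 (Microsoft-Windows-Eventlog) in the System log for
# each log cleared, and Event ID 1102 in the Security log when Security is cleared. Since the
# System log was cleared in the loop above, only the 104 entries written after that remain.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

The .evtx files in $BackupDir can be opened again with Get-WinEvent -Path or in Event Viewer.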

This is a super fast published post, so please excuse me for all the spelling errors or other mistakes!
