Halting Windows Event Logging With wevtutil.exe


  • This topic has 12 replies, 4 voices, and was last updated 12 years ago by Anonymous.
    • #44027
      hoak
      Participant

        In my attempts to research Windows disk writes, and getting more granular control over them I’m trying to find means to halt Windows event logging; which appears to be supported via Windows own Wevtutil with the syntax:

        wevtutil.exe sl “log_name” /e:false

        As there are so many event logs to disable, doing it manually is impractical, and my knowledge of Windows scripting is limited, so I thought I’d try and edit an existing script:

        @echo off
        REM Crude elevation check: without admin rights bcdedit ends with "Access is denied"
        FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
        IF (%adminTest%)==(Access) goto noAdmin
        REM Enumerate every event log channel and clear each one
        for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
        echo.
        echo Event Logs have been cleared!
        goto theEnd
        :do_clear
        echo clearing %1
        wevtutil.exe cl %1
        goto :eof
        :noAdmin
        echo You must run this script as an Administrator!
        echo.
        :theEnd
        REM pause>NUL

        …which is used to enumerate all the logs into a variable and clear them… What I came up with though doesn’t appear to work:

        @echo off
        REM Crude elevation check: without admin rights bcdedit ends with "Access is denied"
        FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
        IF (%adminTest%)==(Access) goto noAdmin
        REM Enumerate every event log channel and disable each one
        for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_halt "%%G")
        echo.
        echo Event Logs have been halted!
        goto theEnd
        :do_halt
        echo halting %1
        wevtutil.exe sl %1 /e:false
        goto :eof
        :noAdmin
        echo You must run this script as an Administrator!
        echo.
        :theEnd
        pause>NUL

        …as events are still being logged… If anyone here with Windows scripting talent can offer any help or advice, it would be much appreciated…

        ❓ 😕

      • #50535

        To clear a particular event log (application, system, security, etc)

        Open command prompt:

        wevtutil cl LOGNAME ; where LOGNAME is the name given to the log.

        For example under Windows Logs in Event Log if you wish to clear the Application portion.

        wevtutil cl Application

        To find the given name of the event log, right click on it and choose Properties. It is listed under Full Name. For example, the Microsoft Office Diagnostics log under Applications and Services Logs is listed as ODiag, so to clear it I would type

        wevtutil cl ODiag

        You can go through the logs manually and build a batch file that clears the entire Event Logs or just particular ones you care about. I have a logon script that clears all the “Windows logs” on startup.

        My script:

        wevtutil cl application
        wevtutil cl system
        wevtutil cl security
        wevtutil cl setup
        wevtutil cl forwardedevents
        wevtutil cl hardwareevents

        Save as clearwindowslogs.bat

        • #50536
          hoak
          Participant

            WTH halladayrules? Did you even read my post? I don’t know how to make it clearer: I know both how to clear the event log and how to use wevtutil’s syntax, as my script for clearing works… The thread is not about clearing the event log, it’s about HALTING event logging…

            Your script doesn’t even work as there are over

            Please!?

            😕

            • #50537

              Sorry yesterday was a long day for me lol u know how that can be.

              Your script works fine.

              It disables all the logs that are able to be disabled.

              The wevtutil sl log_name /e:false is the same as right-clicking on the log and choosing “Disable log”

              The same goes for wevtutil sl log_name /e:true

              GUI version:

              If you notice, when you try to right-click on any of the logs that fall under Windows Logs (i.e. Application, System, etc.) the Disable/Enable log option is not available, which leads me to believe that it is not supported or not practical.

              Disabling all the event logs or “halting” as you call it renders the Windows Event Log service useless. If you are intending to halt or disable event logging why not just disable the Windows Event Log service altogether. As long as you don’t depend on or use the Task Scheduler service or Windows Event Collector service you are better off just disabling the service.
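              A verification script, added here as an example and not posted by either participant: it walks the channel list the way hoak’s script does, reads each channel’s state back with wevtutil gl (the check that tells you whether sl /e:false actually took effect), and with a /restore switch re-enables the channels found disabled, using the sl /e:true form halladayrules mentions. The /restore switch, the counters and the label names are this example’s own; it assumes an elevated command prompt.

```batch
@echo off
setlocal
REM Added example (not from the thread): audit the enabled state of every
REM event log channel and, with /restore, re-enable any channel that is
REM currently disabled. Run from an elevated prompt.
REM Channels under Windows Logs (Application, System, Security, ...) offer
REM no Disable option in Event Viewer and are expected to report enabled.

set "MODE=audit"
if /I "%~1"=="/restore" set "MODE=restore"

set /a ENABLED=0, DISABLED=0, FAILED=0

REM "wevtutil el" lists one channel name per line
for /F "tokens=*" %%G in ('wevtutil.exe el') do call :check "%%G"

echo.
echo Channels enabled: %ENABLED%   disabled: %DISABLED%   query failed: %FAILED%
if "%MODE%"=="audit" echo Run with /restore to re-enable the disabled channels.
endlocal
goto :eof

:check
REM %~1 is the channel name without surrounding quotes.
REM "wevtutil gl <channel>" prints "enabled: true" or "enabled: false";
REM split that line on ": " so %%B holds the value.
set "STATE="
for /F "tokens=1,* delims=: " %%A in ('wevtutil.exe gl "%~1" 2^>nul ^| findstr /B /I "enabled:"') do set "STATE=%%B"
if not defined STATE (
    set /a FAILED+=1
    goto :eof
)
if /I "%STATE%"=="true" (
    set /a ENABLED+=1
    goto :eof
)
set /a DISABLED+=1
echo DISABLED: %~1
if "%MODE%"=="restore" (
    wevtutil.exe sl "%~1" /e:true >nul 2>&1 && echo   re-enabled %~1
)
goto :eof
```

              A non-zero "disabled" count on a host you did not deliberately configure that way is worth following up, since a disabled channel silently drops every event written to it.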

              • #50538
                hoak
                Participant

                  Yes, the NT 6.1 event system is somewhat FUBAR; i.e. it doesn’t appear to behave at the kernel level the way Mark Russinovich describes. Disabling the Windows Event Log Service does not stop disk writes, as the NT kernel still attempts to write events, and though no event is stored, a disk write still takes place… I thought if the proper interface were used and logging were halted with /e:false in UNIX fashion this would stop, but this doesn’t appear to work either…

                  😐

                  • #50539

                    I did some disk monitoring on my Windows Server 2008 32-bit box to see how it behaves on my machine. I used the DiskMon sysinternals utility. I have the Windows Event Log service disabled in this scenario.

                    Here’s the results I got:

                    Total Reads + Writes

                    0-10 mins: 15,570
                    11-20 mins: 689
                    21-30 mins: 1,191
                    31-40 mins: 52
                    41-50 mins: 0
                    51-60 mins: 0

                    Not a single disk write occurred for another 34 minutes, when all of a sudden it went active for a second. Over 5,000 reads/writes occurred. I went into Resource Monitor (task manager) and I pinpointed that my antivirus was downloading a large signature update. During the first hour of uptime on my machine 28,000,000 bytes were devoted to ESET Antivirus; the next closest was Eboostr with 300,000. The next closest was under 10,000.

                    Gotta love Server 2008.

                    • #50540
                      hoak
                      Participant

                        Interesting, and thank you for posting halladayrules! While I did see a sort of (pretty ragged really) gradual slow down for about the first 20 minutes with my minimal service complement, it stayed at about 50 w/m for two hours at which point I gave up; perhaps this is hardware/driver specific…

                        Regardless, I found an interesting solution for SSD users that want to minimize writes to disk in the 64-bit edition of the Windows 7 Embedded Demo in the form of the Enhanced Write Filter.

                        It was a bit of a trick to port and install on Server 2008 R2, but I did get it to work, and as it caches all writes to RAM, it even offers some performance (and security) enhancement on HD systems. Pretty nifty driver/feature Microsoft has made with this, as it can be disabled live, flushing any changes to disk, and then reset at boot.

