Halting Windows Event Logging With wevtutil.exe
- This topic has 12 replies, 4 voices, and was last updated 13 years, 3 months ago by Anonymous.
- 8th January 2011 at 12:43 #44027
In my attempts to research Windows disk writes, and to get more granular control over them, I’m trying to find a means to halt Windows event logging, which appears to be supported via Windows’ own Wevtutil with the syntax:
wevtutil.exe sl "log_name" /e:false
As there are so many event logs to disable doing it manually is impractical, and my knowledge of Windows scripting limited, so I thought I’d try and edit an existing script:
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo.
:theEnd
REM pause>NUL

…which is used to enumerate all the logs into a variable and clear them… What I came up with though doesn’t appear to work:
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_halt "%%G")
echo.
echo Event Logs have been halted!
goto theEnd
:do_halt
echo halting %1
wevtutil.exe sl %1 /e:false
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo.
:theEnd
pause>NUL

…as events are still being logged… If anyone here with Windows scripting talent can offer any help or advice, it would be much appreciated…
❓ :geek: 😕
- 8th January 2011 at 13:20 #50535
To clear a particular event log (application, system, security, etc)
Open command prompt:
wevtutil cl LOGNAME ; where LOGNAME is the name given to the log.
For example under Windows Logs in Event Log if you wish to clear the Application portion.
wevtutil cl Application
To find the given name of the event log, right-click on it and choose Properties. It is listed under Full Name. For example, the Microsoft Office Diagnostics log under Applications and Services Logs is listed as ODiag, so to clear it I would type
wevtutil cl ODiag
You can go through the logs manually and build a batch file that clears the entire Event Logs or just particular ones you care about. I have a logon script that clears all the “Windows logs” on startup.
My script:
wevtutil cl application
wevtutil cl system
wevtutil cl security
wevtutil cl setup
wevtutil cl forwardedevents
wevtutil cl hardwareevents

Save as clearwindowslogs.bat
- 8th January 2011 at 15:22 #50536
WTH halladayrules? Did you even read my post? I don’t know how to make it clearer: I know both how to clear the event log and how to use wevtutil’s syntax, as my script for clearing works… The thread is not about clearing the event log, it’s about HALTING event logging…
Your script doesn’t even work as there are over
Please!?
😕
- 8th January 2011 at 17:29 #50537
Sorry yesterday was a long day for me lol u know how that can be.
Your script works fine.
It disables all the logs that are able to be disabled.
The wevtutil sl log_name /e:false is the same as right-clicking on the log and choosing “Disable log”.
The same goes for wevtutil sl log_name /e:true.
GUI version:
If you notice, when you try to right-click on any of the logs that fall under Windows Logs (i.e. Application, System, etc.) the Disable/Enable log option is not available, which leads me to believe that it is not supported or not practical.
Disabling all the event logs or “halting” as you call it renders the Windows Event Log service useless. If you are intending to halt or disable event logging why not just disable the Windows Event Log service altogether. As long as you don’t depend on or use the Task Scheduler service or Windows Event Collector service you are better off just disabling the service.
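A defender-side companion to the scripts in this thread, added here as an example rather than taken from any post: it lists every channel whose wevtutil gl status reads enabled: false (the state the /e:false loop above would leave behind), and then prints the newest records that show a log was cleared (Security event 1102, System event 104). It assumes an elevated cmd prompt and the field names wevtutil prints on Server 2008 R2.

```batch
@echo off
setlocal
REM Added audit script (not from this thread). Run from an elevated prompt:
REM reading the Security log and "gl" on some channels require admin rights.

echo === Logs whose "enabled:" status is false ===
REM "wevtutil el" enumerates every channel; "wevtutil gl" prints a line
REM "enabled: true" or "enabled: false" for it. The thread notes that the
REM logs under Windows Logs offer no Disable option, so they are expected
REM to keep reporting true even after "sl /e:false" was run against them.
for /F "tokens=*" %%G in ('wevtutil.exe el') do (
    for /F "tokens=2 delims= " %%S in ('wevtutil.exe gl "%%G" 2^>nul ^| findstr /I /C:"enabled:"') do (
        if /I "%%S"=="false" echo DISABLED  %%G
    )
)

echo.
echo === Newest "log was cleared" records ===
REM Security 1102 = the audit log was cleared; System 104 = a log file was cleared.
REM /rd:true returns newest first, /c:5 caps the count, /f:text keeps it readable.
wevtutil.exe qe Security /q:"*[System[(EventID=1102)]]" /f:text /c:5 /rd:true
wevtutil.exe qe System /q:"*[System[(EventID=104)]]" /f:text /c:5 /rd:true
endlocal
```

A logon script like the one posted earlier in this thread shows up in the second section as a fresh 1102/104 record at every boot, which is the signal a reviewer of these hosts would look for.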
- 8th January 2011 at 20:18 #50538
Yes, the NT 6.1 event system is somewhat FUBAR; i.e. it doesn’t appear to behave at the kernel level the way Mark Russinovich describes. Disabling the Windows Event Log Service does not stop disk writes, as the NT Kernel still attempts to write events, and though no event is stored, a disk write still takes place… I thought if the proper interface were used and logging were halted with /e:false in UNIX fashion this would stop, but this doesn’t appear to work either…
😐
- 9th January 2011 at 19:44 #50539
I did some disk monitoring on my Windows Server 2008 32-bit box to see how it behaves on my machine. I used the DiskMon sysinternals utility. I have the Windows Event Log service disabled in this scenario.
Here’s the results I got:
Total Reads + Writes
0-10 mins: 15,570
11-20 mins: 689
21-30 mins: 1,191
31-40 mins: 52
41-50 mins: 0
51-60 mins: 0

Not a single disk write occurred for another 34 minutes, when all of a sudden it went active for a second. Over 5,000 reads/writes occurred. I went into Resource Monitor (task manager) and pinpointed that my antivirus was downloading a large signature update. During the first hour of uptime on my machine 28,000,000 bytes were devoted to ESET Antivirus; the next closest was Eboostr with 300,000. The next closest was under 10,000.
Gotta love Server 2008.
- 16th January 2011 at 08:39 #50540
Interesting, and thank you for posting halladayrules! While I did see a sort of (pretty ragged really) gradual slow down for about the first 20 minutes with my minimal service complement, it stayed at about 50 w/m for two hours at which point I gave up; perhaps this is hardware/driver specific…
Regardless, I found an interesting solution for SSD users that want to minimize writes to disk in the 64-bit edition of the Windows 7 Embedded Demo in the form of the Enhanced Write Filter.
It was a bit of a trick to port and install on Server 2008 R2, but I did get it to work, and as it caches all writes to RAM, it even offers some performance (and security) enhancement on HD systems. Pretty nifty driver/feature Microsoft has made with this, as it can be disabled live, flushing any changes to disk, and then reset at boot.
:ugeek: