Halting Windows Event Logging With wevtutil.exe

    • #44027
      hoak
      Participant

      In my attempts to research Windows disk writes, and to get more granular control over them, I’m trying to find a means to halt Windows event logging, which appears to be supported via Windows’ own Wevtutil with the syntax:

      wevtutil.exe sl "log_name" /e:false

      As there are so many event logs to disable, doing it manually is impractical, and my knowledge of Windows scripting is limited, so I thought I’d try and edit an existing script:

      @echo off
      REM Crude elevation check: bcdedit ends with "Access is denied." when not run as Administrator
      FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
      IF (%adminTest%)==(Access) goto noAdmin
      REM Enumerate every channel name and hand each one to :do_clear
      for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
      echo.
      echo Event Logs have been cleared! ^<press any key^>
      goto theEnd
      :do_clear
      echo clearing %1
      wevtutil.exe cl %1
      goto :eof
      :noAdmin
      echo You must run this script as an Administrator!
      echo ^<press any key^>
      :theEnd
      REM pause>NUL

      …which is used to enumerate all the logs into a variable and clear them… What I came up with though doesn’t appear to work:

      @echo off
      REM Crude elevation check: bcdedit ends with "Access is denied." when not run as Administrator
      FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
      IF (%adminTest%)==(Access) goto noAdmin
      REM Enumerate every channel name and hand each one to :do_halt
      for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_halt "%%G")
      echo.
      echo Event Logs have been halted! ^<press any key^>
      goto theEnd
      :do_halt
      echo halting %1
      wevtutil.exe sl %1 /e:false
      goto :eof
      :noAdmin
      echo You must run this script as an Administrator!
      echo ^<press any key^>
      :theEnd
      pause>NUL

      …as events are still being logged… If anyone here with Windows scripting talent can offer any help or advice, it would be much appreciated…

      ❓ :geek: 😕
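Whether the loop above "worked" is easier to settle by reading back each channel's configured state than by watching for new events: wevtutil gl <channel> (get-log) prints the channel configuration as key: value lines (enabled:, type:, and an indented logging: section with logFileName: and maxSize:). The following is an added example, not code from this thread: a Python parser for that output, run over a constructed sample, which reports which channels are disabled and which channels a defender relies on are unexpectedly off, since a disabled channel is a blind spot whether it was switched off by a script or by mistake. Every value in the sample (sizes, SDDL, the zeroed publisher GUID) is invented, and collect_live_output() is an assumed helper that gathers the real output on a Windows host.

```python
import subprocess
from typing import Dict, List

# Constructed sample of `wevtutil gl <channel>` output for three channels, joined the
# way a loop over `wevtutil el` would produce it. The key/value layout follows the
# tool; every value (sizes, SDDL, the placeholder publisher GUID) is invented here.
SAMPLE_GL_OUTPUT = """\
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-5-32-544)
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Application.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
name: Security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-5-32-544)
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
  fileMax: 1
name: Microsoft-Windows-PowerShell/Operational
enabled: false
type: Operational
owningPublisher: {00000000-0000-0000-0000-000000000000}
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-5-32-544)
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Microsoft-Windows-PowerShell%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 15728640
publishing:
  fileMax: 1
"""


def parse_gl_output(text: str) -> Dict[str, Dict[str, str]]:
    """Parse concatenated `wevtutil gl` output into {channel name: {key: value}}.

    Each channel starts at a `name:` line. Top-level lines are `key: value`; a key
    with no value (logging:, publishing:) opens a section whose two-space indented
    sub-keys are flattened as `section.key`, e.g. `logging.maxSize`.
    """
    channels: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")   # split on the FIRST colon only,
        key, value = key.strip(), value.strip()        # so SDDL values keep their colons
        if raw.startswith("  "):
            current[f"{section}.{key}"] = value
            continue
        section = key if value == "" else ""
        if key == "name":
            current = {}
            channels[value] = current
        else:
            current[key] = value
    return channels


def disabled_channels(channels: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of channels whose `enabled` flag is not true, sorted for stable output."""
    return sorted(n for n, p in channels.items() if p.get("enabled", "").lower() != "true")


def unexpectedly_disabled(channels: Dict[str, Dict[str, str]], required: List[str]) -> List[str]:
    """Required channels (ones a defender relies on) that are missing or disabled."""
    off = set(disabled_channels(channels))
    return sorted(n for n in required if n not in channels or n in off)


def log_file_sizes(channels: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Configured maximum file size per channel in bytes, from logging.maxSize."""
    return {n: int(p["logging.maxSize"]) for n, p in channels.items() if "logging.maxSize" in p}


def collect_live_output() -> str:
    """Windows only (assumed helper): list channels with `wevtutil el`, then gather
    `wevtutil gl` for each. Channels that refuse the query are skipped."""
    names = subprocess.run(["wevtutil", "el"], capture_output=True, text=True, check=True).stdout
    chunks = []
    for name in (n.strip() for n in names.splitlines() if n.strip()):
        result = subprocess.run(["wevtutil", "gl", name], capture_output=True, text=True)
        if result.returncode == 0:
            chunks.append(result.stdout)
    return "".join(chunks)


if __name__ == "__main__":
    chans = parse_gl_output(SAMPLE_GL_OUTPUT)
    print("disabled:", disabled_channels(chans))
    print("unexpectedly disabled:",
          unexpectedly_disabled(chans, ["Security", "Microsoft-Windows-PowerShell/Operational"]))
```

On a real host, replace SAMPLE_GL_OUTPUT with collect_live_output() and feed the result to the same functions; comparing two captures taken at different times shows exactly which channels changed state.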

    • #50535

      To clear a particular event log (application, system, security, etc)

      Open command prompt:

      wevtutil cl LOGNAME ; where LOGNAME is the name given to the log.

      For example under Windows Logs in Event Log if you wish to clear the Application portion.

      wevtutil cl Application

      To find the given name of the event log, right-click on it and choose Properties. It is listed under Full Name. For example, the Microsoft Office Diagnostics log under Applications and Services Logs is listed as ODiag, so to clear it I would type

      wevtutil cl ODiag

      You can go through the logs manually and build a batch file that clears the entire Event Logs or just the particular ones you care about. I have a logon script that clears all the “Windows logs” on startup.

      My script:

      wevtutil cl application
      wevtutil cl system
      wevtutil cl security
      wevtutil cl setup
      wevtutil cl forwardedevents
      wevtutil cl hardwareevents

      Save as clearwindowslogs.bat

    • #50536
      hoak
      Participant

      WTH halladayrules? Did you even read my post? I don’t know how to make it clearer: I know both how to clear the event log and how to use wevtutil’s syntax, as my script for clearing works… The thread is not about clearing the event log, it’s about HALTING event logging…

      Your script doesn’t even work as there are over

      Please!?

      😕

    • #50537

      Sorry, yesterday was a long day for me lol, you know how that can be.

      Your script works fine.

      It disables all the logs that are able to be disabled.

      The wevtutil sl log_name /e:false is the same as right-clicking on the log and choosing “Disable log”

      The same goes for wevtutil sl log_name /e:true

      GUI version:

      If you notice, when you try to right-click on any of the logs that fall under Windows Logs (i.e. Application, System, etc.) the Disable/Enable log option is not available, which leads me to believe that it is not supported or not practical.

      Disabling all the event logs or “halting” as you call it renders the Windows Event Log service useless. If you are intending to halt or disable event logging why not just disable the Windows Event Log service altogether. As long as you don’t depend on or use the Task Scheduler service or Windows Event Collector service you are better off just disabling the service.
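Seen from the defender's side, the three operations discussed in this thread (wevtutil cl, wevtutil sl ... /e:false, and stopping the Windows Event Log service) are what a detection engineer keys on, because a channel that has been cleared or switched off cannot report its own absence; the command that did it, captured by process-creation auditing, is the durable evidence. The following is an added example, not code from this thread: a Python scanner over constructed process-creation records in the shape of Security 4688 / Sysmon Event ID 1 CommandLine fields. Host names, user names and the command lines are invented; the rules are the editor's, and the burst check reflects that an enumerate-everything loop like the one earlier in the thread shows up as many disable commands from one host in quick succession.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed process-creation records (the shape of Windows Security 4688 or
# Sysmon Event ID 1 "CommandLine" fields). Hosts, users and commands are invented.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"host": "srv01", "user": "CORP\\admin1",
     "cmd": 'wevtutil.exe sl "Microsoft-Windows-PowerShell/Operational" /e:false'},
    {"host": "srv01", "user": "CORP\\admin1",
     "cmd": 'wevtutil.exe sl "Microsoft-Windows-TaskScheduler/Operational" /e:false'},
    {"host": "srv01", "user": "CORP\\admin1", "cmd": "wevtutil.exe cl Security"},
    {"host": "srv02", "user": "CORP\\backup", "cmd": "wevtutil qe Application /c:5 /f:text"},
    {"host": "srv02", "user": "CORP\\admin1", "cmd": "wevtutil sl Security /ms:134217728"},
    {"host": "srv03", "user": "CORP\\svc", "cmd": "net stop eventlog"},
    {"host": "srv03", "user": "CORP\\svc",
     "cmd": 'C:\\Windows\\System32\\wevtutil.exe SL "System" /E:FALSE'},
]

WEVTUTIL = r"\bwevtutil(?:\.exe)?\s+"
RULES = [
    # wevtutil cl / clear-log: a channel was wiped. Correlate with Security 1102
    # ("The audit log was cleared") or System 104 when those survive.
    ("event_log_cleared",
     re.compile(WEVTUTIL + r"(?:cl|clear-log)\b", re.I)),
    # wevtutil sl ... /e:false (long form /enabled:false): the channel was switched
    # off, the command-line twin of "Disable Log" in the Event Viewer GUI.
    ("event_channel_disabled",
     re.compile(WEVTUTIL + r"(?:sl|set-log)\b.*?/e(?:nabled)?:\s*false\b", re.I)),
    # The whole Windows Event Log service (service name EventLog) stopped or disabled.
    ("eventlog_service_stopped",
     re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config))\s+eventlog\b", re.I)),
]
# The channel name is the first argument after cl/sl, quoted or bare.
CHANNEL = re.compile(WEVTUTIL + r'(?:cl|clear-log|sl|set-log)\s+(?:"([^"]+)"|(\S+))', re.I)


def scan(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (record, matching rule), naming the channel when present.
    Benign wevtutil use (qe queries, sl that only resizes a log) produces nothing."""
    findings = []
    for rec in records:
        for rule, pattern in RULES:
            if not pattern.search(rec["cmd"]):
                continue
            m = CHANNEL.search(rec["cmd"])
            channel = (m.group(1) or m.group(2)) if m else ""
            findings.append({"host": rec["host"], "user": rec["user"], "rule": rule,
                             "channel": channel, "cmd": rec["cmd"]})
    return findings


def burst_hosts(findings: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts that disabled at least `threshold` channels. A loop over `wevtutil el`
    that disables everything shows up as a burst of these from one host."""
    counts = Counter(f["host"] for f in findings if f["rule"] == "event_channel_disabled")
    return sorted(h for h, n in counts.items() if n >= threshold)


def rule_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Per-rule totals, handy for a quick triage summary."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_RECORDS)
    for h in hits:
        print(f'{h["host"]:6} {h["user"]:14} {h["rule"]:26} {h["channel"]!r:45} {h["cmd"]}')
    print("burst hosts:", burst_hosts(hits))
    print("totals:", rule_counts(hits))
```

In production the records come from the 4688 or Sysmon stream rather than a list; the same regexes work on the CommandLine field, and the burst window should be bounded in time (for example, disable commands within one minute) rather than over the whole corpus as here.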

    • #50538
      hoak
      Participant

      Yes, the NT 6.1 event system is somewhat FUBAR; i.e. it doesn’t appear to behave at the kernel level the way Mark Russinovich describes. Disabling the Windows Event Log Service does not stop disk writes, as the NT Kernel still attempts to write events, and though no event is stored, a disk write still takes place… I thought if the proper interface were used and logging were halted with /e:false in UNIX fashion this would stop, but this doesn’t appear to work either…

      😐

    • #50539

      I did some disk monitoring on my Windows Server 2008 32-bit box to see how it behaves on my machine. I used the DiskMon sysinternals utility. I have the Windows Event Log service disabled in this scenario.

      Here’s the results I got:

      Total Reads + Writes

      0-10 mins: 15,570
      11-20 mins: 689
      21-30 mins: 1,191
      31-40 mins: 52
      41-50 mins: 0
      51-60 mins: 0

      Not a single disk write occurred for another 34 minutes, when all of a sudden it went active for a second. Over 5,000 reads/writes occurred. I went into Resource Monitor (task manager) and I pinpointed that my antivirus was downloading a large signature update. During the first hour of uptime on my machine 28,000,000 bytes were devoted to ESET Antivirus; the next closest was Eboostr with 300,000. The next closest was under 10,000.

      Gotta love Server 2008.

    • #50540
      hoak
      Participant

      Interesting, and thank you for posting halladayrules! While I did see a sort of (pretty ragged really) gradual slow down for about the first 20 minutes with my minimal service complement, it stayed at about 50 w/m for two hours at which point I gave up; perhaps this is hardware/driver specific…

      Regardless, I found an interesting solution for SSD users that want to minimize writes to disk in the 64-bit edition of the Windows 7 Embedded Demo in the form of the Enhanced Write Filter.

      It was a bit of a trick to port and install on Server 2008 R2, but I did get it to work, and as it caches all writes to RAM, it even offers some performance (and security) enhancement on HD systems. Pretty nifty driver/feature Microsoft has made with this, as it can be disabled live, flushing any changes to disk, and then reset at boot.

      :ugeek:
