How can I view information in the Event Log from the command line?

John Savill

March 4, 1999


A. A utility called DUMPEL.EXE, supplied with the Windows NT Resource Kit, writes the contents of an event log out as a comma- or tab-separated file. It can dump the events from any of the three logs on the local or a remote computer. For full information see the NT Resource Kit Tools help; the basic syntax is shown below.

dumpel -f <filename> [-s \\<server>] [-l <logname>] -c
e.g., dumpel -f applog.txt -l application -c

This dumps the Application log to a comma-separated file (use -t instead of -c for a tab-separated file).

Another useful switch is -e, which restricts the output to a given event ID; in the same way, -m restricts the output to events from a given source, e.g.

dumpel -f winlogon.txt -l application -c -m "winlogon"

This would output all Application log events from the winlogon source (the quotes are not needed if the name is a single word).
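Once the log has been dumped, the file is just delimited text, so the same filtering that -e and -m perform on the live log can be done afterwards on the export. The following Python script is an added example and is not code from the article or from the Resource Kit: it parses a tab-separated dump (the form "dumpel -t" writes), applies a source filter and an event ID filter, and tallies events by type. The column order (date, time, type code, category, event ID, source, computer, user, description) and the numeric type codes are assumptions taken from the documented layout and should be checked against your own output; the sample lines are constructed, not real log data.

```python
import csv
from collections import Counter
from io import StringIO

# Assumed column order of a dumpel dump (an assumption; verify against the
# Resource Kit help and your own output before relying on it).
FIELDS = ["date", "time", "type", "category", "event_id",
          "source", "computer", "user", "description"]

# Numeric event type codes as dumpel writes them (assumed to follow the
# EVENTLOG_* constants).
TYPE_NAMES = {1: "Error", 2: "Warning", 4: "Information",
              8: "Success Audit", 16: "Failure Audit"}

# Constructed sample in the tab-separated form "dumpel -t" produces.
# These are made-up events, not output captured from any machine.
SAMPLE_DUMP = (
    "3/4/1999\t08:01:12 AM\t4\t0\t6005\tEventLog\tWORKSTN1\tN/A\tThe Event log service was started.\n"
    "3/4/1999\t08:02:40 AM\t4\t0\t1000\tWinlogon\tWORKSTN1\tN/A\tWinlogon started.\n"
    "3/4/1999\t08:05:03 AM\t16\t2\t529\tSecurity\tWORKSTN1\tN/A\tLogon Failure: Unknown user name or bad password.\n"
    "3/4/1999\t08:05:31 AM\t8\t2\t528\tSecurity\tWORKSTN1\tWORKSTN1\\jsavill\tSuccessful Logon.\n"
    "3/4/1999\t08:07:10 AM\t16\t2\t529\tSecurity\tWORKSTN1\tN/A\tLogon Failure: Unknown user name or bad password.\n"
    "3/4/1999\t08:09:55 AM\t2\t0\t1001\tWinlogon\tWORKSTN1\tN/A\tProfile load was slow.\n"
)


def parse_dumpel(text, delimiter="\t"):
    """Parse dumpel output into a list of dicts, one per event."""
    events = []
    reader = csv.reader(StringIO(text), delimiter=delimiter, quoting=csv.QUOTE_NONE)
    fixed_count = len(FIELDS) - 1  # every column except the free-text description
    for rec in reader:
        if len(rec) < fixed_count:
            continue  # blank or truncated line: skip it rather than misalign columns
        # Anything beyond the fixed columns is description text that happened
        # to contain the delimiter; glue it back together.
        fixed, rest = rec[:fixed_count], rec[fixed_count:]
        ev = dict(zip(FIELDS, fixed + [delimiter.join(rest)]))
        ev["type"] = int(ev["type"])
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def filter_events(events, source=None, event_ids=None):
    """Mirror dumpel's -m (source name) and -e (event ID) filters on parsed events."""
    out = []
    for ev in events:
        if source is not None and ev["source"].lower() != source.lower():
            continue
        if event_ids is not None and ev["event_id"] not in event_ids:
            continue
        out.append(ev)
    return out


def count_by_type(events):
    """Tally events by type name; unknown codes are reported as 'Type <n>'."""
    return Counter(TYPE_NAMES.get(ev["type"], "Type %d" % ev["type"]) for ev in events)


if __name__ == "__main__":
    evs = parse_dumpel(SAMPLE_DUMP)
    for name, n in sorted(count_by_type(evs).items()):
        print("%-14s %d" % (name, n))
    # Same selection as "-m winlogon" on the live log, applied to the export
    for ev in filter_events(evs, source="winlogon"):
        print(ev["date"], ev["time"], ev["event_id"], ev["description"])
```

Reading the dump with quoting disabled matters because event descriptions can contain stray double quotes, which the default CSV quoting rules would otherwise swallow; joining any surplus columns back into the description keeps a delimiter inside the message text from shifting the fixed columns.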

Another application is NTLast which can be downloaded from http://www.ntobjectives.com. This utility does two major things that event viewer does not. It can distinguish remote/interactive logons and it matches logon times with logoff times. Example uses:

ntlast - gets a default list of last 10 successful logons against local machine
ntlast /f - gets last 10 failed logon attempts
ntlast /f /i - gets last 10 failed interactive logon attempts
ntlast /f /r - gets last 10 failed remote logon attempts
ntlast /i - gets last 10 successful logons
ntlast /r - gets last 10 successful remote logons
ntlast /n 6 - gets last 6 logons

And, most useful:
ntlast /m machinename /f /r - gets last 10 failed remote attempts against machinename
