{"id":50678,"date":"2023-06-01T15:43:33","date_gmt":"2023-06-01T10:13:33","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=50678"},"modified":"2023-09-18T20:03:15","modified_gmt":"2023-09-18T14:33:15","slug":"export-event-logs-event-viewer","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/export-event-logs-event-viewer\/","title":{"rendered":"How to Export Windows Event Logs from Event Viewer"},"content":{"rendered":"

The Windows Event logs provide very valuable information for diagnosing problems on the computer. Event logs store records of significant events on behalf of the system and applications running on the system.<\/p>\n

This article tells you how to export the event logs to a file using the Event Viewer or the wevtutil console tool. The exported .evtx log can be sent to a support technician for diagnosis.<\/p>\n

Export Windows Event Logs<\/h2>\n

To export the event logs to a file, follow one of the methods below.<\/p>\n

Option 1: Using the Event Viewer<\/h3>\n
    \n
  1. Start the Event Viewer. To do so, right-click Start, click Run, type eventvwr.msc and click OK.<\/li>\n
  2. The standard logs are “Application”, “Security”, and “System” which are listed under “Windows logs”. There are also other logs under a separate section named “Applications and Services Logs”. Select the log you want to export. For example, expand Windows Logs<\/strong>, and select System<\/strong>.<\/li>\n
  3. Right-click on the log and click “Save All Events As…<\/strong>“.\n

    \"export<\/li>\n

  4. Select the folder location where you want to save the .evtx file.<\/li>\n
  5. If you’re exporting the log from a system that uses a non-English locale, select “English (United States)” from the languages list in the “Display Information” dialog. When you use this option, a subdirectory (“LocaleMetaData<\/code>“) is created in the destination folder and all locale-specific information is saved in that subdirectory.\"export<\/li>\n
  6. Click OK.<\/li>\n<\/ol>\n
    \nTo send the logs to a support technician, zip all the files in the destination folder (i.e., the .evtx file(s) and the LocaleMetaData<\/strong><\/code> folder) and send the zip archive.<\/p>\n

    \"export\n<\/div>\n

    \n

    Option 2: Using Wevtutil.exe command-line<\/h3>\n

    The built-in wevtutil.exe console tool can be used to export event logs.<\/p>\n

    For example, to export “Application”, “Security”, and “System” logs to a folder (e.g., D:\\Temp), run the following commands from an admin Command Prompt window:<\/p>\n

    wevtutil epl Application D:\\temp\\application.evtx<\/pre>\n
    wevtutil epl Security D:\\temp\\security.evtx<\/pre>\n
    wevtutil epl System D:\\temp\\system.evtx<\/pre>\n
    \n
    Exporting a log under “Application and Services Logs”<\/h4>\n
    To export the “AppReadiness\/Admin” log under the “Application and Services Logs” node, run:<\/p>\n
    wevtutil epl \"Microsoft-Windows-AppReadiness\/Admin\" D:\\temp\\appreadiness-admin.evtx<\/pre>\n
    The log name in the above example is “Microsoft-Windows-AppReadiness\/Admin<\/code>“. The list of event logs can be obtained by running the command wevtutil el<\/strong><\/code>. If a log name contains spaces, enclose the log name within double-quotes when running the wevtutil.exe command-line.\n<\/div>\n
    Note:<\/strong> There doesn’t seem to be a way to export local information when exporting the logs using wevtutil.exe. For more information about wevtutil.exe, see wevtutil | Microsoft Learn<\/a><\/em><\/p>\n
    That’s it. Repeat the above steps to save the other logs if required.<\/p>\n
    RELATED:<\/strong> Wevtutil Error \u201cThe specified channel could not be found\u201d when clearing an Event Log File<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"
    The Windows Event logs provide very valuable information for diagnosing problems on the computer. Event logs store records of significant events on behalf of the system and applications running on the system. This article tells you how to export the event logs to a file using the Event Viewer or the wevtutil console tool. The … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,869],"tags":[106,779],"class_list":["post-50678","post","type-post","status-publish","format-standard","hentry","category-windows-10","category-windows-11","tag-command-prompt","tag-event-viewer"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":31098,"url":"https:\/\/www.winhelponline.com\/blog\/collect-diagnostic-logs-windows\/","url_meta":{"origin":50678,"position":0},"title":"How to Collect Diagnostic Logs in Windows","author":"Ramesh","date":"December 21, 2022","format":false,"excerpt":"There are many different types of diagnostic logs in Windows. Each log is to diagnose a specific component. The Windows Update client creates the Windows Update ETL or Windows Update log files, the Component-Based Servicing uses \"cbs.log\", and the DISM tool writes to \"dism.log\", etc. Besides the native logs, you\u2026","rel":"","context":"In "Utilities"","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"Farbar Recovery Scan Tool - FRST - FRST64.exe","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/farbar.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/farbar.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/farbar.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":893,"url":"https:\/\/www.winhelponline.com\/blog\/clear-task-scheduler-history-windows\/","url_meta":{"origin":50678,"position":1},"title":"How to Clear Task Scheduler History in Windows","author":"Ramesh","date":"April 23, 2009","format":false,"excerpt":"Task Scheduler in Windows tracks events for each scheduled task when the task history option is enabled for the task. The task history can be viewed by opening the task properties and clicking the History tab. The entries are stored in the Microsoft-Windows-TaskScheduler event log. Use the instructions in this\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"clear task scheduler history in event log","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2009\/04\/clear-scheduled-tasks-history.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2009\/04\/clear-scheduled-tasks-history.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2009\/04\/clear-scheduled-tasks-history.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2009\/04\/clear-scheduled-tasks-history.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1814,"url":"https:\/\/www.winhelponline.com\/blog\/custom-view-system-restore-event-log-viewer\/","url_meta":{"origin":50678,"position":2},"title":"How to Create a Custom View for System Restore Events in Event Viewer?","author":"Ramesh","date":"March 4, 2016","format":false,"excerpt":"System Restore errors and informational events are logged in the Application event log. With hundreds of other entries added to the Application log every day, inspecting the System Restore events is time-consuming. Every time the user needs to use \"Filter the current log\" option to display only the System Restore\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/w10\/w10-custom-view-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":19493,"url":"https:\/\/www.winhelponline.com\/blog\/jump-directly-to-specific-event-log-eventvwr\/","url_meta":{"origin":50678,"position":3},"title":"How to Jump to a Specific Event Log (Channel) Directly in Event Viewer","author":"Ramesh","date":"October 24, 2020","format":false,"excerpt":"The event logging service in Windows records important software and hardware events from various sources and stores them in a collection named event log. There are various event log channels in addition to the well-known built-in channels like Application, System, Security, etc.\u00a0The Event Viewer (eventvwr.msc or eventvwr.exe) enables you to\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"eventvwr command-line parameters list","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/eventvwr-commandline.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/eventvwr-commandline.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/eventvwr-commandline.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":75211,"url":"https:\/\/www.winhelponline.com\/blog\/how-to-read-chkdsk-log-event-viewer\/","url_meta":{"origin":50678,"position":4},"title":"How to Read Chkdsk Log in the Event Viewer","author":"Ramesh","date":"May 16, 2024","format":false,"excerpt":"The Chkdsk utility checks the file system and file system metadata of a volume for logical and physical errors and repairs them. When you run Chkdsk c: \/r and schedule it for the next boot, Chkdsk runs the scan during the next boot. The results of the Chkdsk operation is\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"windows event log - filter current log","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":570,"url":"https:\/\/www.winhelponline.com\/blog\/how-to-determine-the-last-shutdown-date-and-time-in-windows\/","url_meta":{"origin":50678,"position":5},"title":"How to Determine the Last Shutdown Time and Date in Windows","author":"Ramesh","date":"September 9, 2008","format":false,"excerpt":"The easiest way to determine the last shutdown date and time is to check the event logs. When you shut down a computer Event ID 1074 is written to the event log which denotes a clean shutdown. The following instructions apply all versions of Windows, including Windows 10. Determine the\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"find last shutdown time windows - wevtutil","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2008\/09\/filter-event-log-1074-id-3.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2008\/09\/filter-event-log-1074-id-3.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2008\/09\/filter-event-log-1074-id-3.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/50678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=50678"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/50678\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=50678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=50678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=50678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}