How to query logs in Event Viewer using the command line

On Windows OS’s pre-Windows Vista:

Open the command line and browse to the directory containing the eventquery.vbs script:

cd C:\WINDOWS\system32

Then, you can specify which log you are trying to work with. For example, if you are using the Application log, you can use the Application argument.

cscript eventquery.vbs /L Application /V

You can further refine your search by including a search pattern. This can be done by piping the output of the query to the findstr command which will be able to pattern match the output. For instance, if you want to find the string “Performance counters for the WmiApRpl” in the output of the Application log, you can use:

cscript eventquery.vbs /L Application /V | findstr /C:"Performance counters for the WmiApRpl"

If you want to specify the level of the event, such as “Information,” you can include:

cscript eventquery.vbs /L Application /V /FI "Type eq Information"| findstr /C:"Performance counters for the WmiApRpl"

On Windows Vista or later:

Once you have determined which log you would like to query, type something such as:

wevtutil qe System

This will query the System log. If you have an archived .evt log file, you can find the text “license found” using:

wevtutil qe "C:\Directory\SubDirectory\logFile.evt" /lf:true | findstr /C:"license found"

If you want to restrict searches to only include a certain event level, you can query for them using their level number. Level 4 is Information, 3 is Warning, 2 is Error, and 1 is Critical.