eventquery[.vbs] [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/fo {TABLE|LIST|CSV}] [/r EventRange [/nh] [/v] [/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] ]
Parameters
/s Computer : Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u Domain\User : Runs the script with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
/p Password : Specifies the password of the user account that is specified in the /u parameter.
/fi FilterName : Specifies the types of events to include in or exclude from the query. To find events with either value, Type and ID can be used together in a single syntax statement by using the or operator.The following are valid filter names, operators, and values.
Name Operator Value
Datetime
eq, ne, ge, le, gt, lt
mm/dd/yy(yyyy), hh:mm:ssAM(/PM)
Type
eq, ne, or
ID
eq, ne, or, ge, le, gt, lt
Any valid positive integer.
User
eq, ne
Any valid string.
Computer
eq, ne
Any valid string.
Source
eq, ne
Any valid string.
Category
eq, ne
Any valid string
/fo {TABLE|LIST|CSV} : Specifies the format to use for the output. Valid values are table, list, and csv.
/r EventRange //N= Lists N most recent events, -N = Lists N oldest events, N1-N2 Lists the events from N1 to N2
/v //verbose
//GET HELP cscript c:\windows\system32\eventyquery.vbs /?
//the 10 most recent items in the log security (default is TABLE format) cscript c:\windows\system32\eventquery.vbs /l security /r 10
//the 10 oldest items in the log security in LIST format cscript c:\windows\system32\eventquery.vbs /r -10 /fo LIST /l security
cscript c:\windows\system32\eventquery.vbs /l security /r 10
Eventquery /v /l system /fi "type eq error" /fi "source eq eventlog" /fi "datetime eq mm\dd\yy" /fo csv >> c:\errors.csv
Cscript Eventquery.vbs /l system /fi "Datetime gt mm/dd/yy,12:00:00AM" /fi "Type eq Warning"