Clear all event logs on Windows using PowerShell

I was bored with the vast amount of data in the event logs, most of which was really not useful to me. So, in order to improve readability on my machine, I decided to look for something to clear all of the event logs. Easy.

Since I always use the Administrative Events filter to view every warning and error, I get a lot of junk (who cares about Kernel-Power warnings?).

Administrative Events

I didn’t feel like doing the following steps for each frigging event log there is on my machine. For every single log you would need to go through these steps:

Step 1

Step 2

Now this is an excerpt from the event logs I have on this machine:

Analytic
Application
DirectShowFilterGraph
DirectShowPluginControl
EndpointMapper
ForwardedEvents
HardwareEvents
Internet Explorer
Key Management Service
MF_MediaFoundationDeviceProxy
MediaFoundationDeviceProxy
MediaFoundationPerformance
MediaFoundationPipeline
MediaFoundationPlatform
Microsoft-IE/Diagnostic
Microsoft-IEDVTOOL/Diagnostic
Microsoft-IEFRAME/Diagnostic
Microsoft-IIS-Configuration/Administrative
Microsoft-IIS-Configuration/Analytic
Microsoft-IIS-Configuration/Debug
Microsoft-IIS-Configuration/Operational
Microsoft-PerfTrack-IEFRAME/Diagnostic
Microsoft-PerfTrack-MSHTML/Diagnostic
Microsoft-Windows-ADSI/Debug
Microsoft-Windows-API-Tracing/Operational
Microsoft-Windows-ATAPort/General
Microsoft-Windows-ATAPort/SATA-LPM
Microsoft-Windows-ActionQueue/Analytic
Microsoft-Windows-AltTab/Diagnostic
Microsoft-Windows-AppID/Operational
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Analytic
Microsoft-Windows-Application Server-Applications/Debug

And so on (the full list is about 10 times as long). I’m not going to clear them by hand.

So let’s call PowerShell to the rescue! (Play Thunderbirds theme song!)

First of all (and nothing to do with PowerShell): wevtutil

We’re going to use this tool to display every available event log on this machine:

wevtutil el

The help states:

el | enum-logs          List log names.

Good, that’s what we need. Next up, we pass every line of this list to a command using a pipe and the PowerShell Foreach-Object cmdlet:

wevtutil el | Foreach-Object { … commands go here … }

The commands are going to be

wevtutil cl "$_"

The help states:

cl | clear-log          Clear a log.

And $_ is the current item in the Foreach-Object enumeration. I added the quotes since some event log names contain spaces, and wevtutil needs the full name to be able to clear that log.

Now let’s add some diagnostics output to see which one we’re currently clearing:

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

Now just run it through PowerShell, and bam, a clean event log.

Result

Cheers!

19 thoughts on “Clear all event logs on Windows using PowerShell”

  1. for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    or
    for /f %x in ('wevtutil el') do wevtutil cl "%x"

  2. In PowerShell, if I just run:
    wevtutil el

    … I get output. But if I run:
    wevtutil el | ForEach-Object { Write-Host "Clearing $_"; wevutil cl "$_" }

    …I get
    Clearing DirectShowPluginControl
    The term ‘wevutil’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if
    a path was included, verify that the path is correct and try again.
    At line:1 char:65
    + wevtutil el | ForEach-Object { Write-Host “Clearing $_”; wevutil <<<< cl "$_" }
    + CategoryInfo : ObjectNotFound: (wevutil:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    etc.etc.etc.etc….

  3. Dear Krist, I am having some issues and questions. Do we have to execute Windows PowerShell as the Administrator? If so, we are not in the directory you show (c:\user\"name of user"), so do we need to clear the directory by cd and then cd to the user’s directory that has admin security? I’ve tried it both ways and it didn’t clear any log or come up with an error. Secondly, you display the command line

    c:\user\kristof mattie> wevtutil el | Foreach-Object
    {Write-Host "clearing $_"; wevtutil cl "$_"}

    which doesn’t work for me. Then lower, under the comments, a person named André Verwijs states this command works for him:

    C:\Windows\system32> wevtutil el Foreach-Object
    {Write-Host "clearing $_";wevtutil cl "$_"}
    Which one works? Does the directory need to be the user’s directory, and why doesn’t it seem to work for me? I’m running 64-bit Windows 7. Please help.

  4. Dear Kristof,
    I’ve been using your cleaning line on servers for years now and wanted to thank you for this.
    Now,
    I have a new challenge that I’d like to submit (because I’m still very bad at scripting): can you back up these event logs before cleaning them?
    My first start is to change this:
    wevtutil el | Foreach-Object {Write-Host "Exporting and Clearing $_"; wevtutil epl "$_" "C:InstallEventLog$_"}

    But,
    when it arrives at event logs with a / in the name (like Microsoft-Windows-Wordpad/Diagnostic), it doesn’t work (of course, you cannot create a file with a / in the name).

    So now, my question is: can I replace these / with, let’s say, _ and save all these event logs?
    Thanks in advance

  5. How about this:

    wevtutil el | Foreach-Object { Write-Host "Exporting and Clearing $_"; $safeName = $_ -replace "/", "_"; wevtutil epl $_ "D:\EventLog\$safeName.evtx" /ow:true; wevtutil cl $_ }

    I create a $safeName where I replace the forward slashes with an underscore, export to a directory, and then clear. Notice that my export also does an overwrite if the file exists.
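Comments 4 and 5 above ask for an export-before-clear version of the one-liner from the post. As an added example (not the post’s or the commenters’ own code), this function exports every log under a filesystem-safe name and clears a log only after its export succeeded; the archive folder and the default exclusion of the Security log are assumptions.

```powershell
# Added example, not code from the post or its comments. Run from an elevated prompt.
function Backup-AndClearEventLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ArchiveDir = 'C:\EventLogArchive',   # assumption: archive folder
        [string[]]$Exclude  = @('Security')           # leave the audit trail alone by default
    )
    # wevtutil cannot clear most logs without administrative rights
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $failed = @()

    foreach ($log in (wevtutil el)) {
        if ($Exclude -contains $log) { continue }
        # Names like Microsoft-Windows-Wordpad/Diagnostic contain '/', which is not
        # allowed in a file name; swap it and the other reserved characters for '_'
        # so every log maps to a distinct, valid file.
        $safe   = $log -replace '[\\/:*?"<>|]', '_'
        $target = Join-Path $ArchiveDir "$safe-$stamp.evtx"
        if (-not $PSCmdlet.ShouldProcess($log, "Export to $target, then clear")) { continue }

        # epl = export-log; /ow:true overwrites an existing file of that name.
        wevtutil epl "$log" "$target" /ow:true 2>$null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export of '$log' failed (exit $LASTEXITCODE); leaving it uncleared."
            $failed += $log
            continue
        }
        # cl = clear-log. Clearing is itself recorded: event 104 in the System log
        # (event 1102 in Security when that log is cleared).
        wevtutil cl "$log" 2>$null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Clearing '$log' failed (exit $LASTEXITCODE)."
            $failed += $log
        }
    }
    if ($failed) { Write-Warning "Not cleared: $($failed -join ', ')" }
}

# Preview the plan first; drop -WhatIf to export and clear for real.
Backup-AndClearEventLogs -WhatIf
```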

  6. OK, that’s right. I checked yesterday and everything is all right. Thanks again for your very quick help.
