Export events from a log, log file, or using structured query to a file. Usage: wevtutil { epl

Export events from a log, log file, or using structured query to a file.

Usage:

wevtutil { epl | export-log }  
  [/OPTION:VALUE [/OPTION:VALUE] ...]


By default, you provide a log name for . However, if you
use the /lf option, then you provide the path to a log file for the 
value. If you use the /sq parameter, then you provide the path to a file
containing a structured query. 


Path to the file where the exported events are to be stored.

Options:

You can use either the short (for example, /l) or long (for example, /locale) 
version of the option names. Options and their values are not case-sensitive.

/{lf | logfile}:[true|false]
If true,  is the path to a log file.

/{sq | structuredquery}:[true|false]
If true,  is the path to a file that contains a structured query. The 
command might take a long time if selecting many, but not all, events.

/{q | query}:VALUE
VALUE is an XPath query to filter the events you want to export. If not 
specified, all events will be returned. This option is not available when /sq is 
true. The command might take a long time if selecting many, but not all, events.

/{ow | overwrite}:[true|false]
If true, and the destination file specified in  already exists, it 
will be overwritten without confirmation.

Example:

The following example exports events from System log to 
C:\backup\system0506.evtx.

wevtutil epl System C:\backup\system0506.evtx

Existing restore points on the disk will be deleted and new restore points will not be created. You will not be able to use ... Expands the maximum size available on a virtual disk. Syntax: EXPAND VDISK MAXIMUM= MAXIMUM= Indicates the new virtual size ... Expected data for Software Restriction Policies cannot be found. Use the Group Policy Management Editor to reconfigure the ... Expedited Data Received} The network transport returned data to its client that was marked as expedited by the remote system. ... Export events from a log, log file, or using structured query to a file. Usage: wevtutil { epl | export-log } /OPTION:VALUE ... Extended Mode Negotiation Time is the number of milliseconds taken for the last extended mode security association negotiated. ... Extended Mode SAs That Used Impersonation is the number of extended mode security associations completed using impersonation ... Extended type definition has been skipped for the '{0}' type because its name did not match the value of the FormatTypeName ... Extends the time that Windows waits to turn off the display if you repeatedly turn on the display with the keyboard or mouse. ...