Clear Event Logs with Powershell (Microsoft Windows)

To totally unlock this section you need to Log-in

Clearing Event Logs on Windows could be useful when testing or developing software, but even for specific troubleshooting. To clear all of the event logs, we can run PowerShell as an administrator and type the following command:

wevtutil el | Foreach-Object {wevtutil cl "$_"}

Remember that this command will clear ALL event logs. If you want to clear an individual log (Application log for example) we will use the following:

wevtutil cl application

If we want to get a list of all the event logs on your server/client we will use the following:

wevtutil el

It will provide you with a list similar to the following (you will get a very long list by executing the above command):

C:\>wevtutil el
AMSI/Debug
AirSpaceChannel
Analytic
Application
DebugChannel
DirectShowFilterGraph
DirectShowPluginControl
Els_Hyphenation/Analytic
EndpointMapper
FirstUXPerf-Analytic
ForwardedEvents
General Logging
HardwareEvents
IHM_DebugChannel
Intel-SST-BUS/Debug
Intel-SST-OED/IntcOED_ETW_Debug
Intel-iaLPSS-GPIO/Analytic
Intel-iaLPSS-I2C/Analytic
Intel-iaLPSS2-GPIO2/Debug
Intel-iaLPSS2-GPIO2/Performance
Intel-iaLPSS2-I2C/Debug
Intel-iaLPSS2-I2C/Performance
IntelAudioServiceLog
Internet Explorer
Key Management Service
MF_MediaFoundationDeviceMFT
MF_MediaFoundationDeviceProxy
MF_MediaFoundationFrameServer
MedaFoundationVideoProc
MedaFoundationVideoProcD3D
MediaFoundationAsyncWrapper
MediaFoundationContentProtection
MediaFoundationDS
MediaFoundationDeviceProxy
MediaFoundationMP4
.....etc......

We can also use a classic batch DOS approach to clear all Event Logs by issuing the following command, using a for loop:

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

The New Method

Since Powershell V3 (in Windows 8/8.1, now we are at Powershell V7 on Windows 10) we can use the Get-EventLog and Clear-EventLog cmdlets to get the list of event logs and clear them.

If we start a PowerShell console with the administrator privileges and we use the following command it will display the list of all standard event logs in the system with the maximum size and the number of events for each of them.

Get-EventLog –LogName *

To clear all entries from the specific event log (for example, System log) use this command:

Clear-EventLog –LogName System

As a result, all events of this log will be deleted, and there will be only one event with the EventId 104 and the message The System log file was cleared.

Backup Events before Clearing them

We recommend to make a full backup of the Event Logs in any case before clearing them. This can easily be achieved by using the following Powershell approach (rune Powershell as Administrator):

Get-Winevent -ListLog * | % { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName,"C:\LogArchive\$($_.LogName -replace '/','.').evtx") }

You can obviously change the path in which will be saved all Event Logs by changing C:\LogArchive in the above command with the path you wish.

Clear Event Logs with Powershell (Microsoft Windows )

Category

Summary
Article Name
Clear Event Logs with Powershell (Microsoft Windows )
Description
Let's see how to quickly clear all available Event Logs on modern Windows clients and servers (this is usually useful on test systems and for troubleshooting, sometimes, but after a backup of all Event Logs).
Author
Publisher Name
Heelpbook.net

1 thought on “Clear Event Logs with Powershell (Microsoft Windows)”

Comments are closed.