Playing around revealed the inconsistencies between the XML syntax and this command line's:
1. For simple filtering, WEVTUTIL does not need double-quoting for the /q switch
wevtutil qe system /rd:true /f:text /q:*[System[(Level=2)]]
but the following would fail with range
wevtutil qe system /rd:true /f:text /q:*[System[(Level=1 or Level=2)]]
and this one works
wevtutil qe system /rd:true /f:text /q:"*[System[(Level=1 or Level=2)]]"
Note: PowerShell always needs double-quoting for the /q switch to work
2. For Boolean operations
XML showed: *[System[((EventID >=8194 and EventID <=8211))]]
but the command line needs:
wevtutil.exe qe application /rd:true /f:text /q:"*[System[((EventID > 8194 and EventID < 8211))]]"
Hong
"Hong" wrote:
> hi
>
> Any update on the functionality of the command WEVTUTIL in Vista on
>
> 1. using a filter range for eventID such as "8194,8211" "8194-8211"
> where syntax such as >=8194 and <=8211 is not valid
>
> 2. using a negative filter range such as "-8194"
>
> I am trying the above on Vista SP1 and they all failed. The file
> WEVTUTIL.EXE is 6.0.6001.18000
>
> Thanks for any help
>
>
> Hong
>
>
>
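An added example, not part of the original post: a PowerShell helper that builds the filter string and hands wevtutil the whole /q: switch as one double-quoted argument, which is the form the post reports PowerShell needing. The function and parameter names are hypothetical, and expressing an inclusive ID range with the strict > and < comparisons shown in the post is a choice made here.

```powershell
# Added example. New-EventXPath and Invoke-EventQuery are hypothetical names,
# not part of wevtutil or of the original post.

function New-EventXPath {
    param(
        [int[]]$Level,   # event levels to match, e.g. 1 (Critical), 2 (Error)
        [int]$FirstId,   # inclusive lower bound for EventID
        [int]$LastId     # inclusive upper bound for EventID
    )
    $terms = @()
    if ($PSBoundParameters.ContainsKey('Level')) {
        # (Level=1 or Level=2): contains spaces, so it must stay one argument
        $terms += '(' + (($Level | ForEach-Object { "Level=$_" }) -join ' or ') + ')'
    }
    if ($PSBoundParameters.ContainsKey('FirstId') -and
        $PSBoundParameters.ContainsKey('LastId')) {
        if ($LastId -lt $FirstId) { throw 'LastId must not be below FirstId' }
        # Inclusive range written with strict comparisons only (assumption):
        # FirstId..LastId becomes EventID > FirstId-1 and EventID < LastId+1
        $terms += "(EventID > $($FirstId - 1) and EventID < $($LastId + 1))"
    }
    if ($terms.Count -eq 0) { return '*' }   # no filter: match every event
    '*[System[' + ($terms -join ' and ') + ']]'
}

function Invoke-EventQuery {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,
        [Parameter(Mandatory = $true)][string]$XPath,
        [int]$Count = 20
    )
    # The double quotes keep PowerShell from parsing the brackets and
    # parentheses itself and keep the spaces inside a single argument.
    & wevtutil.exe qe $LogName "/q:$XPath" /rd:true /f:text "/c:$Count"
}

# Critical and Error events from the System log, newest first
Invoke-EventQuery -LogName System -XPath (New-EventXPath -Level 1, 2)

# Application events with IDs 8194 through 8211 inclusive
Invoke-EventQuery -LogName Application `
    -XPath (New-EventXPath -FirstId 8194 -LastId 8211) -Count 50
```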