Windows Event Log folder permissions change after wevtutil clear

  • Question

  • After running the following as administrator:

        wevtutil cl System /bu:c:\backup\log.evtx

    I notice that the permissions on C:\windows\system32\winevt\Logs change and the eventlog service account no longer has access, causing events to stop logging. I can reset the permissions and it will work again, but after running the command again, I run into the same issue.

    Thursday, June 18, 2015 9:22 PM
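An added PowerShell example, not code from the thread, that checks whether the Windows Event Log service identity is still present in the ACL of the Logs folder described in the question, and re-adds it if it has been removed. It assumes the service identity is NT SERVICE\EventLog with Full Control on the folder (the default on current Windows versions); the function names are my own.

```powershell
# Added example (not from the original thread).
# Assumption: the Windows Event Log service runs under the per-service identity
# "NT SERVICE\EventLog" and holds Full Control on the Logs folder by default.
$logDir   = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$identity = 'NT SERVICE\EventLog'
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-EventLogFolderAccess {
    # Returns $true when an Allow rule granting Full Control to the service
    # identity is present on the folder, $false otherwise.
    param([string]$Path = $logDir, [string]$Account = $identity)
    $acl  = Get-Acl -Path $Path
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$rule
}

function Restore-EventLogFolderAccess {
    # Re-adds the default rule: Full Control, inherited by subfolders and files.
    # Requires an elevated session because the folder lives under System32.
    param([string]$Path = $logDir, [string]$Account = $identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        $full,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-EventLogFolderAclSnapshot {
    # Flattens the current ACL so two snapshots (e.g. before and after a
    # "wevtutil cl" run) can be compared with Compare-Object.
    param([string]$Path = $logDir)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
    }
}

# Usage: snapshot, run the clear command you are testing, then compare and repair.
$before = Get-EventLogFolderAclSnapshot
# ... run the clear command under test here ...
$after  = Get-EventLogFolderAclSnapshot
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Format-Table -AutoSize

if (Test-EventLogFolderAccess) {
    Write-Output "OK: $identity has Full Control on $logDir"
} else {
    Write-Warning "$identity is missing from the ACL on $logDir; restoring"
    Restore-EventLogFolderAccess
    Restart-Service -Name EventLog -Force
}
```

The snapshot/compare step is there so the ACL difference can be captured exactly when it happens rather than eyeballed in the Security tab; Set-Acl on this folder needs an elevated prompt, and the service restart at the end is only needed if logging has already stalled.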

All replies

  • Hi,

    If you clear the event log by using Event Viewer, what is the result?

    If possible, could you please share the changed permissions? I have done the same test, and the permissions on the Logs folder did not change.

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, June 23, 2015 7:07 AM
    Moderator
  • I see no issue if I clear the event log using Event Viewer.

    When I use PowerShell, it seems to work; however, the permissions change.

    It is my understanding that the eventlog service account needs to have access to the C:\Windows\System32\winevt\Logs folder. When I use wevtutil or PowerShell to clear, I notice that the eventlog service account is removed when I look at the Security tab.

    The difference I see is that with wevtutil, the event log stops logging events, whereas when I use PowerShell to clear, it keeps working fine.

    Wednesday, June 24, 2015 8:02 PM
  • Hi,

    Sorry for the delayed reply.

    The issue is as follows.

    ----------------------------
    1. Using the cmd or PowerShell command “wevtutil cl System /bu:c:\backup\log.evtx” to clear the System log, we lose the Eventlog permission and it stops logging records.

    2. But clearing event logs by using Event Viewer works without issue.


    If anything is misunderstood, please don’t hesitate to let me know.

    If so, some questions.
    ------------------------
    1. Does only this computer encounter this issue, or do other computers also have it?
    2. Please perform a clean boot to check whether this issue still occurs.

    --------------------------------------------------------

    a.  Click Start, type msconfig.exe in the Start Search box, and then press Enter to start the System Configuration utility.

    b.  On the General tab, click the Selective startup option, and then click to clear the Load startup items check box. (The Use Original Boot.ini check box is unavailable.)

    c.  On the Services tab, click to select the Hide all Microsoft services check box, and then click Disable all.

    d.  Click OK, and then click Restart.

    Regards.

    Wednesday, July 8, 2015 7:35 AM
    Moderator
  • This occurs on all computers.

    I have found a workaround: use "wevtutil epl" to export.

    Then "PowerShell -Command "& {Clear-EventLog -LogName Application, Security, System}"" to clear it.

    That seems to work; however, I find that it will randomly not work. For example, using the above command, I will sometimes find that Application and Security have been cleared but System has not. Another issue is that I do not know how to check whether the Clear-EventLog command was successful. It does not seem to return an error code when it fails.

    The only way I can think of is to use (Get-EventLog -logname xxx).count, but it can be slow if it didn't work. "Get-EventLog -list" seems to be able to display the count instantly, but I don't know how to extract the number into a variable.


    • Edited by eng_3 Friday, August 28, 2015 2:29 PM
    Friday, August 28, 2015 12:16 PM
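An added PowerShell example, not code from the thread, for the two problems raised in the post above: reading a log's record count without enumerating its entries, and reporting per log whether Clear-EventLog actually emptied it. It reads RecordCount from Get-WinEvent -ListLog and the Entries.Count value behind the Entries column of Get-EventLog -List; the function names and the "remaining records" threshold are my own assumptions (a freshly cleared log immediately receives the "log was cleared" event, so a count of 1 is normal).

```powershell
# Added example (not from the original thread). Requires Windows PowerShell 5.1,
# which still ships the classic Get-EventLog / Clear-EventLog cmdlets.

function Get-LogRecordCount {
    # RecordCount comes from the log's configuration/header, so this is fast
    # even for a large log, unlike (Get-EventLog -LogName X).Count.
    param([Parameter(Mandatory)][string]$LogName)
    (Get-WinEvent -ListLog $LogName -ErrorAction Stop).RecordCount
}

function Get-LogEntryCount {
    # The same number that "Get-EventLog -List" shows in its Entries column,
    # captured into a variable instead of printed.
    param([Parameter(Mandatory)][string]$LogName)
    (Get-EventLog -List | Where-Object { $_.Log -eq $LogName }).Entries.Count
}

function Clear-EventLogChecked {
    # Clears each named log and returns one object per log saying whether the
    # clear succeeded, how many records remain, and any error text.
    # Assumption: after a successful clear at most $MaxRemaining records exist,
    # because the event log service writes a "log file was cleared" record
    # (event 104; 1102 for Security) into the log it just emptied.
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [int]$MaxRemaining = 1
    )
    foreach ($name in $LogName) {
        $err = $null
        try {
            # -ErrorAction Stop turns a non-terminating failure into an
            # exception we can catch instead of a silently ignored error.
            Clear-EventLog -LogName $name -ErrorAction Stop
        } catch {
            $err = $_.Exception.Message
        }
        $count = Get-LogRecordCount -LogName $name
        [pscustomobject]@{
            Log       = $name
            Cleared   = ($null -eq $err -and $count -le $MaxRemaining)
            Remaining = $count
            Error     = $err
        }
    }
}

# Usage: export first (the thread uses "wevtutil epl"), then clear and verify.
$report = Clear-EventLogChecked -LogName 'Application', 'Security', 'System'
$report | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or wrapper script notices a failure.
if ($report | Where-Object { -not $_.Cleared }) { exit 1 }
```

The Remaining column is reported alongside the Cleared flag so that a log that was cleared but immediately received a burst of new events is visible as such rather than simply counted as a failure; for the Security log in particular, the 1102 record that is left behind is itself the audit trail that the clear happened.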