How can I view information in the Event Log from the command line?

A. A utility called DUMPEL.EXE is supplied with the Windows NT Resource Kit which outputs a comma or tab separated file. It allows the events from all 3 logs to be dumped on the local or a remote computer. For full information see the NT Resource Kit Tools help; the basic syntax is shown below.

dumpel -f <filename for output> [-s \\<servername>] [-l <which log, e.g. system, application, security>] -c
e.g., dumpel -f applog.txt -l application -c

This would dump out the application log as a comma separated file (alternatively use -t instead of -c for a tab separated file).

Another useful switch is -e <event>, which lets you output only a given event; -m does the same for a given event source, e.g.

dumpel -f winlogon.txt -l application -c -m "winlogon"

This would display all information relating to winlogon (you don't need the quotes if the event is one word).
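Once the log is in a flat file you normally want to pull something out of it rather than read it by eye. The following Python script, added here and not part of the original FAQ or of the Resource Kit, parses a dumpel -t style export and counts failed logons (NT 4.0 security event 529) per originating workstation; the column layout (date, time, type, category, event ID, source, user, computer, description) is assumed and the sample lines are constructed.

```python
"""Summarise a dumpel-style tab-separated Event Log export (added example)."""
import csv
import io
from collections import Counter

# Constructed sample resembling 'dumpel -f sec.txt -l security -t' output.
SAMPLE = """\
3/23/2000\t8:01:12 AM\t8\t2\t528\tSecurity\tALICE\tWS1\tSuccessful Logon: User Name: ALICE Logon Type: 2
3/23/2000\t8:02:40 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS1\tLogon Failure: Reason: Unknown user name or bad password User Name: admin Workstation Name: WS7
3/23/2000\t8:02:43 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS1\tLogon Failure: Reason: Unknown user name or bad password User Name: admin Workstation Name: WS7
3/23/2000\t8:02:47 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tWS1\tLogon Failure: Reason: Unknown user name or bad password User Name: root Workstation Name: WS7
3/23/2000\t8:05:00 AM\t4\t0\t6005\tEventLog\tN/A\tWS1\tThe Event log service was started.
"""

# Assumed dumpel column order; the description is always the trailing field.
COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer", "description"]
FAILED_LOGON = "529"   # NT 4.0 security event: logon failure (bad user name or password)

def parse_dumpel(text, delimiter="\t"):
    """Return one dict per event from dumpel -t (tab) or -c (comma) output."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    events = []
    for row in reader:
        if len(row) < len(COLUMNS):
            continue  # skip blank or truncated lines
        # Rejoin the description if it happened to contain the delimiter itself.
        fixed = row[:len(COLUMNS) - 1] + [delimiter.join(row[len(COLUMNS) - 1:])]
        events.append(dict(zip(COLUMNS, fixed)))
    return events

def failed_logons_by_workstation(events):
    """Count event 529 records per workstation named in the description text."""
    counts = Counter()
    marker = "Workstation Name:"
    for ev in events:
        if ev["event_id"] != FAILED_LOGON:
            continue
        desc = ev["description"]
        ws = desc.split(marker, 1)[1].strip() if marker in desc else "<unknown>"
        counts[ws] += 1
    return counts

if __name__ == "__main__":
    for ws, n in failed_logons_by_workstation(parse_dumpel(SAMPLE)).most_common():
        print(f"{n:4d} failed logon(s) from {ws}")
```

The same parser works on a -c export by passing delimiter="," to parse_dumpel.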

Another application is NTLast which can be downloaded from This utility does two major things that event viewer does not. It can distinguish remote/interactive logons and it matches logon times with logoff times. Example uses:

ntlast - gets a default list of last 10 successful logons against local machine
ntlast /f - gets last 10 failed logon attempts
ntlast /f /i - gets last 10 failed interactive logon attempts
ntlast /f /r - gets last 10 failed remote logon attempts
ntlast /i - gets last 10 successful interactive logons
ntlast /r - gets last 10 successful remote logons
ntlast /n 6 - gets last 6 logons

And most useful
ntlast /m machinename /f /r - gets last 10 failed remote attempts against machinename
