JSI Tip 7295. The Windows XP and Windows Server 2003 EventCreate utility

When you use the Windows XP CMD help., or Windows Server 2003 CMD help, and press Eventcreate on the New command-line tools page, you see:


Enables an administrator to create a custom event in a specified event log.


eventcreate \[/s Computer \[/u Domain\User \[/p Password\]\]\{\[/l \{Log Name\}\] | \[/so SrcName\]\}/t \{ERROR | WARNING | INFORMATION\}/id EventID/d Description


/s Computer
Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u Domain\User
Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
/p Password
Specifies the password of the user account that is specified in the /u parameter.
/l \{Log Name\}
Specifies the name of the event log where the event will be created. The valid log names are APPLICATION and SYSTEM.
/so SrcName
Specifies the source to use for the event. A valid source can be any string and should represent the application or component that is generating the event.
Specifies the type of event to create. The valid types are ERROR, WARNING, and INFORMATION.
/id EventID
Specifies the event ID for the event. A valid ID is any number from 1 to 1000.
/d Description
Specifies the description to use for the newly created event.
Displays help at the command prompt.


  • Custom events cannot be written to the security log.
  • By default, eventcreate registers itself as the default event source for the Application log. Eventcreate can only be registered for one log at a time. If the default source is set to the Application log, any event created in the System log must have some /so source value listed explicitly.


The following examples show how you can use the eventcreate command:

eventcreate /t error /id 100 /l application /d "Create event in application log"
eventcreate /t information /id 1000 /so winmgmt /d "Create event in WinMgmt source"
eventcreate /t error /id 1000 /so winword /l application /d "new src Winword in application log"
eventcreate /s server /t error /id 100 /l application /d "Remote computer without user credentials"
eventcreate /s server /u user /p password /id 100 /t error /l application /d "Remote computer with user credentials"
eventcreate /s server1 /s server2 /u user /p password /id 100 /t error /so winmgmt /d "Creating events on Multiple remote computers"
eventcreate /s server /u domain\user /p password /t warning /l SYSTEM /so winmgmt /id 100 /d "Creating events on Multiple remote machines"

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.