shadow-man/windows/sysinternals/psloglist.md at master

date: “2016-12-13” draft: false title: “psloglist” tag: [“cli”, “commands”] category: “sysinternals”

Man

``` none
psloglist [- ] [\\computer[,computer[,...] | @file
					[-u user [-p passwd]]] [-s [-t delim]]
					[-m #|-n #|-h #|-d #|-w]
					[-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy]
					[-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]]
					[-o event source[,event source][,..]]]
					[-q event source[,event source][,..]]]
					[-l event_log_file] <eventlog>

Options \computer The computer on which the log resides. Default=local system -p passwd Specify a password for user (optional). Passed as clear text. If omitted, you will be prompted to enter a hidden password. -u user Specify a user name for login to remote computer(optional). @file Execute the command on each of the computers listed in the file. -a Dump records timestamped after specified date. -b Dump records timestamped before specified date. -c Clear the event log after displaying. -d # Only display records from previous # days. -e ID Exclude events with the specified ID or IDs (up to 10). -f filter Filter event types with filter string (e.g. “-f w” to filter warnings). -h # Only display records from previous # hours. -i ID Show only events with the specified ID or IDs (up to 10). -l event_log_file Dump records from the specified event log file. -m # Only display records from previous # minutes. -n # Only display # number of most recent entries. -o event source Show only records from the specified event source (e.g. "-o cdrom"). -q event source Omit records from the specified event source or sources (e.g. "-q cdrom"). -r Dump log from least recent to most recent. -s Print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches, e.g. psloglist | findstr /i text -t delim The default delimeter is a comma, but can be overriden with the specified character. -w Wait for new events, dumping them as they generate (local system only). -x Dump extended data. eventlog application, system or security, only the first few letters need be used. default=system log. -accepteula Suppress the display of the license dialog. Examples List everyting in the application event log on computer from the last 24 hours psloglist \computer -h 24 application