Windows Event Log folder permissions change after wevtutil clear

After running the following as administrator:

    wevtutil cl System /bu:c:\backup\log.evtx

I notice that the permissions on C:\windows\system32\winevt\Logs change and the eventlog service account no longer has access, causing events to stop logging. I can reset the permissions and it will work again, but after running the command again, I run into the same issue.

June 18th, 2015 9:22pm

Hi,

If we clear an event log by using Event Viewer, what is the result?

If possible, could you please share the changed permissions. I have done the same test, and the permissions for the Logs file did not change.

Regards.

June 23rd, 2015 7:07am

I see no issue if I clear the event log using Event Viewer.

When I use PowerShell, it seems to work; however, the permissions change.

It is my understanding that the eventlog service account needs to have access to the C:\Windows\System32\winevt\Logs folder. When I use wevtutil or PowerShell to clear, I notice that the eventlog service account is removed when I look at the Security tab.

The difference I see is that with wevtutil, the event log stops logging events, whereas when I use PowerShell to clear, it keeps working fine.

June 24th, 2015 8:02pm
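The two posts above describe the same check done by hand: look at the ACL on the Logs folder, run the clear, look again, and see whether the event log service identity has disappeared and whether logging still works. The script below automates that comparison so the result can be shared in a reply. It is an added example, not code from the thread or from Microsoft. It assumes it runs in an elevated PowerShell session, that the ACE expected on the folder is for "NT SERVICE\EventLog" with the rights a stock install carries (verify against a healthy machine with icacls before relying on it), and that the backup path is the one used in the thread.

```powershell
# Added example (not from the thread): capture the ACL on winevt\Logs, run the
# clear the poster reports as triggering the change, diff the ACLs, and verify
# that the System log still accepts events afterwards.
# Assumptions: elevated session; expected service identity 'NT SERVICE\EventLog';
# FullControl matches the stock ACE (check a healthy machine with icacls first).
$LogsDir    = 'C:\Windows\System32\winevt\Logs'
$BackupPath = 'C:\backup\log.evtx'        # path used in the thread
$Expected   = 'NT SERVICE\EventLog'        # assumed default ACE identity

# One line per ACE so the before/after lists can be compared as plain strings.
function Get-AceSummary {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.FileSystemRights,
                            $_.InheritanceFlags, $_.AccessControlType
    } | Sort-Object
}

$before = Get-AceSummary -Path $LogsDir
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
wevtutil cl System "/bu:$BackupPath"
$after  = Get-AceSummary -Path $LogsDir

# Show exactly which ACEs were removed or added by the clear.
$diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
if ($diff) {
    Write-Warning "ACL on $LogsDir changed after 'wevtutil cl':"
    $diff | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED  ' }
        "$tag $($_.InputObject)"
    }
} else {
    Write-Output "ACL on $LogsDir unchanged."
}

# If the service identity is gone, put the ACE back (inheriting to subfolders
# and files) so the EventLog service can open and write the .evtx files again.
$stillPresent = $after | Where-Object { $_ -like "$Expected|*" }
if (-not $stillPresent) {
    Write-Warning "$Expected is missing from the ACL; restoring it."
    $acl  = Get-Acl -Path $LogsDir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Expected, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LogsDir -AclObject $acl
}

# Functional check: write a marker event and read it back. eventcreate is a
# built-in tool; the source name here is a constructed placeholder.
$marker = "winevt-acl-check $(Get-Date -Format o)"
eventcreate /ID 1000 /L SYSTEM /T INFORMATION /SO AclCheck /D "$marker" | Out-Null
Start-Sleep -Seconds 2
$seen = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'AclCheck' } `
            -MaxEvents 5 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$marker*" }
if ($seen) { Write-Output 'System log is accepting events.' }
else       { Write-Warning 'Marker event not found: System log is not logging.' }
```

Run it once on a machine that shows the problem and once on one that does not; the REMOVED/ADDED lines are the "changed permissions" the second reply asked for, and the final marker check distinguishes a cosmetic ACL difference from the logging outage the original poster describes.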

Hi,

Sorry for the delayed reply.

The issue is as below.

----------------------------
1. Use the cmd or PowerShell command wevtutil cl System /bu:c:\backup\log.evtx to clean up the System log; then we lose the Eventlog permission and it stops logging records.

2. But we can clear event logs by using Event Viewer without issue.

If anything is misunderstood, please don't hesitate to let me know.

If so, some questions.
------------------------
1. Does only this computer encounter this issue, or do other computers also have this issue?
2. Please perform a clean boot to check if this issue will occur.

--------------------------------------------------------

a. Click Start, type msconfig.exe in the Start Search box, and then press Enter to start the System Configuration utility.

b. On the General tab, click the Selective startup option, and then click to clear the Load startup items check box. (The Use Original Boot.ini check box is unavailable.)

c. On the Services tab, click to select the Hide all Microsoft services check box, and then click Disable all.

d. Click OK, and then click Restart.

Regards.

July 8th, 2015 3:37am
