How to clear all Windows event log categories fast

Open cmd prompt or create batch script and "run as admin":

for /f "delims=" %x in ('wevtutil el') do wevtutil cl "%x"

PowerShell code for clearing all event logs:

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

or pick and choose in a script:

wevtutil.exe cl Analytic
wevtutil.exe cl Application
wevtutil.exe cl DirectShowFilterGraph
wevtutil.exe cl DirectShowPluginControl
wevtutil.exe cl EndpointMapper
wevtutil.exe cl ForwardedEvents
wevtutil.exe cl HardwareEvents
wevtutil.exe cl "Internet Explorer"
wevtutil.exe cl "Key Management Service"
wevtutil.exe cl MF_MediaFoundationDeviceProxy
wevtutil.exe cl "Media Center"
wevtutil.exe cl MediaFoundationDeviceProxy
wevtutil.exe cl MediaFoundationPerformance
wevtutil.exe cl MediaFoundationPipeline
wevtutil.exe cl MediaFoundationPlatform
wevtutil.exe cl Microsoft-IE/Diagnostic
wevtutil.exe cl Microsoft-IEFRAME/Diagnostic
wevtutil.exe cl Microsoft-PerfTrack-IEFRAME/Diagnostic
wevtutil.exe cl Microsoft-PerfTrack-MSHTML/Diagnostic

etc...

You can get a complete list of all event category names by typing the following in a cmd prompt or PowerShell:

wevtutil el

More information can be found at MS TechNet. Examples:

Export events from System log to C:\backup\system0506.evtx:

wevtutil epl System C:\backup\system0506.evtx

Clear all of the events from the Application log after saving them to C:\admin\backups\a10306.evtx:

wevtutil cl Application /bu:C:\admin\backups\a10306.evtx

Try WEvtUtil.exe

There's no way via the GUI to clear all logs at once. At least not that I've ever found. :)

Loop and delete with intermediate file

Here's a batch file that uses WEVTUTIL.exe to list the logs into a text file, and then use that text file to delete each of the logs.

WEVTUTIL EL > .\LOGLIST.TXT
for /f "delims=" %%a in ( .\LOGLIST.TXT ) do WEVTUTIL CL "%%a"
del .\LOGLIST.TXT
timeout 30

If you feel unsafe having this all in one batch file, then you can save this to two separate files and then run one after the other:
(The "Nuke" batch will just error out if it doesn't find a "loglist.txt" in its current directory.)

Populate-LogList.cmd

@ECHO OFF
REM Source: https://superuser.com/a/655185/389368
WEvtUtil.exe enum-logs > .\LOGLIST.TXT

Nuke-LogList.cmd

@ECHO OFF
REM Source: https://superuser.com/a/655185/389368
for /f "delims=" %%a in ( .\LOGLIST.TXT ) do WEvtUtil.exe clear-log "%%a"
del .\LOGLIST.TXT
timeout 30

Loop and delete directly

As Logman pointed out in his answer, this can be further shortened down (and eliminate the need for the intermediate text file) by using something like (%'s double for batch file):

for /f "delims=" %%a in ('WEVTUTIL EL') do WEVTUTIL CL "%%a"
timeout 30

Run as Admin!

Whichever way you choose, ensure you "Run As Administrator".

Easiest solution I've found. Been using it since Vista. :)


  • wevtutil is quite slow, especially when you clear all logs (including empty ones)

  • fastest solution I came up with:


ForEach ( $l in ( Get-WinEvent * ).LogName | sort | get-unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$l")}


Result: "Cleared 16 events in 4 logs: 0.3684785 seconds"

Each part:

  • only gets logs containing events (there will be duplicate LogNames)

    ForEach ( $l in ( Get-WinEvent * ).LogName | sort | get-unique )

  • clear each one

    [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog( "$l" )

Full function:

function Clear-EventLogs
{
    Begin
    {
        $t1          = ( Measure-Command -Expression{ $active = ( Get-WinEvent ).LogName } ).TotalSeconds
        $totalEvents = $active.Count
        $active      = $active | Sort | Get-Unique
        $totalLogs   = $active.Count
    }
    Process
    {
        $t2 = ( Measure-Command -Expression{
            ForEach ( $l in $active )
            {
                [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog( "$l" )
                # ForEach-Object { Wevtutil.exe cl "$l" }
            }
        } ).TotalSeconds
    }
    End     { $t3 = $t1 + $t2; Write-Output "Cleared $totalEvents events in $totalLogs logs: $t3 seconds" }
}

If you see "Get-WinEvent : The data is invalid", you've hit the undocumented hard-limit of 256 logs. It may be necessary to filter the logs first. The following will select only the logs that have events (credit to http://www.powershellish.com/blog/2015/01/19/get-winevent-max-logs/ for the diagnosis):

$logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName
ForEach ( $l in ( Get-WinEvent $logs ).LogName | sort | get-unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$l")}
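
An added example, not part of any of the answers above: it combines the RecordCount filter with the backup-on-clear idea from the wevtutil /bu: example, so every non-empty log is archived to an .evtx file before it is cleared, and then lists the records that Windows writes when a log is cleared. The function name Backup-AndClearEventLogs and the C:\admin\backups root are assumptions chosen for illustration.

```powershell
# Added example, not from the original answers. Run from an elevated PowerShell prompt.
function Backup-AndClearEventLogs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed archive location; point it at storage you retain and protect.
        [string]$ArchiveRoot = 'C:\admin\backups'
    )
    $dest = Join-Path $ArchiveRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession

    # -ListLog reads log metadata only, so the 256-log query limit is not hit.
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount }

    foreach ($log in $logs) {
        # Names like "Microsoft-Windows-X/Operational" contain characters invalid in file names.
        $file = Join-Path $dest (($log.LogName -replace '[\\/:*?"<>|]', '_') + '.evtx')
        if (-not $PSCmdlet.ShouldProcess($log.LogName, "archive to $file, then clear")) { continue }
        $result = [pscustomobject]@{
            LogName = $log.LogName; Records = $log.RecordCount; Archive = $file; Cleared = $false
        }
        try {
            # Two-argument overload: save the events to $file, then clear (like wevtutil cl /bu:).
            $session.ClearLog($log.LogName, $file)
            $result.Cleared = Test-Path -LiteralPath $file
        }
        catch {
            Write-Warning "Could not archive and clear '$($log.LogName)': $($_.Exception.Message)"
        }
        $result
    }
}

# Preview first; drop -WhatIf to run, and keep the returned report with the archives.
Backup-AndClearEventLogs -WhatIf

# Clearing is itself recorded: Event ID 104 in System (a log was cleared)
# and Event ID 1102 in Security (the Security audit log was cleared).
Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 20 -ErrorAction SilentlyContinue
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5  -ErrorAction SilentlyContinue
```

The 104 and 1102 records name the account that performed the clear, so they are worth forwarding to central log collection before any routine cleanup like this is scheduled.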