[Recoverable fragments of a mis-decoded Windows MUI resource file (zh-CN localized help strings for wevtutil.exe). The PE header, .rsrc section data and the localized message text that could not be decoded have been removed; only the command syntax, option names, examples and XML fragments that survived intact are kept below.]

Manifest element paths referenced by the messages: assembly/instrumentation/events:events or events:instrumentationManifest/events:instrumentation/events:events, with xmlns:events="http://schemas.microsoft.com/win/2004/08/events"

Per-command help: wevtutil COMMAND /?

Usage: wevtutil { gl | get-log } <LOG_NAME> [/OPTION:VALUE [/OPTION:VALUE] ...]
Options referenced: /f | /format
Example: wevtutil gl System /f:xml

Usage: wevtutil { sl | set-log } <LOG_NAME> [/OPTION:VALUE [/OPTION:VALUE] ...]
Options referenced: /e | /enable; /{k | keywords}:VALUE (64-bit keyword mask); /{ca | channelaccess}:VALUE (security descriptor in SDDL; see MSDN, http://msdn.microsoft.com); /c (configuration file; <LOG_NAME> is omitted because the channel name comes from the file)
Example configuration file (XML, same format as wevtutil gl <LOG_NAME> /f:xml output):
<channel name="Application" isolation="Application" xmlns="http://schemas.microsoft.com/win/2004/08/events"> <logging> <retention>true</retention> <autoBackup>true</autoBackup> <maxSize>9000000</maxSize> </logging> <publishing> </publishing> </channel>
Example: wevtutil sl /c:config.xml

Usage: wevtutil { ep | enum-publishers }
Example: wevtutil ep

Usage: wevtutil { gp | get-publisher } <PUBLISHER_NAME> [/OPTION:VALUE [/OPTION:VALUE] ...]
Options referenced: /f | /format with /{f | format}:[XML|Text]
Example: wevtutil gp Microsoft-Windows-Eventlog /ge:true

Usage: wevtutil { qe | query-events } <PATH> [/OPTION:VALUE [/OPTION:VALUE] ...]
Options referenced: /lf (treat <PATH> as a log file path); /{sq | structuredquery}:[true|false]; /{q | query}:VALUE (XPath filter; not used when /sq is true); /{bm | bookmark}:VALUE; /{sbm | savebookmark}:VALUE (file extension .xml); /{rd | reversedirection}:[true|false]; /{f | format}:[XML|Text|RenderedXml]; /c (maximum number of events); /{e | element}:VALUE (root element wrapping the XML output)
Example: wevtutil qe Application /c:3 /rd:true /f:text

Usage: wevtutil { gli | get-loginfo } <LOG_NAME>
Options referenced: /lf | /logfile
Example: wevtutil gli Application

Usage: wevtutil { cl | clear-log } <LOG_NAME> [/OPTION:VALUE]
Options referenced: /bu | /backup

Usage (export command; leading text not recoverable): ... <TARGETFILE> [/OPTION:VALUE [/OPTION:VALUE] ...]
Options referenced: /lf; /l | /locale; /{sq | structuredquery}:[true|false]; /{q | query}:VALUE (XPath filter; not used when /sq is true); /{ow | overwrite}:[true|false]
Example: wevtutil epl System C:\backup\system0506.evtx

Usage (archive command; leading text not recoverable): ... [/OPTION:VALUE [/OPTION:VALUE] ...] <LOG_FILE> (a log file produced by export-log or clear-log)
Options referenced: /l | /locale

Usage (manifest install command; leading text not recoverable): ... [/OPTION:VALUE [/OPTION:VALUE] ...] <MANIFEST> (see the Windows Eventing SDK on MSDN, http://msdn.microsoft.com)
Options referenced: /rf | /resourceFilePath

Usage (manifest uninstall command; leading text not recoverable): ... <MANIFEST>
Example: wevtutil um myManifest.man