Using the dump event log utility

Have you ever needed to look for a certain event in the Event Viewer logs? If you did, you probably went through the normal method: opening the Event Log viewer and filtering on the event ID you were looking for. What if you had to do this on 100 servers? What would you do? The solution would be to use the dump event log (dumpel.exe) utility, which is included in the Windows 2000 Resource Kit.

This handy utility allows a systems administrator to dump the entire event log or only portions of it. Recently I needed to find all instances of the Windows File Protection service in the system log within the Event Viewer. The Windows File Protection (WFP) service is activated when an application or user tries to replace a file that is protected by the WFP service. I wanted to know when the WFP service was activated and which files the application or user had attempted to replace. To do this, I issued the following command line inside of a batch file against all of the servers I wanted to report on:

    Dumpel.exe -l system -m "Windows File Protection" -s serverName -t >> WFPdump.txt

This dumped all of the events from the system log on serverName that were generated by the source "Windows File Protection". By using the -t option, I was able to export the data in tab-delimited format for easy import into Excel. I was then able to sort the data and manipulate what I was looking for.

One thing to note is that if you use the -f option, you can't perform the dumpel.exe command on multiple servers because the file will get overwritten each time. To get around this, I redirected the standard output to a file by using the command line redirection syntax '>>', which appends each command's output to the existing file.
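A batch file of the kind described above, added here as an example rather than the article's own script. It assumes dumpel.exe from the Resource Kit is on the PATH and that a constructed servers.txt lists one server name per line; the output and error file names are assumptions as well.

```batch
@echo off
REM Added example, not the article's own script. Assumes dumpel.exe
REM (Windows 2000 Resource Kit) is on the PATH and that servers.txt
REM (constructed for this example) lists one server name per line.
setlocal
set OUTFILE=WFPdump.txt
set LIST=servers.txt

REM Start from an empty file so rows from a previous run are not appended to.
if exist "%OUTFILE%" del "%OUTFILE%"
if exist dumpel-errors.txt del dumpel-errors.txt

for /f "usebackq delims=" %%S in ("%LIST%") do (
    echo Dumping "Windows File Protection" events from %%S
    REM -l system: the system log, -m: the event source, -s: the remote
    REM server, -t: tab-delimited output. Output is appended with >> instead
    REM of being written with -f, which would overwrite the file for every
    REM server in the list.
    dumpel.exe -l system -m "Windows File Protection" -s %%S -t >> "%OUTFILE%"
    REM Record the server name if dumpel exited with a non-zero code.
    if errorlevel 1 echo %%S >> dumpel-errors.txt
)
echo Done. Open %OUTFILE% in Excel as a tab-delimited file.
endlocal
```

Because every server's rows land in one file, the server name passed with -s is the only thing that identifies which machine a row came from, so keep servers.txt alongside the dump when reviewing it.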