PsLogList is a command-line utility from Microsoft's Sysinternals suite that dumps and queries Windows Event Logs. By default it reads the logs of the local machine, but it can also query logs on remote computers over the network without PowerShell remoting or WinRM.

Core Syntax for Remote Queries

To target a remote computer, give its NetBIOS name, FQDN, or IP address as a UNC-style name (two leading backslashes) immediately after the executable, then any options, then the event log you want to read (Application, Security, System, or another log name). If you omit the log name, PsLogList dumps the System log.

psloglist.exe \\RemoteComputerName [options] [eventlog]

Example Commands
View a remote log: dump the entire System log from a remote server named SRV-01.

psloglist \\SRV-01 system

Specify alternate credentials: authenticate with a different domain account when your current session lacks admin rights on the remote machine.

psloglist \\SRV-01 -u domain\adminuser -p password system

If you omit -p, PsLogList prompts for the password instead. Prefer the prompt: a password typed on the command line is visible to anyone who can list processes on your machine and is kept in the shell history and in any command-line auditing that is enabled.

Powerful Filtering and Formatting Options
Dumping an entire remote log is slow and moves a large amount of data across the network. Use these native switches so the filtering happens before the records leave the remote machine:

Filter by time range (-h or -d): return only entries from the last N hours (-h 24 for the last 24 hours) or the last N days (-d 3 for the last three days).

psloglist \\SRV-01 -h 24 application

Limit total records (-n): retrieve only the N most recent records (good for quick triage).

psloglist \\SRV-01 -n 10 security

Filter by Event ID (-i): isolate one or more Event IDs (comma-separated). For example, 4624 in the Security log is a successful logon; RDP sessions appear among those records with logon type 10.

psloglist \\SRV-01 -i 4624 security

String-friendly parsing (-s and -t): print one line per record with fields separated by a delimiter (a comma by default; -t sets a different one), which makes the output easy to pipe to findstr or save as a CSV file. Event descriptions often contain commas themselves, so if you intend to parse the file rather than just search it, choose a delimiter that will not occur in the text.

psloglist \\SRV-01 -s -t "," system > remote_logs.csv

Network and Firewall Prerequisites
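The switches above combine naturally into a triage script. The following PowerShell wrapper is an added example, not code from the original article or from Sysinternals: it queries several hosts for a time-bounded, ID-filtered slice of the Security log, writes one delimited file per host, and reports which hosts could not be reached. The server names are hypothetical, psloglist.exe is assumed to be on the PATH, and the script assumes PsLogList signals failure through a non-zero exit code as the other PsTools do.

```powershell
# Added example: batch PsLogList remote queries with server-side filtering.
# Assumptions: psloglist.exe on PATH; SRV-01/SRV-02 are hypothetical names; the
# current session already has admin rights on each target (add -u to $argList and
# let PsLogList prompt for the password rather than passing -p on the command line).

$PsLogList = 'psloglist.exe'
$Servers   = @('SRV-01', 'SRV-02')           # hypothetical targets
$OutDir    = Join-Path $env:TEMP 'psloglist-triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-RemotePsLogList {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string]  $LogName   = 'security',
        [int]     $Hours     = 24,           # -h: only the last N hours
        [int[]]   $EventId   = @(),          # -i: comma-separated list of IDs
        [string]  $Delimiter = '|',          # -t: not ',' because descriptions contain commas
        [Parameter(Mandatory)] [string] $OutFile
    )
    # -accepteula suppresses the first-run license dialog, which would otherwise
    # block an unattended run. PowerShell does not treat '\' as an escape, so
    # "\\$ComputerName" yields \\SRV-01 as PsLogList expects.
    $argList = @('-accepteula', "\\$ComputerName", '-s', '-t', $Delimiter, '-h', $Hours)
    if ($EventId.Count -gt 0) { $argList += @('-i', ($EventId -join ',')) }
    $argList += $LogName

    & $PsLogList @argList 2>&1 | Out-File -FilePath $OutFile -Encoding utf8

    # Assumption: a non-zero exit code means the remote log could not be opened
    # (firewall, Remote Registry stopped, missing admin rights, bad host name).
    [pscustomobject]@{
        Computer = $ComputerName
        ExitCode = $LASTEXITCODE
        File     = $OutFile
    }
}

$results = foreach ($s in $Servers) {
    $file = Join-Path $OutDir "$s-security.txt"
    Get-RemotePsLogList -ComputerName $s -Hours 24 -EventId 4624, 4625 -OutFile $file
}

$results | Format-Table -AutoSize
$results | Where-Object ExitCode -ne 0 | ForEach-Object {
    Write-Warning "$($_.Computer): psloglist exited $($_.ExitCode); check the firewall group, Remote Registry and admin rights on the target"
}
```

Because -h and -i are applied by PsLogList before records are returned, a 24-hour, two-ID query against a busy domain controller transfers a few hundred lines instead of the whole Security log. The output files still carry the Sysinternals banner at the top, so skip those lines before importing the records elsewhere.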
If PsLogList fails with a connection error such as "The network path was not found", the remote machine is most likely blocking the administrative protocols it needs. Check the following on the target computer:

Enable Remote Event Log Management: the Windows Firewall blocks these inbound requests by default. Run this PowerShell command on the remote machine, from an elevated prompt, to enable the built-in rule group that covers the Event Log RPC endpoints:

Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' | Enable-NetFirewallRule

Start the Remote Registry Service: PsLogList depends on the Remote Registry service on the target to read event data. Set its startup type to Automatic and make sure it is running.

Verify Admin Rights: the account you run as (or the alternate account passed with -u) must be a member of the local Administrators group on the remote machine.
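The three prerequisites above can be applied and then verified end to end. The script below is an added example, not code from the original article or from Sysinternals. Enable-PsLogListTarget is run once on the remote computer in an elevated Windows PowerShell session; Test-PsLogListTarget is run from the querying workstation and confirms name resolution, the two fixed ports opened by the firewall group (TCP 445 for the named pipe and TCP 135 for the RPC endpoint mapper), Remote Registry reachability, and finally whether the Security log can actually be read. SRV-01 is a hypothetical host name; Get-Service -ComputerName is a Windows PowerShell 5.1 parameter that PowerShell 7 no longer has.

```powershell
# Added example: configure a target for PsLogList and verify it from the client.
# Assumptions: hypothetical host SRV-01; Windows PowerShell 5.1 on both sides;
# psloglist.exe on the PATH of the querying machine.

# --- Run on the target, elevated ---
function Enable-PsLogListTarget {
    # 1. Inbound firewall rules for the Event Log RPC interface (named pipe on TCP 445,
    #    endpoint mapper on TCP 135, plus the dynamic RPC rule).
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' | Enable-NetFirewallRule

    # 2. Remote Registry: Automatic start and running now. Servers ship with it Manual
    #    and stopped; client SKUs ship with it Disabled.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # Return the resulting state so the change can be recorded.
    [pscustomobject]@{
        FirewallRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
                                 Where-Object Enabled -eq 'True').Count
        RemoteRegistry       = (Get-Service -Name RemoteRegistry).Status
        RemoteRegistryStart  = (Get-Service -Name RemoteRegistry).StartType
    }
}

# --- Run on the querying machine ---
function Test-PsLogListTarget {
    param([Parameter(Mandatory)] [string] $ComputerName)

    # Name resolution and the two fixed ports. If these fail, PsLogList reports
    # "The network path was not found" before any authentication takes place.
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    $rpc = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue

    # Remote Registry state as seen from here. Querying the remote Service Control
    # Manager uses the same SMB/RPC path PsLogList does, so success also proves that
    # the pipe is open and the current credentials are accepted.
    $rr = try { (Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop).Status }
          catch { "unreachable: $($_.Exception.Message)" }

    # Admin-rights probe: one record from the Security log is the strictest cheap test.
    $probe = & psloglist.exe -accepteula "\\$ComputerName" -n 1 security 2>&1
    $ok = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Computer        = $ComputerName
        Resolved        = $smb.RemoteAddress
        Port445         = $smb.TcpTestSucceeded
        Port135         = $rpc.TcpTestSucceeded
        RemoteRegistry  = $rr
        SecurityLogRead = $ok
        LastOutputLine  = ($probe | Select-Object -Last 1)
    }
}

# Test-PsLogListTarget -ComputerName SRV-01
```

Read the result top to bottom: a false Port445 or Port135 points at the firewall group or a network ACL; an "unreachable" RemoteRegistry with open ports points at the service or at credentials; open ports and a running service with SecurityLogRead false leaves only admin rights on the target.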