How to extract Event logs


🧰Tools Needed

  • Windows built-in Event Viewer

  • Optional: PowerShell (for automated extraction)

  • Administrator privileges


🪟Step 1: Open Event Viewer

  1. Press Win + R, type eventvwr, and press Enter.

  2. Event Viewer will open.


🧭Step 2: Navigate to the Logs

1. Application Log

  • In the left pane, expand Windows Logs.

  • Click on Application.

  • This log contains errors from applications and services (e.g., .NET errors, application crashes).


2. Task Scheduler Operational Log

  • In the left pane, expand Applications and Services Logs > Microsoft > Windows > TaskScheduler.

  • Click on Operational.

  • If it's not enabled, right-click > Enable Log.


🔍Step 3: Filter or Find Relevant Events

Filter Events

  1. Right-click the log → Filter Current Log…

  2. Under Logged, choose:

    1. Last 7 days, or use Custom Range.

    2. Click OK.


💾Step 4: Save the Logs

📝Manual Export:

  1. In Event Viewer, right-click the log (Application or Operational).

  2. Save the filtered log:

    1. Right-click > Save Filtered Log File As…

  3. Choose format:

    1. .evtx (best for reopening in Event Viewer)

    2. .xml or .txt for analysis/sharing


⚙️Optional: Use PowerShell to Extract Logs

    # Note: the C:\Logs folder must already exist before running these commands.

    # Export Application logs from the last 7 days
    # (-MaxEvents 1000 takes the 1000 newest events first; the date filter is applied to those)
    Get-WinEvent -LogName Application -MaxEvents 1000 |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-7) } |
        Export-Clixml -Path "C:\Logs\ApplicationLog.xml"

    # Export Task Scheduler logs (Operational), newest 1000 events
    Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational -MaxEvents 1000 |
        Export-Clixml -Path "C:\Logs\TaskSchedulerLog.xml"

Replace Export-Clixml with Out-File if you want plain text output.

🤖Option 2: Use PowerShell for Automated Export (Last 7 Days)

Export Application Logs from the Last Week:

    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application';
        StartTime = $StartTime;
        EndTime = $EndTime
    } | Export-Clixml -Path "C:\Logs\ApplicationLog_Last7Days.xml"

Export Task Scheduler Logs (Operational) from the Last Week:

    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational';
        StartTime = $StartTime;
        EndTime = $EndTime
    } | Export-Clixml -Path "C:\Logs\TaskSchedulerLog_Last7Days.xml"

You can change the export format:

  1. Export-Clixml (for structured data you can re-import)

  2. Out-File for readable text:

    ... | Out-File "C:\Logs\TaskSchedulerLog_Last7Days.txt"
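
The commands above write Clixml or text, while Step 4 names .evtx as the best format for reopening in Event Viewer. The following added example (not part of the original guide) uses the built-in wevtutil tool to export the last 7 days of both logs as .evtx and records a SHA-256 hash of each file so the recipient can confirm the copy is unaltered. The .evtx file names and the export_manifest.csv name are assumptions.

```powershell
# Added example: export the last 7 days of both logs as .evtx and hash the results.
# Assumptions: C:\Logs is the output folder used elsewhere on this page,
# and the session is running with administrator privileges.
$OutDir = 'C:\Logs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# XPath filter: timediff() is measured in milliseconds; 7 days = 604800000 ms.
$Query = '*[System[TimeCreated[timediff(@SystemTime) <= 604800000]]]'

# Log name -> output file name (file names are illustrative).
$Logs = @{
    'Application'                                 = 'ApplicationLog_Last7Days.evtx'
    'Microsoft-Windows-TaskScheduler/Operational' = 'TaskSchedulerLog_Last7Days.evtx'
}

$Results = foreach ($LogName in $Logs.Keys) {
    $Path = Join-Path $OutDir $Logs[$LogName]

    # epl = export-log; /q applies the XPath filter; /ow:true overwrites an existing file.
    wevtutil epl $LogName $Path "/q:$Query" /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of '$LogName' failed (exit code $LASTEXITCODE)."
        continue
    }

    # Read the file back to confirm it opens and to count the exported events.
    # An export with no matching events yields a count of 0 rather than an error.
    $Count = @(Get-WinEvent -Path $Path -ErrorAction SilentlyContinue).Count

    # Hash the file so the recipient can verify it after transfer.
    $Hash = Get-FileHash -Path $Path -Algorithm SHA256

    [pscustomobject]@{
        Log    = $LogName
        File   = $Path
        Events = $Count
        SHA256 = $Hash.Hash
    }
}

# Show the summary and keep a manifest next to the exported files.
$Results | Format-List
$Results | Export-Csv -Path (Join-Path $OutDir 'export_manifest.csv') -NoTypeInformation
```

Send the manifest together with the .evtx files; the recipient can run Get-FileHash on each file and compare the values.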

📤Step 5: Share Logs

  • You can re-import .evtx files into Event Viewer for full context.

  • Share .evtx with KYP support for detailed help.


💡Tips

  • Always check time and date of the event.

  • Look at the Details tab in Event Viewer for full XML data.

  • Enable Operational log for Task Scheduler if it's empty or not logging.


If you have any issues completing these steps, please contact us via the support portal or by email at support@kyp.ai for further assistance.