Command Line Method to Clear Windows Event Logs Without Confirmation Prompt


@echo off
:: Check for administrative privileges
NET SESSION >nul 2>&1
IF %ERRORLEVEL% NEQ 0 (
    echo This script requires administrator privileges.
    pause
    exit /b
)

:: Clear Application log
wevtutil cl Application
:: Clear Security log (requires special permissions)
wevtutil cl Security
:: Clear Setup log
wevtutil cl Setup
:: Clear System log
wevtutil cl System

echo All specified event logs have been cleared successfully.

The Windows Event Utility (wevtutil) is a built-in command-line tool for managing event logs. The cl subcommand stands for "clear log" and immediately purges all events from the specified log without confirmation prompts.

Clearing different logs requires different permission levels:

  • Application/System: Administrator privileges
  • Security: Requires "Manage auditing and security log" privilege (SeSecurityPrivilege)

:: Clear specific logs for troubleshooting
wevtutil cl Application
wevtutil cl System

:: Clear all logs in a script
FOR /F "tokens=*" %%G IN ('wevtutil el') DO (
    wevtutil cl "%%G"
)

# Clear logs using PowerShell (requires v3.0+)
Clear-EventLog -LogName Application, System
[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("Security")

Before clearing logs:

  • Consider backing up logs with wevtutil epl
  • Log clearing events are recorded in Security log (Event ID 1102)
  • Some enterprise environments may restrict log clearing
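
One way to apply the first two points above, as an added example that is not part of the original article: archive each log with wevtutil epl before clearing it, then read back the records Windows writes when a log is cleared (Event ID 1102 in Security; Event ID 104 in the System log when another log is cleared). The function names and the C:\LogArchive folder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Backup-AndClearLog, Get-LogClearRecord and C:\LogArchive are illustrative names.

function Backup-AndClearLog {
    param(
        [Parameter(Mandatory)] [string[]] $LogName,
        [string] $ArchiveDir = 'C:\LogArchive'
    )
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($log in $LogName) {
        # Channel names may contain "/" or "\", which are not valid in a file name
        $file = Join-Path $ArchiveDir ("{0}-{1}.evtx" -f ($log -replace '[\\/]', '_'), $stamp)

        wevtutil epl $log $file
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
            Write-Warning "Export of '$log' failed; log left untouched."
            continue
        }
        # Record a hash of the archive so later modification is detectable
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash

        wevtutil cl $log
        [pscustomobject]@{
            Log     = $log
            Archive = $file
            SHA256  = $hash
            Cleared = ($LASTEXITCODE -eq 0)
        }
    }
}

function Get-LogClearRecord {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    # 1102: the Security log was cleared. 104 (System log): another log was cleared.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $Since }
    )
    foreach ($f in $filters) {
        # No matching events raises an error; suppress it and return nothing instead
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

Backup-AndClearLog -LogName Application, System | Format-Table -AutoSize
Get-LogClearRecord -Since (Get-Date).AddHours(-1) | Format-List
```

Forwarding Event IDs 1102 and 104 to a central collector keeps the clear record available even if the local logs are cleared again later.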

For regular log maintenance, create a scheduled task:

schtasks /create /tn "Clear Event Logs" /tr "cmd /c wevtutil cl Application & wevtutil cl System" /sc weekly /d SUN /st 23:00 /rl HIGHEST

For system administrators automating log maintenance, PowerShell provides the most straightforward method. The Clear-EventLog cmdlet offers complete control:

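# Clear the standard classic logs
Clear-EventLog -LogName Application, Security, System -Confirm:$false
# Setup is not a classic log, so Clear-EventLog cannot open it; use the event log session instead
[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("Setup")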

# Targeting specific logs (example for Security log)
Clear-EventLog -LogName Security -Confirm:$false

The Windows Event Utility provides lower-level access with these commands:

:: Clear System log
wevtutil cl System

:: Clear multiple logs in one command
wevtutil cl Application & wevtutil cl Security

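Windows event logs do not support deleting individual records. When you need to preserve recent entries, export them to an archive file before clearing the log:

# Export System events from the last 30 days, then clear the log
$archive = "C:\Logs\System-last30d.evtx"   # example path; the folder must already exist
$ms = 2592000000                           # 30 days in milliseconds
wevtutil epl System $archive "/q:*[System[TimeCreated[timediff(@SystemTime) <= $ms]]]"
wevtutil cl System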

When scripting this operation:

  • Always wrap in error handling (try/catch blocks)
  • Consider logging the clearing operation itself
  • Verify administrator privileges before execution
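
try {
    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Elevated privileges required"
    }
    # Write-EventLog fails unless the source is already registered
    if (-not [System.Diagnostics.EventLog]::SourceExists("MyScript")) {
        New-EventLog -LogName "Application" -Source "MyScript"
    }
    # -ErrorAction Stop turns a failed clear into a terminating error so the catch block runs
    Clear-EventLog -LogName System -Confirm:$false -ErrorAction Stop
    Write-EventLog -LogName "Application" -Source "MyScript" -EntryType Information -EventId 100 -Message "System log cleared"
}
catch {
    Write-Error $_.Exception.Message
}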

Minimum privileges needed:

  • Membership in local Administrators group
  • "Manage auditing and security log" privilege for Security log
  • Execution Policy allowing script execution