EVENTCREATE - CMD


Overview

EVENTCREATE is a command-line utility in Windows that allows administrators to create custom entries in the event logs. This command is particularly useful for scripting and monitoring in larger IT deployments, enabling professionals to log specific events manually or through automated scripts. It is commonly used in scenarios involving system monitoring, diagnostics, and automated event management.

Syntax

EVENTCREATE [/S system [/U username [/P [password]]]]
            /ID eventid
            /L logname
            /T type
            /SO source
            /D description
  • /S system specifies the remote system to connect to.
  • /U username specifies the user context under which the command should execute.
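  • /P password specifies the password for the given user; as the brackets in the syntax indicate, the value is optional, and EVENTCREATE prompts for it if omitted.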
  • /ID eventid sets a custom event ID for the event.
  • /L logname specifies the name of the event log.
  • /T type defines the type of event (Valid Types: ERROR, WARNING, INFORMATION).
  • /SO source defines the source to be displayed in the event log.
  • /D description sets the description for the event.

Options/Flags

  • /S system: Optionally define a target remote system. The default value targets the local system.
  • /U username and /P password: Use these flags when administrative privileges on the target system require different user credentials.
  • /ID eventid: Mandatory. Identify the event with a custom identifier, helping in categorizing and querying specific logs.
  • /L logname: The target log where the event will be written. Common values are Application, System, or a custom-created log.
  • /T type: Indicates whether the event is an ‘Error’, ‘Warning’, or ‘Information’.
  • /SO source: This is used to specify the origin of the event, helping in filtering the events from the same origin.
  • /D description: The actual text that describes what the event is about. This should be as informative as possible to aid in diagnostics.

Examples

1. Creating an Information event in the Application log:

EVENTCREATE /T INFORMATION /ID 500 /L Application /SO "BackupScript" /D "Backup process completed successfully"

2. Logging an error event to a remote system’s System log:

EVENTCREATE /S server01 /U admin /P adminpass /T ERROR /ID 999 /L System /SO "DiskCheck" /D "Disk space critically low on server01"

Common Issues

  • Permission Errors: EVENTCREATE fails to log events when it is run without sufficient privileges. Run the command prompt as an administrator or specify appropriate user credentials with /U and /P.

  • Invalid Event ID: Ensure that the event ID (/ID) is a valid integer and is correctly classified according to your logging specification.

  • Compatibility Issues: Some custom logs might not accept entries from all sources or event types, depending on how they are configured.
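
The failure cases listed above can be caught inside a script by checking EVENTCREATE's exit code and then reading the entry back with WEVTUTIL. The batch file below is an added example, not part of the original page; the values of SRC, EVT_ID, LOG and MSG are constructed samples, and it assumes an elevated prompt on the local system.

```batch
@echo off
setlocal EnableExtensions
rem Added example: write an event, check the exit code, then confirm the
rem record reached the log. All values below are constructed samples.
set "SRC=BackupScript"
set "EVT_ID=500"
set "LOG=Application"
set "MSG=Backup process completed successfully"

rem EVENTCREATE only accepts event IDs from 1 to 1000; reject others early.
if %EVT_ID% LSS 1 goto :bad_id
if %EVT_ID% GTR 1000 goto :bad_id

rem A non-zero exit code covers missing privileges, a bad log name, and
rem a source name that is already registered by an installed application.
eventcreate /T INFORMATION /ID %EVT_ID% /L %LOG% /SO "%SRC%" /D "%MSG%" >nul 2>&1
if errorlevel 1 goto :write_failed

rem Read back the newest matching record (/rd:true = newest first, /c:1 = one
rem record). The XPath filter matches on provider name (the /SO value) and ID.
wevtutil qe %LOG% /c:1 /rd:true /f:text /q:"*[System[Provider[@Name='%SRC%'] and (EventID=%EVT_ID%)]]" | findstr /C:"%SRC%" >nul
if errorlevel 1 goto :not_found

echo Event %EVT_ID% from %SRC% confirmed in the %LOG% log.
exit /b 0

:bad_id
>&2 echo Event ID %EVT_ID% is outside the 1-1000 range EVENTCREATE accepts.
exit /b 2

:write_failed
>&2 echo EVENTCREATE failed; check privileges, the log name and the source name.
exit /b 1

:not_found
>&2 echo EVENTCREATE reported success but no matching record is in %LOG%.
exit /b 3
```

The distinct exit codes let a calling scheduler or monitoring agent tell a rejected ID, a failed write and a missing record apart.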

Integration

Combining EVENTCREATE with other commands can enhance automated scripts or monitoring setups. For instance:

REM EVENTCREATE accepts event IDs from 1 to 1000 only, so both IDs stay in that range.
IF NOT EXIST C:\Backup\Archive.zip (
    EVENTCREATE /T ERROR /ID 1000 /L Application /SO "BackupScript" /D "Backup archive not found."
) ELSE (
    EVENTCREATE /T INFORMATION /ID 999 /L Application /SO "BackupScript" /D "Backup verification completed."
)

This script checks for the existence of a backup archive and logs an event based on the outcome.

  • WEVTUTIL: Manage event logs and publishers.
  • TASKSCHD.MSC: Schedule tasks that can trigger on specific events logged by EVENTCREATE.

This command serves as a powerful tool for manual and automated event logging, aiding in system management and monitoring.