eventcreate.exe
- File Path:
C:\Windows\system32\eventcreate.exe - Description: Event Create - Creates a custom event in an event log
Hashes
| Type | Hash |
|---|---|
| MD5 | 2A8F8AF71D1ADB9E15153593D2B7E795 |
| SHA1 | 2D50B3F659240762714789DB84C2A35A983CC15F |
| SHA256 | F8A2DE8135A402BEDBDC3DBEB87677B70793E4AFEEF8A66B9792EA0C0315302E |
| SHA384 | 8AEC22F3F31570C9DB32E8CE08F32D4662168998E0CE3BBADEE0FD4DE830BA3E0B19276D81522C17972A13CA96954DB0 |
| SHA512 | 01FBE73D08961161B356AAE8E134CFD578AC591ADC379FCF5A127BEC0BBE552AB819A0D5515F10EF70624CE33348FB888453C884DDDC65B94DC312EB47A09A19 |
| SSDEEP | 768:A08kXeHVlWS2W/7YrgVWtSVSP3xt/WS9SkYQTpGZnlXOoa/QU:Ake74EV0Oi79SkYQmnlXva/QU |
| IMP | AFD01C6C03BABAB564D0A0CDA1CD4649 |
| PESHA1 | 891AE2E0F8DC8E81D9DD90C05DF9C832266D54DF |
| PE256 | A84B01C7D6600D722DC648F416814BEF04999433226F6AAA928B192B037973CC |
Runtime Data
Usage (stdout):
EVENTCREATE [/S system [/U username [/P [password]]]] /ID eventid
[/L logname] [/SO srcname] /T type /D description
Description:
This command line tool enables an administrator to create
a custom event ID and message in a specified event log.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/L logname Specifies the event log to create
an event in.
/T type Specifies the type of event to create.
Valid types: SUCCESS, ERROR, WARNING, INFORMATION.
/SO source Specifies the source to use for the
event (if not specified, source will default
to 'eventcreate'). A valid source can be any
string and should represent the application
or component that is generating the event.
/ID id Specifies the event ID for the event. A
valid custom message ID is in the range
of 1 - 1000.
/D description Specifies the description text for the new event.
/? Displays this help message.
Examples:
EVENTCREATE /T ERROR /ID 1000
/L APPLICATION /D "My custom error event for the application log"
EVENTCREATE /T ERROR /ID 999 /L APPLICATION
/SO WinWord /D "Winword event 999 happened due to low diskspace"
EVENTCREATE /S system /T ERROR /ID 100
/L APPLICATION /D "Custom job failed to install"
EVENTCREATE /S system /U user /P password /ID 1 /T ERROR
/L APPLICATION /D "User access failed due to invalid user credentials"
Usage (stderr):
ERROR: Invalid argument/option - '--help'.
Type "EVENTCREATE /?" for usage.
Loaded Modules:
| Path |
|---|
| C:\Windows\system32\eventcreate.exe |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: evcreate.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/68
- VirusTotal Link: https://www.virustotal.com/gui/file/f8a2de8135a402bedbdc3dbeb87677b70793e4afeef8a66b9792ea0c0315302e/detection/
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
eventcreate
Enables an administrator to create a custom event in a specified event log.
[!IMPORTANT] Custom events can’t be written to the security log.
Syntax
eventcreate [/s <computer> [/u <domain\user> [/p <password>]] {[/l {APPLICATION|SYSTEM}]|[/so <srcname>]} /t {ERROR|WARNING|INFORMATION|SUCCESSAUDIT|FAILUREAUDIT} /id <eventID> /d <description>
Parameters
| Parameter | Description |
|---|---|
/s <computer> |
Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer. |
/u <domain\user> |
Runs the command with the account permissions of the user specified by <user> or <domain\user>. The default is the permissions of the current logged on user on the computer issuing the command. |
/p <password> |
Specifies the password of the user account that is specified in the /u parameter. |
/l {APPLICATION | SYSTEM} |
Specifies the name of the event log where the event will be created. The valid log names are APPLICATION or SYSTEM. |
/so <srcname> |
Specifies the source to use for the event. A valid source can be any string and should represent the application or component that is generating the event. |
/t {ERROR | WARNING | INFORMATION | SUCCESSAUDIT | FAILUREAUDIT} |
Specifies the type of event to create. The valid types are ERROR, WARNING, INFORMATION, SUCCESSAUDIT, and FAILUREAUDIT. |
/id <eventID> |
Specifies the event ID for the event. A valid ID is any number from 1 to 1000. |
/d <description> |
Specifies the description to use for the newly created event. |
| /? | Displays help at the command prompt. |
Examples
The following examples show how you can use the eventcreate command:
eventcreate /t ERROR /id 100 /l application /d "Create event in application log"
eventcreate /t INFORMATION /id 1000 /d "Create event in WinMgmt source"
eventcreate /t ERROR /id 201 /so winword /l application /d "New src Winword in application log"
eventcreate /s server /t ERROR /id 100 /l application /d "Remote machine without user credentials"
eventcreate /s server /u user /p password /id 100 /t ERROR /l application /d "Remote machine with user credentials"
eventcreate /s server1 /s server2 /u user /p password /id 100 /t ERROR /d "Creating events on Multiple remote machines"
eventcreate /s server /u user /id 100 /t WARNING /d "Remote machine with partial user credentials"
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.