eventcreate.exe
- File Path: C:\Windows\SysWOW64\eventcreate.exe
- Description: Event Create - Creates a custom event in an event log
Hashes
Type | Hash |
---|---|
MD5 | F4F9C1965981A7840F300E0FD6504793 |
SHA1 | 1C364E47EEE0F542E60BC31DDC298512AA4D303C |
SHA256 | CF7F814331696E120864D5D8227EE5ABC3BA8B2E46D7E7DF20DC317DFA1D1434 |
SHA384 | 1E3555D1EE159B3096BCD22DDEEDE6D7BDE036C455F9A22C2DE709E9C111B033DEE13C0E0525E42D894ACFB243E8B4A4 |
SHA512 | B8CC96923548CDBE5DA052227D5F14F3E1F16240D42F2F58CE8EB218C736789B2CA3B8A7208BE1C4A7C1812EB7722B9D04AFDE659DC207F04DED77BA664F1989 |
SSDEEP | 768:x7Yg8N9Kk0JtbAvNNTCI6RPia8BSs8eUSndlVOoa+4U7:x7Yg8N91cRwzoRPi7VJVdlVva+4U |
IMP | D9D5E96F73EC284F3BDBECE646CCF1EC |
PESHA1 | A8C112E86B9B7AD5EC6D3B1328A9E89C1BD03AE4 |
PE256 | B1D592AB9C0C0E6C7714EF2E3AC064E1409D5D2CDBAA7B60F669C790702CFF8F |
Runtime Data
Usage (stdout):
EVENTCREATE [/S system [/U username [/P [password]]]] /ID eventid
[/L logname] [/SO srcname] /T type /D description
Description:
This command line tool enables an administrator to create
a custom event ID and message in a specified event log.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/L logname Specifies the event log to create
an event in.
/T type Specifies the type of event to create.
Valid types: SUCCESS, ERROR, WARNING, INFORMATION.
/SO source Specifies the source to use for the
event (if not specified, source will default
to 'eventcreate'). A valid source can be any
string and should represent the application
or component that is generating the event.
/ID id Specifies the event ID for the event. A
valid custom message ID is in the range
of 1 - 1000.
/D description Specifies the description text for the new event.
/? Displays this help message.
Examples:
EVENTCREATE /T ERROR /ID 1000
/L APPLICATION /D "My custom error event for the application log"
EVENTCREATE /T ERROR /ID 999 /L APPLICATION
/SO WinWord /D "Winword event 999 happened due to low diskspace"
EVENTCREATE /S system /T ERROR /ID 100
/L APPLICATION /D "Custom job failed to install"
EVENTCREATE /S system /U user /P password /ID 1 /T ERROR
/L APPLICATION /D "User access failed due to invalid user credentials"
Usage (stderr):
ERROR: Invalid argument/option - '--help'.
Type "EVENTCREATE /?" for usage.
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
C:\Windows\SysWOW64\eventcreate.exe |
Signature
- Status: Signature verified.
- Serial: 33000001C422B2F79B793DACB20000000001C4
- Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: evcreate.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/cf7f814331696e120864d5d8227ee5abc3ba8b2e46d7e7df20dc317dfa1d1434/detection/
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
eventcreate
Enables an administrator to create a custom event in a specified event log.
Important: Custom events can’t be written to the security log.
Syntax
eventcreate [/s <computer> [/u <domain\user> [/p <password>]]] {[/l {APPLICATION|SYSTEM}]|[/so <srcname>]} /t {ERROR|WARNING|INFORMATION|SUCCESSAUDIT|FAILUREAUDIT} /id <eventID> /d <description>
Parameters
Parameter | Description |
---|---|
/s <computer> | Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer. |
/u <domain\user> | Runs the command with the account permissions of the user specified by <user> or <domain\user>. The default is the permissions of the current logged on user on the computer issuing the command. |
/p <password> | Specifies the password of the user account that is specified in the /u parameter. |
/l {APPLICATION \| SYSTEM} | Specifies the name of the event log where the event will be created. The valid log names are APPLICATION or SYSTEM. |
/so <srcname> | Specifies the source to use for the event. A valid source can be any string and should represent the application or component that is generating the event. |
/t {ERROR \| WARNING \| INFORMATION \| SUCCESSAUDIT \| FAILUREAUDIT} | Specifies the type of event to create. The valid types are ERROR, WARNING, INFORMATION, SUCCESSAUDIT, and FAILUREAUDIT. |
/id <eventID> | Specifies the event ID for the event. A valid ID is any number from 1 to 1000. |
/d <description> | Specifies the description to use for the newly created event. |
/? | Displays help at the command prompt. |
Examples
The following examples show how you can use the eventcreate command:
eventcreate /t ERROR /id 100 /l application /d "Create event in application log"
eventcreate /t INFORMATION /id 1000 /d "Create event in WinMgmt source"
eventcreate /t ERROR /id 201 /so winword /l application /d "New src Winword in application log"
eventcreate /s server /t ERROR /id 100 /l application /d "Remote machine without user credentials"
eventcreate /s server /u user /p password /id 100 /t ERROR /l application /d "Remote machine with user credentials"
eventcreate /s server1 /s server2 /u user /p password /id 100 /t ERROR /d "Creating events on Multiple remote machines"
eventcreate /s server /u user /id 100 /t WARNING /d "Remote machine with partial user credentials"
MIT License. Copyright (c) 2020-2021 Strontic.