evntcmd.exe

File Path: C:\windows\system32\evntcmd.exe
Description: Event Translator Configuration Tool

Hashes

Type	Hash
MD5	`83AD1BD2BF691BF25FB75B8593C9BFBB`
SHA1	`DF74819660EB06F18740F404F4149E74CEC442F7`
SHA256	`CB335C39B8BD2DA55071E3FB19FC516F26CB1DF10E8113DAAE7A2537E4834F85`
SHA384	`6709CB63CCE0D26C53C9344231272DC87974DA9BC60938A14905B2128EE3D2F47E7B5069AB033D33DDE39F38360BF5E4`
SHA512	`9BB8FB16A09CAC647F52FE72A07473A3AB7E6FF35680BA175DAB54046D512C40A3897FE606F141B9C1708B40E808BCEA6FDFCD2FB964613A4093735C4FD92049`
SSDEEP	`384:XdzXejBImR1Yd0JOsD8tqZDbRNtKYpjV40zjleCiDL0Cajh1sF/No3eqSbWYZrW:tciRsD3ZDtjZVN1eCCLHajh1mqSB`

Signature

Status: The file C:\windows\system32\evntcmd.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: eventcmd.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

evntcmd

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Configures the translation of events to traps, trap destinations, or both based on information in a configuration file.

Syntax

evntcmd [/s <computername>] [/v <verbositylevel>] [/n] <filename>

Parameters

Parameter	Description
/s `<computername>`	Specifies, by name, the computer on which you want to configure the translation of events to traps, trap destinations, or both. If you do not specify a computer, the configuration occurs on the local computer.
/v `<verbositylevel>`	Specifies which types of status messages appear as traps and trap destinations are configured. This parameter must be an integer between 0 and 10. If you specify 10, all types of messages appear, including tracing messages and warnings about whether trap configuration was successful. If you specify 0, no messages appear.
/n	Specifies that the SNMP service should not be restarted if this computer receives trap configuration changes.
`<filename>`	Specifies, by name, the configuration file that contains information about the translation of events to traps and trap destinations you want to configure.
/?	Displays help at the command prompt.

Remarks

if you want to configure traps but not trap destinations, you can create a valid configuration file by using Event to Trap Translator, which is a graphical utility. If you have the SNMP service installed, you can start Event to Trap Translator by typing evntwin at a command prompt. After you have defined the traps you want, click Export to create a file suitable for use with evntcmd. You can use Event to Trap Translator to easily create a configuration file and then use the configuration file with evntcmd at the command prompt to quickly configure traps on multiple computers.
The syntax for configuring a trap is as follows:
```
#pragma add <eventlogfile> <eventsource> <eventID> [<count> [<period>]]
```
Where the text following is true:
- #pragma must appear at the beginning of every entry in the file.
- The parameter add specifies that you want to add an event to trap configuration.
- The parameters eventlogfile, eventsource, and eventID are required, and where eventlogfile specifies the file in which the event is recorded, eventsource specifies the application that generates the event and eventID specifies the unique number that identifies each event.
To determine what values correspond to each event, start the Event to Trap Translator by typing evntwin at a command prompt. Click Custom, and then click edit. Under Event Sources, browse the folders until you locate the event you want to configure, click it, and then click add. Information about the event source, the event log file, and the event ID appear under Source, Log, and Trap specific ID, respectively.
- The count parameter is optional, and it specifies how many times the event must occur before a trap message is sent. If you don’t use this parameter, the trap message is sent after the event occurs once.
- The period parameter is optional, but it requires you to use the count parameter. The period parameter specifies a length of time (in seconds) during which the event must occur the number of times specified with the count parameter before a trap message is sent. If you don’t use this parameter, a trap message is sent after the event occurs the number of times specified with the count parameter, no matter how much time elapses between occurrences.
The syntax for removing a trap is as follows:
```
#pragma delete <eventlogfile> <eventsource> <eventID>
```
Where the text following is true:
- #pragma must appear at the beginning of every entry in the file.
- The parameter delete specifies that you want to remove an event to trap configuration.
- The parameters eventlogfile, eventsource, and eventID are required, and where eventlogfile specifies the file in which the event is recorded, eventsource specifies the application that generates the event and eventID specifies the unique number that identifies each event.
To determine what values correspond to each event, start the Event to Trap Translator by typing evntwin at a command prompt. Click Custom, and then click edit. Under Event Sources, browse the folders until you locate the event you want to configure, click it, and then click add. Information about the event source, the event log file, and the event ID appear under Source, Log, and Trap specific ID, respectively.
The syntax for configuring a trap destination is as follows:
```
#pragma add_TRAP_DEST <communityname> <hostID>
```
Where the text following is true:
- #pragma must appear at the beginning of every entry in the file.
- The parameter add_TRAP_DEST specifies that you want trap messages to be sent to a specified host within a community.
- The parameter communityname specifies, by name, the community in which trap messages are sent.
- The parameter hostID specifies, by name or IP address, the host to which you want trap messages to be sent.
The syntax for removing a trap destination is as follows:
```
#pragma delete_TRAP_DEST <communityname> <hostID>
```
Where the text following is true:
- #pragma must appear at the beginning of every entry in the file.
- The parameter delete_TRAP_DEST specifies that you do not want trap messages to be sent to a specified host within a community.
- The parameter communityname specifies, by name, the community to which trap messages shouldn’t be sent.
- The parameter hostID specifies, by name or IP address, the host to which you don’t want trap messages to be sent.

Examples

The following examples illustrate entries in the configuration file for the evntcmd command. They are not designed to be typed at a command prompt.

To send a trap message if the Event Log service is restarted, type:

##pragma add System Eventlog 2147489653

To send a trap message if the Event Log service is restarted twice in three minutes, type:

##pragma add System Eventlog 2147489653 2 180

To stop sending a trap message whenever the Event Log service is restarted, type:

##pragma delete System Eventlog 2147489653

To send trap messages within the community named Public to the host with the IP address 192.168.100.100, type:

##pragma add_TRAP_DEST public 192.168.100.100

To send trap messages within the community named Private to the host named Host1, type:

##pragma add_TRAP_DEST private Host1

To stop sending trap messages within the community named Private to the same computer on which you are configuring trap destinations, type:

##pragma delete_TRAP_DEST private localhost

Additional References

Command-Line Syntax Key