Process
wevtutil.exe
wevtutil.exe is the Windows Events command-line utility, a tool for managing the event logs. It can query, export, and configure logs and event publishers, and it can clear a log entirely. Administrators use it for log management. Attackers use it to wipe the evidence of their activity and to turn logging off.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
wevtutil.exe administers the Windows event logging system. It can list logs and publishers (el, ep), show or change a log's configuration (gl, sl), read events (qe), export and archive a log (epl, al), and clear a log (cl). Several operations can also run against a remote machine with the /r option. The genuine binary lives at C:\Windows\System32\wevtutil.exe.
Legitimately, wevtutil is run by administrators and monitoring tools to read, export, and configure logs as part of diagnostics or log collection. The verb and the target log, both on the command line, are what give an instance meaning. Reading and exporting are routine. Clearing and disabling are not.
wevtutil.exe is a standard tool for destroying logs after an intrusion (T1685.005). wevtutil cl Security, and the same verb against System, Application, or the PowerShell operational log, erases a log outright, and clearing several in a row is a strong indicator of anti-forensics. The act does leave a trace of its own: clearing the Security log writes event ID 1102, and clearing any other log writes event ID 104, so the gap in the log and the clear-event together tell the story.
It can also switch logging off before anything is recorded (T1685.001). wevtutil sl <log> /e:false disables a log. This is quieter than clearing because there is no after-the-fact wipe to notice; future events simply never land. Disabling security-relevant logs (the Security channel, PowerShell operational, or a Sysmon channel) is high-signal. Because wevtutil is a legitimate administrative tool, the verb and the targeted log are what separate log management from evidence tampering.
- Image path other than C:\Windows\System32\wevtutil.exe (high)
- cl (clear-log), especially of Security, System, or Application (high)
- sl <log> /e:false disabling a log (high)
- Clearing or disabling several logs in sequence (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
- Run interactively on a host with no log-management role (med)
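The analysis and the indicator list above reduce to a small amount of detection logic over process-creation telemetry: parse the wevtutil verb, target log and options out of the command line, check the image path and parent, and look for several clear/disable operations on one host in a short window. The following is an added example, not part of this entry or of any vendor's detection content; the process records, host names and the log-management host list are constructed for illustration, and the 60-second window and two-operation threshold are assumptions to tune per environment.

```python
"""Classify wevtutil.exe process-creation records against the indicators above.
Added example: the records below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime

GENUINE_IMAGE = r"c:\windows\system32\wevtutil.exe"
VERB_ALIASES = {"clear-log": "cl", "set-log": "sl"}   # wevtutil accepts long verbs too
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
INTERACTIVE_SHELLS = {"cmd.exe", "explorer.exe"}
# Hosts with a legitimate log-management role (constructed; a real deployment
# would populate this from an asset inventory).
LOG_MANAGEMENT_HOSTS = {"srv01"}

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
GENUINE = r"C:\Windows\System32\wevtutil.exe"

# Constructed process-creation records: (timestamp, host, parent image,
# image path, command line). Hosts and times are invented for this example.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "srv01", CMD, GENUINE, "wevtutil qe Security /c:5 /f:text"),
    ("2024-05-01T10:00:05", "srv01", CMD, GENUINE, r"wevtutil epl Application C:\temp\app.evtx"),
    ("2024-05-01T11:30:00", "ws07", PS, GENUINE, "wevtutil.exe cl Security"),
    ("2024-05-01T11:30:02", "ws07", PS, GENUINE, "wevtutil.exe cl System"),
    ("2024-05-01T11:30:04", "ws07", PS, GENUINE, "wevtutil.exe cl Application"),
    ("2024-05-01T11:31:00", "ws07", WORD, r"C:\Users\Public\wevtutil.exe",
     'wevtutil sl "Microsoft-Windows-PowerShell/Operational" /e:false'),
]


def parse_wevtutil(cmdline):
    """Split a wevtutil command line into (verb, target log, [options])."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    rest = tokens[1:]                      # tokens[0] is the executable itself
    verb = VERB_ALIASES.get(rest[0].lower(), rest[0].lower()) if rest else None
    positional = [t for t in rest[1:] if not t.startswith("/")]
    options = [t.lower() for t in rest[1:] if t.startswith("/")]
    return verb, (positional[0] if positional else None), options


def is_tampering(verb, options):
    """cl wipes a log; sl with /e:false turns it off. Reads and exports are routine."""
    return verb == "cl" or (verb == "sl" and "/e:false" in options)


def assess_event(event):
    """Return [(indicator, severity), ...] for one record, per the indicator list."""
    _, host, parent, image, cmdline = event
    findings = []
    if image.lower() != GENUINE_IMAGE:
        findings.append(("image path other than C:\\Windows\\System32\\wevtutil.exe", "high"))
    verb, target, options = parse_wevtutil(cmdline)
    if verb == "cl":
        findings.append((f"cl (clear-log) of {target}", "high"))
    elif verb == "sl" and "/e:false" in options:
        findings.append((f"sl /e:false disabling {target}", "high"))
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    if parent_name in OFFICE_APPS or parent_name in SCRIPT_HOSTS:
        findings.append((f"parent is {parent_name}", "high"))
    elif parent_name in INTERACTIVE_SHELLS and host not in LOG_MANAGEMENT_HOSTS:
        findings.append(("interactive use on a host with no log-management role", "med"))
    return findings


def find_sequences(events, window_seconds=60, min_count=2):
    """Per host, report min_count or more clear/disable operations within one window."""
    ops = defaultdict(list)
    for ts, host, _, _, cmdline in events:
        verb, target, options = parse_wevtutil(cmdline)
        if is_tampering(verb, options):
            ops[host].append((datetime.fromisoformat(ts), f"{verb} {target}"))
    hits = {}
    for host, items in ops.items():
        items.sort()
        for start, _ in items:
            run = [d for t, d in items
                   if 0 <= (t - start).total_seconds() <= window_seconds]
            if len(run) >= min_count:
                hits[host] = run
                break
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev[1], ev[4], "->", assess_event(ev) or "routine")
    print("sequences:", find_sequences(SAMPLE_EVENTS))
```

The per-record check and the sequence check are deliberately separate: a single cl from a script host is already high, but the sequence view is what turns three clears and a disable on ws07 into one incident rather than four alerts, and it is the place to join in the 1102/104 events the clears themselves write.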
Telemetry
Not observed.