Current File : C:/Windows/SysWOW64/en-US/wecutil.exe.mui

Out of memory.%0

Failed to open output file: %1!s!.%0

Failed to open config file: %1!s!.%0

Invalid config file.%0

Failed to read from config file.%0

Failed to initialize COM.%0

Failed to read subscription id from config file.%0

Failed to open subscription.%0

Failed to save subscription.%0

The subscription is saved successfully, but it can't be activated at this time.

Use retry-subscription command to retry the subscription. If subscription is running,

you can also use get-subscriptionruntimestatus command to get extended error status.

Failed to delete subscription.%0

Failed to open subscription enumeration.%0

Failed to enumerate subscriptions.%0

Failed to get %1!s! property.%0

Failed to set %1!s! property.%0

Failed to retry event source: %1!s!.%0

Failed to retry subscription. %0

Format is not supported.%0

Invalid delivery mode %d.%0

Invalid content format %d.%0

Invalid property value '%1!s!' (%2!s!).%0

Command %1!s! is not supported.%0

Invalid option %1!s!. Option name is not specified.%0

Invalid option %1!s!. Option is specified more than once.%0

Invalid option %1!s!. Option is not integer.%0

Invalid option %1!s!. Option value is not specified.%0

Invalid option %1!s!. Option is not Boolean.%0

Invalid option %1!s!. Option is not supported.%0

Too many arguments are specified.%0

Required argument(s) is/are not specified.%0

Internal error.%0

Failed to read password.%0

EventSourceAddress is not specified.%0

Command is not specified.%0

No event source is found for this subscription.%0

Root node of config file is not Subscription or in correct namespace.%0

Warning: event source %1!s! is disabled.%0

Subscription %1!s! already exists.%0

Can not add event source %1!s! when it already exists.%0

Windows Event Collector Utility



Enables you to create and manage subscriptions to events forwarded from remote

event sources that support WS-Management protocol.



Usage:



You can use either the short (i.e. es, /f) or long (i.e. enum-subscription, /format)

version of the command and option names. Commands, options and option values are

case-insensitive.



(ALL UPPER-CASE = VARIABLE)



wecutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]



Commands:



es (enum-subscription)               List existent subscriptions.

gs (get-subscription)                Get subscription configuration.

gr (get-subscriptionruntimestatus)   Get subscription runtime status.

ss (set-subscription)                Set subscription configuration.

cs (create-subscription)             Create new subscription.

ds (delete-subscription)             Delete subscription.

rs (retry-subscription)              Retry subscription.

qc (quick-config)                    Configure Windows Event Collector service.



Common options:



/h|? (help)

Get general help for the wecutil program.



wecutil { -help | -h | -? }



For arguments and options, see usage of specific commands:



wecutil COMMAND -?

Create a remote subscription.



Usage:



wecutil { cs | create-subscription } CONFIGURATION_FILE [/OPTION:VALUE [/OPTION:VALUE] ...]



CONFIGURATION_FILE

String that specifies the path to the XML file that contains subscription configuration.

The path can be absolute or relative to the current directory.







Options:



You can use either the short (i.e. /cun) or long (i.e. /CommonUserName) version of the

option names. Options and their values are case-insensitive.



/cun:USERNAME  (CommonUserName)

Sets shared user credential to be used for event sources that do not have their own

user credentials. This option applies to collector initiated subscriptions only.

Note: if this option is specified, UserName/UserPassword settings for individual event

sources from the configuration file are ignored. If you want to use different credential

for a specific event source, use ss (set-subscription) command to set it for the event

source.



/cup:PASSWORD  (CommonUserPassword)

Sets the user password for the shared user credential. When PASSWORD is set to *

(asterisk), the password is read from the console. This option is only valid when

/cun (CommonUserName) option is specified.









Example:



Create a collector initiated subscription to forward events from the Application event log of

a remote computer mySource.myDomain.com to ForwardedEvents log.



wecutil cs ci_subscription.xml



Content of ci_subscription.xml:



<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">

    <SubscriptionId>SampleCISubscription</SubscriptionId>

    <SubscriptionType>CollectorInitiated</SubscriptionType>

    <Description>Collector Initiated Subscription Sample</Description>

    <Enabled>true</Enabled>

    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>



    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->

    <ConfigurationMode>Custom</ConfigurationMode>



    <Delivery Mode="Push">

        <Batching>

            <MaxItems>20</MaxItems>

            <MaxLatencyTime>60000</MaxLatencyTime>

        </Batching>

        <PushSettings>

            <HostName>thisMachine.myDomain.com</HostName>

            <Heartbeat Interval="60000"/>

        </PushSettings>

    </Delivery>



    <Expires>2010-01-01T00:00:00.000Z</Expires>



    <Query>

        <![CDATA[

            <QueryList>

                <Query Path="Application">

                    <Select>*</Select>

                </Query>

            </QueryList>

        ]]>

    </Query>

    <ReadExistingEvents>false</ReadExistingEvents>

    <TransportName>http</TransportName>

    <ContentFormat>RenderedText</ContentFormat>

    <Locale Language="en-US"/>

    <LogFile>ForwardedEvents</LogFile>

    <CredentialsType>Default</CredentialsType>



    <EventSources>

        <EventSource Enabled="true">

            <Address>mySource.myDomain.com</Address>

            <UserName>myUserName</UserName>

        </EventSource>

    </EventSources>

</Subscription>











Example:



Create a source initiated subscription to forward events from the Application event log of

a remote computer mySource.myDomain.com to ForwardedEvents log.



wecutil cs si_subscription.xml



Content of si_subscription.xml:



<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">

    <SubscriptionId>SampleSISubscription</SubscriptionId>

    <SubscriptionType>SourceInitiated</SubscriptionType>

    <Description>Source Initiated Subscription Sample</Description>

    <Enabled>true</Enabled>

    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>



    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->

    <ConfigurationMode>Custom</ConfigurationMode>



    <Delivery Mode="Push">

        <Batching>

            <MaxItems>1</MaxItems>

            <MaxLatencyTime>1000</MaxLatencyTime>

        </Batching>

        <PushSettings>

            <Heartbeat Interval="60000"/>

        </PushSettings>

    </Delivery>



    <Expires>2018-01-01T00:00:00.000Z</Expires>



    <Query>

        <![CDATA[

            <QueryList>

                <Query Path="Application">

                    <Select>Event[System/EventID='999']</Select>

                </Query>

            </QueryList>

        ]]>

    </Query>



    <ReadExistingEvents>true</ReadExistingEvents>

    <TransportName>http</TransportName>

    <ContentFormat>RenderedText</ContentFormat>

    <Locale Language="en-US"/>

    <LogFile>ForwardedEvents</LogFile>

    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>

    <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>

</Subscription>



Note that when creating a source initiated subscription, if

AllowedSourceDomainComputers, AllowedSourceNonDomainComputers/AllowedIssuerCAList,

AllowedSubjectList, and DeniedSubjectList are all empty, then a default will

be provided for AllowedSourceDomainComputers - O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS). 

This SDDL default grants members of the Domain Computers domain group, as well

as the local Network Service group (for local forwarder), the ability to 

raise events for this subscription.
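
The rules stated in this help text (the namespace check on the root node, the Delivery node being ignored outside Custom mode, the default SDDL described in the note above, and /cun overriding per-source credentials) can be checked against a subscription file before it is loaded. The following is an added example, not part of wecutil or of the original file; `review_subscription` and its report keys are hypothetical names, and the first sample is changed to Normal mode to show the ignored Delivery node.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/2006/03/windows/events/subscription"
NS = {"s": NS_URI}
# Default SDDL quoted in the note above for source initiated subscriptions.
DEFAULT_ADC_SDDL = "O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)"
OTHER_LISTS = ("AllowedSourceNonDomainComputers", "AllowedIssuerCAList",
               "AllowedSubjectList", "DeniedSubjectList")

def _text(parent, tag):
    node = parent.find("s:" + tag, NS)
    return (node.text or "").strip() if node is not None else ""

def _is_empty(root, tag):
    # Assumption: "empty" means the element is absent or holds no text.
    node = root.find(".//s:" + tag, NS)
    return node is None or not "".join(node.itertext()).strip()

def review_subscription(xml_text, common_user_name=None):
    """Summarise how the rules in the help text apply to this file."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Subscription" % NS_URI:
        raise ValueError("root node is not Subscription in the expected namespace")
    sub_type = _text(root, "SubscriptionType")
    mode = _text(root, "ConfigurationMode") or "Normal"  # Normal is the default
    report = {
        "id": _text(root, "SubscriptionId"),
        "type": sub_type,
        "transport": _text(root, "TransportName"),
        # The Delivery node is ignored unless the mode is Custom.
        "delivery_node_used": mode.lower() == "custom"
        and root.find("s:Delivery", NS) is not None,
    }
    if sub_type.lower() == "sourceinitiated":
        adc = _text(root, "AllowedSourceDomainComputers")
        # With every allow/deny list empty, the default SDDL is supplied.
        defaulted = not adc and all(_is_empty(root, t) for t in OTHER_LISTS)
        report["adc_defaulted"] = defaulted
        report["allowed_domain_sddl"] = DEFAULT_ADC_SDDL if defaulted else adc
    else:
        # /cun makes per-source UserName/UserPassword from the file ignored.
        with_creds = [
            _text(src, "Address")
            for src in root.findall("s:EventSources/s:EventSource", NS)
            if _text(src, "UserName") or _text(src, "UserPassword")
        ]
        report["per_source_credentials"] = with_creds
        report["credentials_ignored"] = with_creds if common_user_name else []
    return report

# Constructed inputs, trimmed from the two sample files shown above.
CI_SAMPLE = f"""<Subscription xmlns="{NS_URI}">
  <SubscriptionId>SampleCISubscription</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Delivery Mode="Push"><Batching><MaxItems>20</MaxItems></Batching></Delivery>
  <TransportName>http</TransportName>
  <EventSources><EventSource Enabled="true">
    <Address>mySource.myDomain.com</Address><UserName>myUserName</UserName>
  </EventSource></EventSources>
</Subscription>"""
SI_SAMPLE = f"""<Subscription xmlns="{NS_URI}">
  <SubscriptionId>SampleSISubscription</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push"><Batching><MaxItems>1</MaxItems></Batching></Delivery>
  <TransportName>http</TransportName>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers></AllowedSourceDomainComputers>
</Subscription>"""

if __name__ == "__main__":
    print(review_subscription(CI_SAMPLE, common_user_name="svcCollector"))
    print(review_subscription(SI_SAMPLE))
```
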



List the names of all existent remote event subscriptions.



Usage:



wecutil { es | enum-subscription }



Example:



List event subscriptions.



wecutil es

Displays remote subscription configuration information.



Usage:



wecutil { gs | get-subscription } SUBSCRIPTION_ID [/OPTION:VALUE [/OPTION:VALUE] ...]



SUBSCRIPTION_ID

String that uniquely identifies a subscription, specified by the <SubscriptionId> tag

of the XML configuration file used to create the subscription



Options:



You can use either the short (i.e. /f) or long (i.e. /format) version of the option

names. Options and their values are case-insensitive.



/f:VALUE (format)

VALUE can be XML or Terse. If VALUE is XML, print output in XML. If VALUE is Terse

(default), print value as name-value pairs.



/u:VALUE (unicode)

Display output in unicode (UTF-16). VALUE can be true or false. If VALUE is true then output is

in Unicode.



Example:



Output configuration information on a subscription named sub1.

wecutil gs sub1



Example output:



Subscription Id: sub1

SubscriptionType: CollectorInitiated

Description: Push Collector Initiated Subscription

Enabled: true

Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog

ConfigurationMode: Custom

DeliveryMode: Push

DeliveryMaxItems: 1

DeliveryMaxLatencyTime: 1000

HostName: thisMachine.myDomain.com

HeartbeatInterval: 60000

Expires: 2010-01-01T00:00:00.000Z

Query:

            <QueryList>

                <Query Path="Application">

                    <Select>*</Select>

                </Query>

            </QueryList>



ReadExistingEvents: true

TransportName: http

ContentFormat: RenderedText

Locale: en-US

LogFile: ForwardedEvents

CredentialsType: Default

CommonUserName: Administrator

CommonUserPassword: *



EventSource[0]:

    Address: mySource.myDomain.com

    Enabled: true

    UserName: myUserName

    UserPassword: *



EventSource[1]:

    Address: mySource1.myDomain.com

    Enabled: true

    UserName: myUserName

    UserPassword: *



Displays subscription runtime status.



Usage:



wecutil { gr | get-subscriptionruntimestatus } SUBSCRIPTION_ID

 [EVENT_SOURCE [EVENT_SOURCE] ...]



SUBSCRIPTION_ID

String that uniquely identifies a subscription, specified by the

<SubscriptionId> tag of the XML configuration file used to create the subscription



EVENT_SOURCE

String that identifies a machine serving as a source of events using fully-qualified

domain name, NetBIOS name, or an IP address.



Example:



Display runtime status of subscription named sub1.

wecutil gr sub1





Subscription: sub1

    RunTimeStatus: Active

    LastError: 0    ErrorMessage:

    ErrorTime: 2007-01-01T12:00:00.000

    NextRetryTime:

    LastHeartbeatTime:

    EventSources:

        MYSOURCE$

            RunTimeStatus: Active

            LastError: 0

            ErrorMessage:

            ErrorTime:

            NextRetryTime:

            LastHeartbeatTime: 2007-01-01T12:15:00.000



Deletes a specific subscription and unsubscribes from all event sources that deliver

events into the Event Log for the subscription. Any events already received and

logged are not deleted.



Usage:



wecutil { ds | delete-subscription } SUBSCRIPTION_ID



SUBSCRIPTION_ID

String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of

the XML configuration file used to create the subscription



Example:



Delete a subscription named sub1.

wecutil ds sub1

Retries inactive subscription by attempting to reactivate all or specified event

sources by establishing a connection and sending a remote subscription request.

Disabled sources are not retried.



Usage:



wecutil { rs | retry-subscription } SUBSCRIPTION_ID

 [EVENT_SOURCE [EVENT_SOURCE] ...]



SUBSCRIPTION_ID

String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of

the XML configuration file used to create the subscription



EVENT_SOURCE

String that identifies a machine serving as a source of events using fully-qualified

domain name, NetBIOS name, or an IP address.



Example:



Retry all sources of a subscription named sub1.

wecutil rs sub1

Sets subscription configuration by changing subscription parameters from the command

line or by using an XML configuration file.



Usage:



wecutil { ss | set-subscription } SUBSCRIPTION_ID [/OPTION:VALUE [/OPTION:VALUE] ...]



wecutil { ss | set-subscription } /c:CONFIG_FILE [/cus:USERNAME [/cup:PASSWORD] ...]



SUBSCRIPTION_ID

String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of

the XML configuration file used to create the subscription



Options:



You can use either the short (i.e. /q) or long (i.e. /Query) version of the

option names. Options and their values are case-insensitive.











COMMON OPTIONS (for all type of subscriptions):



/c:CONFIG_FILE    (Config)

String that specifies the path to the XML file that contains subscription configuration.

The path can be absolute or relative to the current directory. This option may only be

used with the optional /cus (CommonUserName) and /cup (CommonUserPassword) options and

is mutually exclusive with all other options.



/e[:VALUE] (enabled)

Enable or disable a subscription. VALUE can be true or false. The default value of this

option is true.



/d:DESCRIPTION    (Description)

String that describes the subscription.



/ex:DATE_TIME    (Expires)

String that specifies the subscription expiration time. DATE_TIME value is specified in

standard XML or ISO8601 date-time format: yyyy-MM-ddThh:mm:ss[.sss][Z], where T is the

time separator and Z indicates UTC time.



/uri:URI

String that specifies the type of the events consumed by the subscription. The address

of the event source machine along with the URI uniquely identifies the source of the

events.



/cm:CONFIGURATION_MODE  (ConfigurationMode)

String that specifies the configuration mode. CONFIGURATION_MODE can be one of the

following strings: Normal, Custom, MinLatency or MinBandwidth. The Normal, MinLatency,

and MinBandwidth modes set delivery mode, delivery max items, heartbeat interval, and

delivery max latency time. The /dm (DeliveryMode), /dmi (DeliveryMaxItems),

/hi (HeartbeatInterval) or /dmlt (DeliveryMaxLatencyTime) option may only be specified

if the configuration mode is set to Custom.



/q:QUERY    (Query)

String that specifies the query string for the subscription. The format of this string

may be different for different URI values and applies to all sources in the subscription.



/dia:DIALECT  (Dialect)

String that specifies the dialect the query string uses.



/cf:FORMAT   (ContentFormat)

String that specifies the format of the returned events. FORMAT can be Events or

RenderedText. When the value is RenderedText, the events are returned with the localized

strings (such as event description) attached to the event. The default value of FORMAT

is RenderedText.



/l:LOCALE    (Locale)

String that specifies the locale for delivery of the localized strings in RenderedText

format. LOCALE is a language/country culture identifier, for example, "en-US". This

option is valid only if /cf (ContentFormat) option is set to "RenderedText".



/ree[:VALUE]   (ReadExistingEvents)

Specifies which events are to be delivered for the subscription. VALUE can be true or false.

When the VALUE is true, all existing events are read from the subscription event sources.

When the VALUE is false, only future (arriving) events are delivered. The default value

is true for an /ree option without a value. If no /ree option is specified, the default

value is false.



/lf:FILENAME   (LogFile)

String that specifies the local event log used to store events received from the event

sources.



/pn:PUBLISHER  (PublisherName)

String that specifies the publisher name. It must be a publisher which owns or imports

log specified by /lf (LogFile) option.



/dm:MODE (DeliveryMode)

String that specifies the delivery mode. MODE can be either pull or push for collector

initiated subscriptions and only push for source initiated subscriptions. This option is

valid only if /cm (ConfigurationMode) option is set to Custom.



/dmi:NUMBER  (DeliveryMaxItems)

A number that specifies the maximum number of items for batched delivery. This option is

valid only if /cm (ConfigurationMode) is set to Custom.



/dmlt:MS (DeliveryMaxLatencyTime)

A number that specifies the maximum latency in delivering a batch of events. MS is the

number of milliseconds. This option is valid only if /cm (ConfigurationMode) is set to

Custom.



/hi:MS   (HeartbeatInterval)

A number that specifies the heartbeat interval for push subscriptions, or the polling

interval for pull subscriptions. MS is the number of milliseconds. This option is valid 

only if /cm (ConfigurationMode) is set to Custom.



/tn:TRANSPORTNAME   (TransportName)

String that specifies the name of the transport used to connect to remote event source.

It can be http or https.

/esa:EVENT_SOURCE   (EventSourceAddress)

Specifies the address of an event source. EVENT_SOURCE is a string that identifies a

machine serving as a source of events using fully-qualified domain name, NetBIOS name,

or an IP address. This option should be used with /ese (EventSourceEnabled),

/aes (AddEventSource), /res (RemoveEventSource), or /un (UserName) and /up (UserPassword)

options.



/ese[:VALUE]  (EventSourceEnabled)

Enable or disable an event source. VALUE can be true or false. This option is allowed

only if /esa (EventSourceAddress) option is specified. The default value of this option

is true.



OPTIONS SPECIFIC TO COLLECTOR INITIATED SUBSCRIPTIONS:



/aes  (AddEventSource)

Adds event source specified by the /esa (EventSourceAddress) option, if it is not already

a part of the subscription. If the address specified by the /esa (EventSourceAddress) is

already a part of the subscription, an error is raised. This option is allowed only if

/esa (EventSourceAddress) option is specified.



/res  (RemoveEventSource)

Removes event source specified by the /esa (EventSourceAddress) option, if it is already

a part of the subscription. If the address specified by the /esa (EventSourceAddress)

is not a part of the subscription, an error is raised. This option is allowed only if

/esa (EventSourceAddress) option is specified.



/un:USERNAME   (UserName)

Specifies user credential to be used with the source specified by the

/esa (EventSourceAddress) option. This option is allowed only if /esa (EventSourceAddress)

option is specified.



/up:PASSWORD   (UserPassword)

Sets the user password for the user credential for the source specified by the

/esa (EventSourceAddress) option. This option is allowed only if /un (UserName) option

is specified.



/tp:TRANSPORTPORT   (TransportPort)

Port number used by transport when connecting to remote event source. If not specified the 

port defaults to the standard one used for the given transport name: 80 for http, 443 for 

https



/hn:NAME   (HostName)

String that specifies the FQDNS name of the local machine. This name is used by remote

event source to push back events and must be used for push subscription only. It is used

in scenarios involving multi-homed servers that may have multiple FQDNS names.



/ct:TYPE   (CredentialsType)

String that specifies the credential type to be used for remote source access. TYPE may

be one of the following values: "default", "negotiate", "digest", "basic" or

"localmachine". The default value is "default".



/cun:USERNAME   (CommonUserName)

Sets shared user credential to be used for event sources that do not have their own user

credentials.

Note: if this option is specified with the /c (Config) option, UserName/UserPassword

settings for individual event sources from the configuration file are ignored. If you

want to use different credential for a specific event source, you may override this

value by specifying the /un (UserName) and /up (UserPassword) for a specific event

source on the command line of another ss (set-subscription) command.



/cup:PASSWORD   (CommonUserPassword)

Sets the user password for the shared user credential. When PASSWORD is set to

* (asterisk), the password is read from the console. This option is only valid when

/cun (CommonUserName) option is specified.











OPTIONS SPECIFIC TO SOURCE INITIATED SUBSCRIPTIONS:



/ica:THUMBPRINTS   (AllowedIssuerCA)

Sets the list of issuer certificate thumbprints, in a comma separated list.



/as:SUBJECTS   (AllowedSubjects)

Comma separated list of strings that specifies the DNS names of non-domain computers

allowed to initiate subscriptions. The names may be specified using wildcards, like

"*.mydomain.com". By default this list is empty.



/ds:SUBJECTS   (DeniedSubjects)

Comma separated list of strings that specifies the DNS names of non-domain computers

not allowed to initiate subscriptions. The names may be specified using wildcards, like

"*.mydomain.com". By default this list is empty.



/adc:SDDL   (AllowedSourceDomainComputers)

A string which specifies which domain computers are allowed or not to initiate

subscriptions, in SDDL format. Default is to allow all domain computers.











EXAMPLES:



Update subscription configuration named sub1 from a new XML file, WsSelRg2.xml.

wecutil ss sub1 /c:%Windir%\system32\WsSelRg2.xml



Update subscription configuration named sub2 with multiple parameters:

wecutil ss sub2 /esa:myComputer /ese /un:uname /up:* /cm:Normal



Update the allowed and denied subject lists for a source initiated subscription:

wecutil ss sub3 /as:"*.private.mydomain.com" /ds:"*.public.mydomain.net,*.mydomain.tv"



Configures Windows Event Collector service to make sure subscription can be created and

sustained through reboots. This includes the following steps:

  1. Enable ForwardedEvents channel if disabled.

  2. Set Windows Event Collector service to delay start (Vista and later only).

  3. Start Windows Event Collector service if not running.



Usage:



wecutil { qc | quick-config } [/OPTION:VALUE]



Options:



You can use either the short (i.e. /q) or long (i.e. /quiet) version of the

option names. Options and their values are case-insensitive.



/q[:VALUE] (Quiet)

VALUE can be true or false. If true, quick-config will not prompt for confirmation.

The default value of this option is false.



Example:



wecutil qc

Failed to configure Windows Event Collector service properly. Please try again later.%0

Type the password for %1!s!:%0

Warning: Configuration mode for the subscription is not Custom. Delivery properties are not

customizable for such mode. As a result, Delivery node from the provided configuration file

will be ignored.

Configuration mode for the subscription is not Custom. Property %1!s! can't be set for this mode.

The service startup mode will be changed to Delay-Start. Would you like to proceed ( %c- yes or %c- no)?%0

Y%0

N%0

Windows Event Collector service was configured successfully.

VS_VERSION_INFO

CompanyName: Microsoft Corporation

FileDescription: Event Collector Command Line Utility

FileVersion: 10.0.20348.1 (WinBuild.160101.0800)

InternalName: WECUTIL.EXE

LegalCopyright: © Microsoft Corporation. All rights reserved.

OriginalFilename: WECUTIL.EXE.MUI

ProductName: Microsoft® Windows® Operating System

ProductVersion: 10.0.20348.1