Skip to main content

Updated: April 17, 2012

Applies To: Windows Server 2008, Windows Server 2012, Windows 8

Enables an administrator to create a custom event in a specified event log. For examples of how to use this command, see Examples.

eventcreate [/s <Computer> [/u <Domain\User> [/p <Password>]] {[/l {APPLICATION|SYSTEM}]|[/so <SrcName>]} /t {ERROR|WARNING|INFORMATION|SUCCESSAUDIT|FAILUREAUDIT} /id <EventID> /d <Description>



/s <Computer>

Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.

/u <Domain\User> 

Runs the command with the account permissions of the user specified by <User> or <Domain\User>. The default is the permissions of the current logged on user on the computer issuing the command.

/p <Password> 

Specifies the password of the user account that is specified in the /u parameter.


Specifies the name of the event log where the event will be created. The valid log names are APPLICATION and SYSTEM.

/so <SrcName> 

Specifies the source to use for the event. A valid source can be any string and should represent the application or component that is generating the event.



Specifies the type of event to create. The valid types are ERROR, WARNING, INFORMATION, SUCCESSAUDIT, and FAILUREAUDIT.

/id <EventID> 

Specifies the event ID for the event. A valid ID is any number from 1 to 1000.

/d <Description>

Specifies the description to use for the newly created event.


Displays help at the command prompt.

  • Custom events cannot be written to the security log.


The following examples show how you can use the eventcreate command:

eventcreate /t error /id 100 /l application /d "Create event in application log"
eventcreate /t information /id 1000 /so winmgmt /d "Create event in WinMgmt source"
eventcreate /t error /id 2001 /so winword /l application /d "new src Winword in application log"
eventcreate /s server /t error /id 100 /l application /d "Remote machine without user credentials"
eventcreate /s server /u user /p password /id 100 /t error /l application /d "Remote machine with user credentials"
eventcreate /s server1 /s server2 /u user /p password /id 100 /t error /so winmgmt /d "Creating events on Multiple remote machines"
eventcreate /s server /u user /id 100 /t warning /so winmgmt /d "Remote machine with partial user credentials"