Removal of certain event logs within a Windows OS
- Open a PowerShell window, launch Event Viewer, and build an XML query to use. You may want to do this on another system instead of the target.
PS C:> eventvwr-
Create a filter on the log you want to alter. Note: In the below example, we are querying for all events, except event ID 4625, that have triggered in the last 7 days.
-
Click the XML tab and copy the text circled in red.
-
Paste the text from the above step in Notepad and make the below change. Note: If not doing the example, use the link at the bottom of the screen to alter the comparison operator accordingly.
# Current
[System[TimeCreated[timediff(@SystemTime) <= 604800000
# What it needs to change to
[System[TimeCreated[timediff(@SystemTime) <= 604800000-
Get a System level Powershell window
-
Copy the changed data from step 4
-
Dot source and run Invoke-GhostLog, using the changed data from step 4 as the filter
PS C:> . .\Invoke-GhostLog
PS C:> Invoke-GhostLog -log Security -filter "[System[TimeCreated[timediff(@SystemTime) <= 604800000"- Check out the event logs and notice the specified logs are gone.
https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/06/understanding-xml-and-xpath/