Using Wevtutil to capture and view the CAPI2 Operational log
CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI2\Operational.
However, CAPI2 logging is off by default for performance reasons.
To enable CAPI2 Operational logging:
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
To clear the log so we only get the latest CAPI2 events (optional):
wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
To restart the KDC service so that the CAPI2 events it generates are captured:
net stop kdc & net start kdc
To save the log to file using the .elf format:
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.elf
Once you have the saved log in .elf format, convert it to XML format:
wevtutil qe <exported .elf file> /lf:True /f:xml
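To triage the XML produced by the last command, the sketch below is an added example, not part of the original page. wevtutil qe prints the <Event> elements back to back unless a root element is requested with /e:, so the parser wraps them before reading the standard System fields; the sample events and the assumption that the outcome sits in a Result element's value attribute are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
_EV = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"

# Constructed sample, not real log data: two events back to back with no
# enclosing root element. The UserData bodies are simplified.
SAMPLE = (
    _EV + "<System><Provider Name='Microsoft-Windows-CAPI2'/>"
    "<EventID>11</EventID><Level>4</Level>"
    "<TimeCreated SystemTime='2024-01-01T10:00:00.000Z'/></System>"
    "<UserData><CertGetCertificateChain><Result value='0'/>"
    "</CertGetCertificateChain></UserData></Event>"
    + _EV + "<System><Provider Name='Microsoft-Windows-CAPI2'/>"
    "<EventID>41</EventID><Level>2</Level>"
    "<TimeCreated SystemTime='2024-01-01T10:00:01.000Z'/></System>"
    "<UserData><CertVerifyRevocation><Result value='80092013'/>"
    "</CertVerifyRevocation></UserData></Event>"
)


def _local(tag):
    # Drop the '{namespace}' prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]


def parse_events(text):
    """Parse rootless wevtutil XML output into a list of dicts."""
    # A synthetic root makes the fragment stream well-formed; strip any BOM.
    root = ET.fromstring("<Events>" + text.lstrip("\ufeff") + "</Events>")
    rows = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = ev.find("e:UserData", NS)
        nodes = list(data.iter())[1:] if data is not None else []
        # Assumption: the outcome sits in a <Result value="..."> element.
        result = next((n.get("value") for n in nodes if _local(n.tag) == "Result"), None)
        rows.append({
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "level": int(system.findtext("e:Level", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "operation": _local(nodes[0].tag) if nodes else None,
            "result": result,
        })
    return rows


def errors(rows):
    """Keep Critical (1) and Error (2) events; Level follows the event schema."""
    return [r for r in rows if r["level"] in (1, 2)]
```

Redirect the wevtutil qe output to a file and pass its contents to parse_events; errors() then leaves only the failed operations to review.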