Ok onto learning more about the wevtutil. I have been playing with it early this morning and this is what i have so far. Trying to filter events caused by a particular provider (VSS in this case). The evtx file gets created but is empty. Something is probaly wrong with my query. Any clues?
wevtutil.exe epl System C:\temp\VSSLog.evtx /q:“*[System[Provider[@Name=’VSS’]]] ” /ow:true