CAPI2 events are logged to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational.

However, CAPI2 logging is off by default for performance reasons.


To enable CAPI2 Operational logging:

wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true

To clear the log so we only get the latest CAPI2 events (optional):

wevtutil.exe cl Microsoft-Windows-CAPI2/Operational


To restart the KDC service to capture CAPI events generated by the KDC service:

net stop kdc & net start kdc


To save the log to file using the .elf format:

wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.elf

Once you have the saved log in .elf format, you need to convert it to XML format:

wevtutil qe <exported .elf file> /lf:True /f:xml
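
An added example, not part of the original page: Python that reads the XML text produced by the last command and lists the CAPI2 events that recorded a failure. wevtutil writes `<Event>` elements back to back with no enclosing root, so the text is wrapped in one before parsing. The sample events, the `urn:example:capi2` namespace and the reliance on a `Result` element are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample shaped like `wevtutil qe ... /f:xml` output. The UserData
# namespace, timestamps and Result text are placeholders, not captured data.
SAMPLE = """\
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<EventID>11</EventID><Level>4</Level><TimeCreated SystemTime='2024-01-01T10:00:00Z'/>
</System><UserData><CertGetCertificateChain xmlns='urn:example:capi2'/></UserData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<EventID>30</EventID><Level>2</Level><TimeCreated SystemTime='2024-01-01T10:00:01Z'/>
</System><UserData><CertVerifyCertificateChainPolicy xmlns='urn:example:capi2'>
<Result value='800B0109'>untrusted root (constructed text)</Result>
</CertVerifyCertificateChainPolicy></UserData></Event>
"""

def parse_events(text):
    """Wrap the rootless <Event> stream in one root element so it parses."""
    root = ET.fromstring("<Events>" + text.lstrip("\ufeff") + "</Events>")
    return root.findall("e:Event", NS)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def failures(events):
    """Return (time, event_id, task, result_code, message) for failed calls."""
    rows = []
    for ev in events:
        system = ev.find("e:System", NS)
        event_id = int(system.findtext("e:EventID", namespaces=NS))
        level = int(system.findtext("e:Level", default="4", namespaces=NS))
        when = system.find("e:TimeCreated", NS).get("SystemTime")
        user_data = ev.find("e:UserData", NS)
        has_task = user_data is not None and len(user_data) > 0
        task = local(user_data[0].tag) if has_task else ""
        # Assumption: a failed call carries <Result value="hex HRESULT">text</Result>.
        results = [el for el in ev.iter() if local(el.tag) == "Result"]
        if level in (1, 2) or results:  # 1 = Critical, 2 = Error
            code = results[0].get("value", "") if results else ""
            msg = (results[0].text or "").strip() if results else ""
            rows.append((when, event_id, task, code, msg))
    return rows

if __name__ == "__main__":
    for row in failures(parse_events(SAMPLE)):
        print(*row, sep="\t")
```

To run it against a real export, pass the text saved from the `wevtutil qe` command to `parse_events` in place of `SAMPLE`.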