CAPI2 events are logged to Applications and Services Logs\Microsoft\Windows\CAPI2\Operational.

However, CAPI2 logging is disabled by default for performance reasons.

To enable CAPI2 Operational logging:

wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true

To clear the log so we only get the latest CAPI2 events (optional):

wevtutil.exe cl Microsoft-Windows-CAPI2/Operational

To restart the KDC service so that CAPI2 events generated by the KDC service are captured:

net stop kdc & net start kdc

To save the log to a file using the .elf format:

wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.elf

Once you have the saved log in .elf format, convert it to XML format:


wevtutil qe <exported .elf file> /lf:True /f:xml
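
As an added example (not part of the original page), the following Python reads the XML that the last command prints and keeps only the failing events, which goes one step past the collection procedure above. The sample events are constructed, and the `<Result value="...">` payload layout is an assumption based on that sample.

```python
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample (not real log data): two rootless <Event> elements, the
# shape "wevtutil qe ... /f:xml" prints when no /e:<root> option is given.
SAMPLE = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-CAPI2"/><EventID>11</EventID><Level>2</Level>
<TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>
<Execution ProcessID="612" ThreadID="700"/></System>
<UserData><CertGetCertificateChain><Result value="800B0109"/>
</CertGetCertificateChain></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-CAPI2"/><EventID>30</EventID><Level>4</Level>
<TimeCreated SystemTime="2024-01-01T10:00:01.000Z"/>
<Execution ProcessID="612" ThreadID="700"/></System>
<UserData><CertVerifyCertificateChainPolicy><Result value="0"/>
</CertVerifyCertificateChainPolicy></UserData></Event>
"""

def parse_events(xml_text):
    """Return one dict per event from a rootless stream of <Event> elements."""
    # The stream has no single root element, so wrap it before parsing.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.iter(EVT + "Event"):
        system = ev.find(EVT + "System")
        user_data = ev.find(EVT + "UserData")
        payload = user_data[0] if user_data is not None and len(user_data) else None
        # Assumption: the payload carries <Result value="..."> as in SAMPLE.
        result = None if payload is None else next(
            (el.get("value") for el in payload.iter()
             if el.tag.rsplit("}", 1)[-1] == "Result"), None)
        events.append({
            "event_id": int(system.findtext(EVT + "EventID")),
            "level": int(system.findtext(EVT + "Level")),
            "time": system.find(EVT + "TimeCreated").get("SystemTime"),
            "pid": int(system.find(EVT + "Execution").get("ProcessID")),
            "operation": payload.tag.rsplit("}", 1)[-1] if payload is not None else None,
            "result": result,
        })
    return events

def failures(events):
    """Keep Critical (1), Error (2) and Warning (3) events."""
    return [e for e in events if e["level"] in (1, 2, 3)]
```

To use it on a real export, redirect the output of the `wevtutil qe` command to a file and pass that file's text to `parse_events`.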