thanks that is interesting, i could see a keystore in C:\ProgramData\Elastic\Beats\winlogbeat\data and C:\Program Files\Elastic\Beats\7.12.0\winlogbeat\data both with todays date although program files was a later time
Although despite running
winlogbeat.exe" -c "C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml" keystore create -E keystore.path= C:\ProgramData\Elastic\Beats\winlogbeat\data
it was the program files that ended up updating
As a test i have copied the keystore from program files and copied to programdata and winlogbeat started.
Do you know if it is possible to supply the keystore add with the password as part of the command?