Find a Specific User's Events in Windows Security Logs

Searching for events in the Windows Security log is difficult because so many events are written in a short time.

To overcome this, use “Filter Current Log” in the Action menu. However, the options in the filter window are not enough if you want to filter Security log events by user. (The User option in the filter window is useless for this purpose.)

So what can we do?

We can use the XML tab of the “Filter Current Log” window:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[EventData[Data[@Name='TargetUserName']='admtest']]
    </Select>
  </Query>
</QueryList>

If you want to find a user's events for a specific event ID (for example, logons), you can use the query below:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID='4624')]
     and
     EventData[Data[@Name='TargetUserName']='admtest']
     ] 
    </Select>
  </Query>
</QueryList>

Source: https://serverfault.com/questions/571732/filtering-security-logs-by-user-and-logon-type
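
The same XML filter can be run from PowerShell with `Get-WinEvent -FilterXml`, which is easier to repeat than pasting into Event Viewer. The following is an added example, not code from the original post or its source; the function names are hypothetical, and the optional `LogonType` condition goes beyond the two queries shown above.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Reading the Security log needs administrative rights or Event Log Readers membership.
function New-UserEventQuery {
    param([Parameter(Mandatory)][string]$UserName, [int[]]$EventId, [int]$LogonType)
    # Reject characters (notably quotes) that would break the XPath string literal.
    if ($UserName -notmatch '^[\w.$@ -]+$') {
        throw "Unsupported character in user name: $UserName"
    }
    $parts = @("EventData[Data[@Name='TargetUserName']='$UserName']")
    if ($PSBoundParameters.ContainsKey('LogonType')) {
        $parts += "EventData[Data[@Name='LogonType']='$LogonType']"
    }
    if ($EventId) {
        $ids = ($EventId | ForEach-Object { "EventID='$_'" }) -join ' or '
        $parts += "System[($ids)]"
    }
    $xpath = $parts -join ' and '
    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[$xpath]</Select>
  </Query>
</QueryList>
"@
}

function Get-UserSecurityEvent {
    param([Parameter(Mandatory)][string]$UserName, [int[]]$EventId, [int]$LogonType)
    $query = [xml](New-UserEventQuery @PSBoundParameters)
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $fields = @{}
        # Flatten the named <Data> elements of EventData into a lookup table.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            EventId     = $evt.Id
            User        = $fields['TargetUserName']
            Domain      = $fields['TargetDomainName']
            LogonType   = $fields['LogonType']
            SourceIp    = $fields['IpAddress']
        }
    }
}

# Logon events (4624) for the page's sample account, Remote Desktop logons only.
Get-UserSecurityEvent -UserName 'admtest' -EventId 4624 -LogonType 10 | Format-Table
```

Calling `New-UserEventQuery` on its own prints the XML, which can be pasted into the XML tab of the filter window.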
