Advanced XML filtering in the Windows Event Viewer

To find logon events (EventID 4624) for a specific user in a saved Security log, open Windows PowerShell as a privileged user and run:

# Here-string holding the same XML query Event Viewer's "Filter Current Log > XML" tab accepts.
# Both Path attributes point at the saved .evtx file; for a live log use the channel name, e.g. Path="Security".
$query = @"
<QueryList>
  <Query Id="0" Path="file://E:\TMP\Security_22.evtx">
    <Select Path="file://E:\TMP\Security_22.evtx">
      *[EventData[Data[@Name='SubjectUserName']='username']]
      and
      *[System[(EventID='4624')]]
    </Select>
  </Query>
</QueryList>
"@
# Note: in a 4624 record SubjectUserName is the account that requested the logon;
# the account that actually logged on is in Data[@Name='TargetUserName'].
# Run the query against the saved log and keep the first 10 matching records.
$event = Get-WinEvent -FilterXml $query | Select-Object -First 10
# Show every property of the matched records in a sortable grid.
$event | Select-Object * | Out-GridView
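The query above is hard-coded for one user, one event ID and one file. The following function, added here as an example and not code from the original post, builds the same kind of XML query from parameters, so the filter can be reused across logs. It generalises the page's filter in three ways: it accepts a list of event IDs (4624 and 4625 by default, so successful and failed logons come back together), an optional time window expressed with the XPath `timediff` function, and a `<Suppress>` clause that drops SYSTEM and service (logon type 5) entries, which otherwise dominate a Security log. It matches on `TargetUserName`, the account that actually logged on. The file path, account name and the field selection in the usage block are placeholders.

```powershell
# Added example (not from the original post). Builds an Event Viewer XML query
# for a saved .evtx file. $EvtxPath and $UserName are placeholders.
function New-LogonQueryXml {
    param(
        [Parameter(Mandatory)] [string] $EvtxPath,
        [Parameter(Mandatory)] [string] $UserName,
        [int[]] $EventId = @(4624, 4625),
        [int] $LastHours = 0
    )
    # The account name is spliced into an XPath string literal. Event Viewer's XPath
    # offers no escape for quote characters, so reject them instead of trying.
    if ($UserName -match "['""]") { throw "UserName may not contain quote characters." }

    # (EventID=4624 or EventID=4625)
    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '

    # timediff(@SystemTime) is milliseconds between now and the record's timestamp,
    # so the window is always relative to the time the query runs.
    $timeClause = ''
    if ($LastHours -gt 0) {
        $ms = $LastHours * 3600000
        $timeClause = " and TimeCreated[timediff(@SystemTime) <= $ms]"
    }

    $path = "file://$EvtxPath"
@"
<QueryList>
  <Query Id="0" Path="$path">
    <Select Path="$path">
      *[System[($idClause)$timeClause]]
      and
      *[EventData[Data[@Name='TargetUserName']='$UserName']]
    </Select>
    <Suppress Path="$path">
      *[EventData[Data[@Name='TargetUserName']='SYSTEM' or Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
"@
}

# Usage: last 24 hours of logon activity for one account in the saved log.
$xml = New-LogonQueryXml -EvtxPath 'E:\TMP\Security_22.evtx' -UserName 'jdoe' -LastHours 24

# Pull the EventData fields by name rather than by positional index, since the
# index of LogonType differs between 4624 and 4625 records.
Get-WinEvent -FilterXml $xml -ErrorAction Stop | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The generated XML can be pasted unchanged into Event Viewer's XML filter tab, which is a quick way to check a filter before scripting it. `-ErrorAction Stop` is deliberate: `Get-WinEvent` reports an XPath that matches nothing as a non-terminating error, and without it a typo in the account name silently produces an empty result.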
