Wednesday, March 27, 2013

Filter Security Event Logs by User in Windows 2008 & Windows 7

If you are like me, you probably miss being able to easily filter your security event logs by a specific user like we did in previous versions of Microsoft Windows. Well, it is still possible in Windows 2008 and Windows 7. You just need to use the XML filter option. When you are in the security event logs, click on "Filter Current Log..." from the actions pane. Click the XML tab of the window that opens, and check the box next to "Edit query manually".

 

If you want to see all events in the security event log for a specific user, then you need to use an XML filter like this. (Make sure to replace <username> with the username that you want to show logs for.)

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">* [EventData[Data[@Name='subjectUsername']='<username>']]</Select>
</Query>
</QueryList>

If you only want to see the successful and failed logon events for a specific user, than you could modify it to look like this.

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
<Select Path="Security">* [EventData[Data[@Name='subjectUsername']='<username>']]</Select>
</Query>
</QueryList>