Filtering Windows Events by User Account

In Windows, you can filter events in the event logs based on specific criteria, such as the user account associated with an event. This can be particularly useful for security and auditing purposes. Below are examples of XML queries that filter Windows events by user account using XPath expressions.

Example 1: Filter Successful Logon Events (Event ID 4624) by User Account

This example demonstrates how to filter successful logon events (Event ID 4624) in the Security event log for a specific user account, in this case, “john.doe.”

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='LogonType']='2']
        and
        EventData[Data[@Name='TargetUserName']='john.doe']
        and
        System[(EventID='4624')]
      ] 
    </Select>
  </Query>
</QueryList>

In this query:

  • Path="Security" specifies that we are searching in the Security event log.
  • EventData[Data[@Name='LogonType']='2'] filters events where the Logon Type is ‘2’, an interactive logon at the machine's own console (local keyboard and screen). Remote Desktop sessions are recorded as type 10 (RemoteInteractive) and unlocks of a locked session as type 7, so change or drop this predicate if you want those as well.
  • EventData[Data[@Name='TargetUserName']='john.doe'] filters events where the TargetUserName is ‘john.doe.’ The comparison is an exact string match on the account name alone; if a local account and a domain account share that name, add EventData[Data[@Name='TargetDomainName']='CONTOSO'] (with your domain in place of the placeholder CONTOSO) to tell them apart.
  • System[(EventID='4624')] further filters events to include only those with Event ID 4624, which corresponds to a successful logon event.

Example 2: Filter Events by User Account

This example demonstrates how to filter events in the Security event log for any occurrence of a specific user account, “john.doe.”

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='TargetUserName']='john.doe']
      ] 
    </Select>
  </Query>
</QueryList>

In this query:

  • Path="Security" specifies that we are searching in the Security event log.
  • EventData[Data[@Name='TargetUserName']='john.doe'] filters events where the TargetUserName is ‘john.doe,’ irrespective of the event type. That covers every event in which the account is the target of the action (logons 4624/4625, logoffs 4634, account management such as 4720 and 4724), but not events in which the account is the actor, which record it under SubjectUserName instead (4672, special privileges assigned to a new logon, has only Subject fields). To see everything the account touched, combine the two predicates with or.

Replace “john.doe” with the account you want to filter on. The XML can be pasted into the XML tab of Event Viewer's Filter Current Log dialog, passed to Get-WinEvent -FilterXml in PowerShell, or its inner XPath expression handed to wevtutil qe Security /q:"...". Reading the Security log requires administrator rights or membership in the Event Log Readers group.
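The following PowerShell is an added example, not code from the original article: it builds the same XPath filter shown in Examples 1 and 2 for any account and runs it through Get-WinEvent, then extracts the named EventData fields from each record. The function and parameter names (New-UserEventQuery, Get-UserSecurityEvent, -Domain, -EventId, -LogonType, -MaxEvents) and the domain name CONTOSO are this example's own assumptions, not anything the article or Windows defines.

```powershell
# Added example (not from the original article). Builds the article's XPath
# filter for any account and runs it with Get-WinEvent. Function and parameter
# names are this example's own choices. Run from an elevated PowerShell prompt.

function New-UserEventQuery {
    param(
        [Parameter(Mandatory)][string]$User,   # TargetUserName to match, exact string
        [string]$Domain,                       # optional TargetDomainName to match
        [int[]]$EventId,                       # empty = any event ID (article's Example 2)
        [int]$LogonType                        # 0 = do not filter on LogonType
    )
    # The Event Log XPath dialect has no string escaping, so refuse names that
    # would break out of the quoted literal instead of trying to escape them.
    if ("$User$Domain" -match "['`"]") {
        throw "Account names may not contain quote characters."
    }
    # Each predicate is one clause of the article's query; they are joined
    # with 'and' exactly as in Example 1.
    $clauses = @("EventData[Data[@Name='TargetUserName']='$User']")
    if ($Domain)    { $clauses += "EventData[Data[@Name='TargetDomainName']='$Domain']" }
    if ($LogonType) { $clauses += "EventData[Data[@Name='LogonType']='$LogonType']" }
    if ($EventId) {
        # Several IDs become System[(EventID=4624 or EventID=4625)]
        $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
        $clauses += "System[($ids)]"
    }
    $xpath = '*[' + ($clauses -join ' and ') + ']'
    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
}

function Get-UserSecurityEvent {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Domain,
        [int[]]$EventId = @(4624),
        [int]$LogonType = 2,
        [int]$MaxEvents = 100
    )
    $query = New-UserEventQuery -User $User -Domain $Domain -EventId $EventId -LogonType $LogonType
    # -FilterXml takes the same <QueryList> document that Event Viewer's
    # Filter Current Log > XML tab shows. The filter is evaluated inside the
    # Event Log service, so only matching records are returned.
    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read the named EventData fields from the record's XML rather than
        # parsing the rendered message, which depends on locale and templates.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            LogonType   = $fields['LogonType']
            Target      = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            Subject     = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
            SourceIp    = $fields['IpAddress']
            Process     = $fields['ProcessName']
        }
      }
}

# Article's Example 1: console (type 2) logons for john.doe, scoped to one domain.
Get-UserSecurityEvent -User 'john.doe' -Domain 'CONTOSO' | Format-Table -AutoSize

# Article's Example 2: every Security event naming john.doe as the target.
Get-UserSecurityEvent -User 'john.doe' -EventId @() -LogonType 0 | Format-Table -AutoSize

# The generated XML, for pasting into Event Viewer or into a task-scheduler event trigger:
New-UserEventQuery -User 'john.doe' -EventId 4624, 4625 -LogonType 0
```

The query is built from predicates rather than pasted as a fixed string so that the domain, logon type and event IDs can be switched on and off independently; the quote check matters because the Event Log XPath subset offers no way to escape a quote inside a string literal, so an account name containing one can only be rejected. Pulling TargetDomainName and SubjectUserName out of every record also makes it obvious when a hit is a different account with the same name, or when the account appears only as the actor of the event.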
