The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Digging Through Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum

Posted by jpluimers on 2021/08/31

This helped me big time finding failed logon attempts: [WayBack] Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum

Alternatively, you can use the XPath query mechanism included in the Windows 7 event viewer. In the event viewer, select “Filter Current Log…”, choose the XML tab, tick “Edit query manually”, then copy the following to the textbox:

Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='TargetUserName'] = 'USERNAME']]</Select>
  </Query>
</QueryList>

This selects all events from the Security log with EventID 4624 where the EventData contains a Data node with a Name value of TargetUserName that is equal to USERNAME. Remember to replace USERNAME with the name of the user you’re looking for.

If you need to be even more specific, you can use additional XPath querying – have a look at the detail view of an event and select the XML view to see the data that you are querying into.

Thanks user Hamstro!
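
The same XPath filter can also be run from PowerShell with `Get-WinEvent -FilterXPath`. The following is an added example, not code from the original post or the forum thread; the function name `Get-UserLogonEvent` and its parameters are assumptions. It goes beyond the single 4624 query by also selecting 4625 (failed logon) and 4634 (logoff), and it assumes an elevated session, since reading the Security log requires one.

```powershell
# Added example: query Security-log logon/logoff events for one account via XPath.
function Get-UserLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # 4624 = successful logon, 4625 = failed logon, 4634 = logoff
        [int[]] $EventId = @(4624, 4625, 4634),
        [int] $MaxEvents = 200,
        [string] $ComputerName
    )

    # The name is spliced into an XPath string literal, so refuse quote
    # characters instead of building a filter that means something else.
    if ($UserName -match "['`"]") {
        throw "UserName must not contain quote characters."
    }

    $idFilter = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($idFilter)] and " +
             "EventData[Data[@Name='TargetUserName']='$UserName']]"

    $params = @{ LogName = 'Security'; FilterXPath = $xpath
                 MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    try { $events = Get-WinEvent @params }
    catch {
        # Get-WinEvent reports "no matches" as an error; treat it as empty.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Turn the <EventData><Data Name="..."> nodes into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']   # empty for 4634 (logoff)
        }
    }
}

# USERNAME is the same placeholder as in the query above.
Get-UserLogonEvent -UserName 'USERNAME' | Format-Table -AutoSize
```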

–jeroen
