The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,225 other subscribers

Digging Through Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum

Posted by jpluimers on 2021/08/31

This helped me big time finding failed logon attempts: [WayBack] Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum

Alternatively, you can use the XPath query mechanism included in the Windows 7 event viewer. In the event viewer, select “Filter Current Log…”, choose the XML tab, tick “Edit query manually”, then copy the following to the textbox:

  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='TargetUserName'] = 'USERNAME']]</Select>

This selects all events from the Security log with EventID 4624 where the EventData contains a Data node with a Name value of TargetUserName that is equal to USERNAME. Remember to replace USERNAME with the name of the user you’re looking for.

If you need to be even more specific, you can use additional XPath querying – have a look at the detail view of an event and select the XML view to see the data that you are querying into.

Thanks user Hamstro!




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: