Windows OS Hub

November 17, 2016 | Windows Server 2008 R2, Windows Server 2012

How to Filter Event Logs by Username in Windows 2008 and higher

In Windows Server 2003 or Windows XP, you could easily filter the events in the system Event Viewer by a specific user account by entering the desired username in the User field of the log filter. But in Windows Server 2008 / Windows 7, this simple way of finding events related to a specific user does not work.


In Windows Server 2008, there is no User field in the standard presentation of the event log. Let’s try to add it using the View -> Add/Remove Columns menu option.


Now the User column appears in the log presentation, but it does not show the name of the user who initiated an event: we see N/A instead. The information about the account is now contained in the description of the event itself (in the values of Security ID and Account Name in this example). So how do we filter the events in the log now?


To filter the events by username (or any other event attribute) in Windows Server 2008 or higher, you can manually edit the filter's XML query (XPath).

Note. Using XPath to find specific events in the log was covered earlier in the article Running a Scheduled Task after another

So, open the log you need in the Event Viewer (in our case, it is the Security log) and select Filter Current Log… in the context menu.

Go to the XML tab and check Edit query manually.


Copy and paste the following code, which selects all events of a specific user in the log (replace username with the account name you need).

<QueryList>
  <Query Id="0" Path="Security">
    <!-- Data names are case-sensitive: the field is SubjectUserName -->
    <Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='username']]</Select>
  </Query>
</QueryList>


Save the changes in the filter and look at the log. Only events related to the account you specified should remain in the view.

If you also need to restrict the results to specific events for that user, for example Event ID 4624 (An account was successfully logged on) and 4625 (An account failed to log on), the XPath filter will look like this:

<QueryList>
  <Query Id="0" Path="Security">
    <!-- One Select joined with "and": separate Select elements are ORed together -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='SubjectUserName']='username']]</Select>
  </Query>
</QueryList>
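
The same filter can be run from PowerShell with Get-WinEvent -FilterXPath. The following is an added example, not part of the original article: the function name Get-UserLogonEvent and its parameters are hypothetical, and it goes beyond the query above by matching the name in either SubjectUserName or TargetUserName, since in events 4624 and 4625 the account that logged on is recorded in TargetUserName.

```powershell
# Added example (not from the original article). Run in an elevated session:
# reading the Security log requires administrative rights.
function Get-UserLogonEvent {
    param(
        [Parameter(Mandatory)][string]$UserName,   # account name without the domain part
        [int[]]$EventId = @(4624, 4625),           # logon success / logon failure
        [int]$MaxEvents = 200
    )

    # XPath 1.0 string literals have no escape syntax, so reject quote
    # characters instead of splicing them into the filter.
    if ($UserName -match "['""]") {
        throw "User name must not contain quote characters."
    }

    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '

    # A single predicate joined with 'and': both conditions must hold for an event.
    $xpath = "*[System[($idClause)] and EventData[" +
             "Data[@Name='SubjectUserName']='$UserName' or " +
             "Data[@Name='TargetUserName']='$UserName']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object {
            # Turn the <EventData><Data Name="..."> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Subject     = $data['SubjectUserName']
                Target      = $data['TargetUserName']
                LogonType   = $data['LogonType']
                SourceIp    = $data['IpAddress']
            }
        }
}

# 'username' is a placeholder, as in the queries above.
Get-UserLogonEvent -UserName 'username' | Format-Table -AutoSize
```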


1 comment

Sobraj March 30, 2018 - 12:40 pm

XML query line 3: replace ‘subjectUsername’ with ‘TargetUsername’
