Posted on November 17, 2016 · Posted in Windows Server 2008 R2, Windows Server 2012

How to Filter Event Logs by Username in Windows 2008 and higher

In Windows Server 2003 or Windows XP, you could easily filter the events in the system Event Viewer by a specific user account by entering the desired username in the User field of the log filter. But in Windows Server 2008 / Windows 7, this simple way of finding events related to a specific user does not work.

filter event log in Windows 2003

In Windows Server 2008, there is no User field in the standard presentation of the event log. Let’s try to add it using the View -> Add/Remove Columns menu option.

Add Remove Columns

Now the User column has appeared in the log presentation, but the name of the user who initiated an event is not displayed in this column. We see N/A instead. The information about the account is now contained in the description of the event itself (in the values of Security ID and Account Name in this example). How do you filter the events in the log now?

user field in the event viewer

To filter the events by username (or any other event attribute) in Windows Server 2008 or higher, you can manually edit the filter's XML query (XPath).

Note. Earlier using XPath to find specific events in the log was considered in the article Running a Scheduled Task after another 

So, open the log you need in the Event Viewer (in our case, it is the Security log) and select Filter Current Log… in the context menu.

Go to the XML tab and check Edit query manually.

Edit XML query for event filter

Copy and paste the following code, which selects all events of a specific user in the log (replace username with the account name you need).

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='username']]</Select>
  </Query>
</QueryList>

xpath filter: select events by username

Save the changes in the filter and look at the log. Only events related to the account you specified should stay in the log.

filtered security log

If you need, for example, to additionally filter the events for a user by Event ID 4624 (An account was successfully logged on) and 4625 (An account failed to log on), the XPath filter will look like this:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='SubjectUserName']='username']]</Select>
  </Query>
</QueryList>
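
The same user-plus-event-ID filter run from an elevated PowerShell session with Get-WinEvent, as an added example that is not part of the original article. The function name Get-UserLogonEvent and the sample account jsmith are assumptions; the query also matches TargetUserName, because in 4624 and 4625 events that field holds the account that logged on or failed to log on, while SubjectUserName holds the account that requested the logon.

```powershell
# Added example, not from the original article.
# Get-UserLogonEvent and the account 'jsmith' are hypothetical names.
function Get-UserLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [int[]]$EventId = @(4624, 4625),
        [int]$MaxEvents = 100
    )

    # The Event Log XPath subset cannot escape a quote inside a string
    # literal, so accept only a conservative set of account-name characters.
    if ($UserName -notmatch '^[A-Za-z0-9._$-]+$') {
        throw "Unsupported characters in user name: $UserName"
    }

    $idTest = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '

    # A single expression joined with "and": both conditions must hold for
    # the same event. Data names are case-sensitive.
    $xpath = "*[System[($idTest)] and EventData[" +
             "Data[@Name='SubjectUserName']='$UserName' or " +
             "Data[@Name='TargetUserName']='$UserName']]"

    try {
        $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no matching events" as an error; treat it as empty.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Flatten the named <Data> elements of the event into a hashtable.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | Where-Object Name |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated     = $e.TimeCreated
            EventId         = $e.Id
            SubjectUserName = $data['SubjectUserName']
            TargetUserName  = $data['TargetUserName']
            LogonType       = $data['LogonType']
        }
    }
}

Get-UserLogonEvent -UserName 'jsmith' | Format-Table -AutoSize
```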
