Windows OS Hub

November 17, 2016 | Windows Server 2008 R2, Windows Server 2012

How to Filter Event Logs by Username in Windows 2008 and higher

In Windows Server 2003 or Windows XP, you could easily filter events in the Event Viewer by a specific user account by entering the desired username in the User field of the log filter. In Windows Server 2008 / Windows 7, this simple way of finding events related to a specific user no longer works.

filter event log in Windows 2003

In Windows Server 2008, there is no User field in the standard presentation of the event log. Let’s try to add it using the View -> Add/Remove Columns menu option.

Add Remove Columns

Now the User column appears in the log presentation, but it does not show the name of the user who initiated an event; it shows N/A instead. The account information is now contained in the description of the event itself (in the values of Security ID and Account Name in this example). So how do you filter the events in the log now?

user field in the event viewer

To filter the events by username (or any other event attribute) in Windows Server 2008 or higher, you can manually edit the filter's XML query (XPath).

Note. Earlier using XPath to find specific events in the log was considered in the article Running a Scheduled Task after another 

So, open the log you need in the Event Viewer (in our case, it is the Security log) and select Filter Current Log… in the context menu.

Go to the XML tab and check Edit query manually.

Edit XML query for event filter

Copy and paste the following query, which selects all events in the log for a specific user (replace username with the account name you need).

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='username']]</Select>
</Query>
</QueryList>

xpath filter: select events by username

Save the changes in the filter and look at the log. Only events related to the account you specified should remain displayed.

filtered security log
If you also need to narrow the results to specific Event IDs, for example 4624 (An account was successfully logged on) and 4625 (An account failed to log on), put both conditions into a single Select element and join them with and. Separate Select elements inside one Query are combined as a union, so two of them would return every 4624/4625 event plus every event for the user. The XPath filter will look like this:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='SubjectUserName']='username']]</Select>
</Query>
</QueryList>
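
The same kind of filter can be run from PowerShell with Get-WinEvent -FilterXPath. This is an added example, not code from the original article; the function name Get-UserSecurityEvent is hypothetical. It goes slightly beyond the article's query by matching the account in either SubjectUserName or TargetUserName, because logon events 4624/4625 record the account that logged on in TargetUserName.

```powershell
# Added example, not from the original article. Run in an elevated session
# (reading the Security log requires administrative rights).
function Get-UserSecurityEvent {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$UserName,   # account name without the domain part
        [int[]]$EventId = @(4624, 4625),
        [int]$MaxEvents = 200
    )
    # The name is placed inside a single-quoted XPath literal, so refuse quote characters.
    if ($UserName -match "['`"]") { throw 'UserName must not contain quote characters.' }

    $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    # System[...] and EventData[...] inside one predicate: both conditions must hold.
    $xpath = "*[System[($ids)] and EventData[Data[@Name='SubjectUserName']='$UserName' " +
             "or Data[@Name='TargetUserName']='$UserName']]"
    try {
        $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # An empty result is reported as an error; anything else (e.g. access denied) is re-thrown.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    foreach ($evt in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $evt.TimeCreated
            EventId         = $evt.Id
            SubjectUserName = $data['SubjectUserName']
            TargetUserName  = $data['TargetUserName']
            LogonType       = $data['LogonType']    # empty for events without this field
            IpAddress       = $data['IpAddress']
        }
    }
}

# 'username' is the article's placeholder; replace it with the account to review.
Get-UserSecurityEvent -UserName 'username' | Format-Table -AutoSize
```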


1 comment

Sobraj March 30, 2018 - 12:40 pm

XML query line 3: replace ‘subjectUsername’ with ‘TargetUsername’


@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins

