Windows Server
Active Directory
- Active Directory Domain Services (AD DS)
- Group Policies
Windows Clients
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows XP
- MS Office
- Outlook
Virtualization
- VMWare
- Hyper-V
- KVM
PowerShell
Exchange
Cloud
Linux
- CentOS
- RHEL
- Ubuntu

Home
About

Windows Server
Active Directory
- Active Directory Domain Services (AD DS)
- Group Policies
Windows Clients
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows XP
- MS Office
- Outlook
Virtualization
- VMWare
- Hyper-V
- KVM
PowerShell
Exchange
Cloud
Linux
- CentOS
- RHEL
- Ubuntu

Windows OS Hub / Windows Server 2008 R2 / How to Filter Event Logs by Username in Windows 2008 and higher

November 17, 2016 Windows Server 2008 R2 Windows Server 2012

How to Filter Event Logs by Username in Windows 2008 and higher

In Windows Server 2003 or Windows XP, you could easily filter the events in the system Event Log Viewer by a specific user account if you enter the desired username in the User field of the log filter. But in Windows Server 2008 / Windows 7, this simple way of finding events related to the specific user does not work.

In Windows Server 2008, there is no User field in the standard presentation of the event log. Let’s try to add it using View -> Add/Remove Columns menu option.

Now the User column has appeared in the log presentation, but the name of the user who initiated an event is not displayed in this column. We can see N/A instead. The information about the account is now contained in the description of the event itself (in the values of Security ID and Account Name in this example). How to filter the events in the log now?

To filter the events by the username (or any other event attributes) in Windows Server 2008 or higher, you can use manual modification of XML queries (XPath).

Note. Earlier using XPath to find specific events in the log was considered in the article Running a Scheduled Task after another

So, open the log you need in the Event View (in our case, it is the Security log) and select Filter Current Log… in the context menu.

Go to the XML tab and check Edit query manually.

Copy and paste the following code that allows to select all events of the specific user in the log (replace username with the account name you need).

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">* [EventData[Data[@Name='subjectUsername']='username']]</Select>
</Query>
</QueryList>

Save the changes in the filter and look at the log. Only events related to the account you specified should stay in the log.

If you need, for example, to additionally filter the events for a user and Event ID 4624 (An account was successfully logged on) and 4625 (An account failed to log on.), the XPath filter will look like this:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
<Select Path="Security">* [EventData[Data[@Name='subjectUsername']='username']]</Select>
</Query>
</QueryList>

1 comment

0

1 comment

Sobraj March 30, 2018 - 12:40 pm

XML query line 3: replace ‘subjectUsername’ with ‘TargetUsername’

Reply

Leave a Comment Cancel Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Current ye@r *

Leave this field empty

ad

Facebook
Twitter
RSS

How to Filter Event Logs by Username in Windows 2008 and higher

Using FSRM on Windows File Server to Prevent Ransomware

Recovering Encrypted Files from VSS Snapshot after Ransomware Infection

Related Reading

1 comment

Leave a Comment Cancel Reply