WEVTUtil export certain event

Question

I want to export only event id 4624 from Security

Code below exports all event from security (i want only 4624);

WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"

When all 4624 events exported i want filter only events with:

<Data Name='LogonProcessName'>User32 </Data>

This will be RDP logs with IP, because logs in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" dont have IP (only username) :( I heard this is because RDP connection is TLS secured...

Answer 1

I want to export only Event ID 4624 from Security

WEVTUtil query-events Security /rd:true /format:text > "%~dp0Logins.txt"<EventID>4624</EventID>"

You are using the wrong format for the /q option.

Use the following command line:

wevtutil qe Security "/q:*[System [(EventID=4648)]]" /rd:true /f:text > "%~dp0Logins.txt"

---

How do I restrict the filter to Event ID 4624 containing User32?

When all 4624 events exported I want filter only events with:

<Data Name='LogonProcessName'>User32 </Data>

Use the following command line:

wevtutil qe Security "/q:*[System [(EventID=4648)]]" /rd:true | findstr User32 >nul && wevtutil qe Security "/q:*[System [(EventID=4648)]]" /f:text /rd:true > "%~dp0Logins.txt"

Code based on the following source link.

Source How to use wevtutil command to get event details if it only comply with specific text or word

---

Further Reading

• An A-Z Index of the Windows CMD command line - An excellent reference for all things Windows cmd line related.
• findstr - Search for strings in files.
• wevutil - Windows Events Command Line Utility.