0

I want to filter some logs for specific username. In event viewer, you can enter username in the mentioned field and it will filter your logs. but I want to use cmd ( wevtutil ) , so I should use xml query to filter my logs. But the problem appears here . In xml query you can only enter sid of the user you are looking for ( in system[security[@Userid]]] ). Is it possible somehow to use username instead of sid?

1 2

notes: In event viewer, when you enter the username , it convert the username to sid and use the sid in its xml query. I don't have any idea how does it occur.

And I should mention a note here that is : Some people suggest me to use "target username" to filter my logs. But it is not what I'm looking for. "target username" only deals with login logs.

john pridogov
  • 3
  • 1
  • 3

1 Answers1

0

You could just use the UserName to retrieve their SID for use in your wevtutil command.

From the Command Prompt, ():

For /F %G In ('%SystemRoot%\System32\wbem\WMIC.exe UserAccount Where "Name='KnownUserName'" Get SID 2^>NUL ^| %SystemRoot%\System32\find.exe "-"') Do @%SystemRoot\System32\wevtutil.exe CommandLineOptions

You'd simply replace KnownUserName and CommandLineOptions, and substitute their SID with %G.

Or from a :

@For /F %%G In ('%SystemRoot%\System32\wbem\WMIC.exe UserAccount Where
 "Name='KnownUserName'" Get SID 2^>NUL ^| %SystemRoot%\System32\find.exe "-"'
) Do @%SystemRoot\System32\wevtutil.exe CommandLineOptions

Obviously you'd replace KnownUserName and CommandLineOptions again, and substitute their SID this time with %%G.

Compo
  • 36,585
  • 5
  • 27
  • 39