Find a specific user's events in Windows Security Logs

Searching for events in the Windows Security log is difficult because so many events are recorded in a short time.

To overcome this, use “Filter Current Log” in the Action menu. However, the options in the filter window are not enough if you want to filter Security events by user. (The User option in the filter window is useless for our purpose.)

So what can we do?

We can use the XML tab of the “Filter Current Log” window:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[EventData[Data[@Name='TargetUserName']='admtest']]
    </Select>
  </Query>
</QueryList>

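NOTE: Replace admtest with your username.

To also restrict the results to a single event ID (4624, successful logon, in this example), add a System condition: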

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID='4624')]
     and
     EventData[Data[@Name='TargetUserName']='admtest']
     ] 
    </Select>
  </Query>
</QueryList>
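
The same query can be run from PowerShell with Get-WinEvent, which is useful when the results need to be exported or reviewed outside Event Viewer. This is an added example, not part of the original post; the variable names and the choice of output columns are assumptions, and the EventData field names are those of event 4624.

```powershell
# Added example: run the XML filter shown above from an elevated PowerShell session.
# $UserName and $EventId are illustrative values; change them as needed.
$UserName = 'admtest'
$EventId  = 4624

# The value is placed inside a single-quoted XPath literal, so refuse quotes
# or XML metacharacters instead of building a malformed query.
if ($UserName -match "['`"<>&]") {
    throw "User name contains characters that cannot be used in the query."
}

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='$EventId')]
        and
        EventData[Data[@Name='TargetUserName']='$UserName']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent reports an error when nothing matches; that is expected
# for a user with no events of this ID in the log.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 |
    ForEach-Object {
        # Turn the EventData name/value pairs into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    } |
    Format-Table -AutoSize
```

Replace Format-Table with Export-Csv to keep the results for later review.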
