Drive Error


Wednesday, March 27, 2013

Filter Security Event Logs by User in Windows 2008 & Windows 7

Posted on 7:42 PM by Unknown
If you are like me, you probably miss being able to easily filter your security event logs by a specific user like we did in previous versions of Microsoft Windows. Well, it is still possible in Windows 2008 and Windows 7. You just need to use the XML filter option. When you are in the security event logs, click on "Filter Current Log..." from the actions pane. Click the XML tab of the window that opens, and check the box next to "Edit query manually".

 

If you want to see all events in the security event log for a specific user, then you need to use an XML filter like this. (Make sure to replace <username> with the username that you want to show logs for.) The filter matches on the SubjectUserName field, so it returns the events that record that account as the subject, meaning the account that performed the action.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='<username>']]</Select>
  </Query>
</QueryList>

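If you only want to see the successful and failed logon events for a specific user, then you could modify it to look like this. Both conditions go in a single Select joined with "and": separate Select elements in one Query are combined as a union, which would return every logon event plus every event for the user. In events 4624 and 4625 the account that is logging on is recorded in TargetUserName; SubjectUserName in those events is the account that requested the logon, not the user logging on.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='TargetUserName']='<username>']]</Select>
  </Query>
</QueryList>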
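The same per-user logon filter can be run from PowerShell and turned into a readable table. This is an added example, not code from the original post: the function name Get-UserLogonEvent and the sample user 'jdoe' are assumptions, it matches on TargetUserName (the account logging on in events 4624 and 4625) with both conditions in one Select, and it assumes PowerShell 2.0 or later in an elevated session.

```powershell
# Added example; Get-UserLogonEvent is a hypothetical helper name.
# Run from an elevated session: reading the Security log requires it.
function Get-UserLogonEvent {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [int]$MaxEvents = 200
    )

    # XPath 1.0 string literals have no escape syntax, so refuse quotes
    # instead of letting them change the meaning of the filter.
    if ($UserName -match '[''"]') { throw 'User name must not contain quotes.' }
    $name = [System.Security.SecurityElement]::Escape($UserName)  # XML-escape & < >

    # One Select with both conditions joined by "and". TargetUserName is the
    # account logging on in events 4624 (success) and 4625 (failure).
    [xml]$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='TargetUserName']='$name']]</Select>
  </Query>
</QueryList>
"@

    try {
        $events = Get-WinEvent -FilterXml $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no matches" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Flatten the <EventData><Data Name="..."> pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }

        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            Result      = $result
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        } | Select-Object TimeCreated, Result, User, LogonType, SourceIp, Workstation
    }
}

Get-UserLogonEvent -UserName 'jdoe' | Format-Table -AutoSize   # 'jdoe' is a sample name
```

A run of Failure rows from one SourceIp followed by a Success row is the pattern worth a closer look when reviewing an account.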
 
 