How to filter the Windows Security event log by SID?

6,044

Solution 1

Use the -FilterXPath option instead!

In the following example, I've saved all events from the Security log on my machine to seclog.evtx on the Desktop and search for events with SubjectUserSid S-1-5-18 (LOCAL SYSTEM):

$events = Get-WinEvent -Path "$HOME\Desktop\seclog.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'

In a script, I would probably opt for a splatting table to make the statement a bit more readable (here limited to the last 10 events):

$seclogSplat = @{
    'Path'        = "$HOME\Desktop\seclog.evtx"
    'FilterXPath' = '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'
    'MaxEvents'   = 10
}
$events = Get-WinEvent @seclogSplat

You can specify multiple non-exclusive criteria with or:

*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18" or Data[@Name="SubjectUserSid"] = "S-1-0-0"]]

Solution 2

I don't know of any built in way to find out if a specific UserID exists.
However, you can just match the content of the message to find your SiD, as it should be unique:

$events = get-winevent -logname security -path "Archive-Security-2015-04-14-02-13-02-299.evtx" | where {$_.message -match 'S-1-5-21-220523388-838170752-839522115-yyyy'}

There are also some cleaner ways using XML filtering.
But personally I haven't had a need for them yet, and content matching the message has been sufficient so far.

Share:
6,044

Related videos on Youtube

Old Geezer
Author by

Old Geezer

Don't shoot the messenger. An expert, or teacher, is a person who, after reading your question, knows what you know, what you don't know, what you are trying to know, and what else you need to know in order to achieve what you are trying to know.

Updated on September 18, 2022

Comments

  • Old Geezer
    Old Geezer over 1 year

    I want to filter the event log for a certain user, but I don't think there's an option to search by SAMID. There is a filter by UserId though, according to here. Is the following correct syntax correct to search the user in the screen shot below?

    $events = get-winevent -filterhashtable 
      @{ logname='security'; path="Archive-Security-2015-04-14-02-13-02-299.evtx";
      UserId='S-1-5-21-220523388-838170752-839522115-yyyy' }
    

    Events

    I get "No events were found that match the specified selection criteria." with the above command. But if I remove the UserId key, a long list is returned, so there should be nothing wrong with logname or path.

    • Reaces
      Reaces about 9 years
      Correct me if I'm wrong, but I thought the id paramater under the hashtable filter is actually the event id?
    • Old Geezer
      Old Geezer about 9 years
      Thanks for pointing it out. I pasted the command from a wrong attempt. I have updated the question. I used UserId='....'
  • Old Geezer
    Old Geezer about 9 years
    That's what I did for further post processing to get my report. But I prefer filtering before piping, as, as your linked article says, it's a greater than 100X difference in performance. The said id exists, as the GUI event viewer shows. What I am uncertain is the syntax or whether UserId key refers to this SID field.
  • Old Geezer
    Old Geezer about 9 years
    Thanks. How do I specify a saved log file and the logname with the FilterXPath option?
  • Mathias R. Jessen
    Mathias R. Jessen about 9 years
    @OldGeezer Sorry, didn't notice it was a Saved log file. Just use the -Path parameter, answer updated
  • Old Geezer
    Old Geezer about 9 years
    Thanks. It works. One more question if you don't mind: what's the syntax for logical OR in that *[.[ [..]..].] thingy?
  • Mathias R. Jessen
    Mathias R. Jessen about 9 years
    or (lowercase)
  • Old Geezer
    Old Geezer about 9 years
    I found out that with this method I could also filter by SubjectserName, which is more user friendly than the SID.