How to filter the Windows Security event log by SID?

powershell windows-event-log powershell-v3.0

6,044

Solution 1

Use the -FilterXPath option instead!

In the following example, I've saved all events from the Security log on my machine to seclog.evtx on the Desktop and search for events with SubjectUserSid S-1-5-18 (LOCAL SYSTEM):

$events = Get-WinEvent -Path "$HOME\Desktop\seclog.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'

In a script, I would probably opt for a splatting table to make the statement a bit more readable (here limited to the last 10 events):

$seclogSplat = @{
    'Path'        = "$HOME\Desktop\seclog.evtx"
    'FilterXPath' = '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'
    'MaxEvents'   = 10
}
$events = Get-WinEvent @seclogSplat

You can specify multiple non-exclusive criteria with or:

*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18" or Data[@Name="SubjectUserSid"] = "S-1-0-0"]]

Solution 2

I don't know of any built in way to find out if a specific UserID exists.
However, you can just match the content of the message to find your SiD, as it should be unique:

$events = get-winevent -logname security -path "Archive-Security-2015-04-14-02-13-02-299.evtx" | where {$_.message -match 'S-1-5-21-220523388-838170752-839522115-yyyy'}

There are also some cleaner ways using XML filtering.
But personally I haven't had a need for them yet, and content matching the message has been sufficient so far.

6,044

Old Geezer

Don't shoot the messenger. An expert, or teacher, is a person who, after reading your question, knows what you know, what you don't know, what you are trying to know, and what else you need to know in order to achieve what you are trying to know.

Updated on September 18, 2022

Comments

Old Geezer over 1 year
I want to filter the event log for a certain user, but I don't think there's an option to search by SAMID. There is a filter by UserId though, according to here. Is the following correct syntax correct to search the user in the screen shot below?
```
$events = get-winevent -filterhashtable 
  @{ logname='security'; path="Archive-Security-2015-04-14-02-13-02-299.evtx";
  UserId='S-1-5-21-220523388-838170752-839522115-yyyy' }
```
I get "No events were found that match the specified selection criteria." with the above command. But if I remove the UserId key, a long list is returned, so there should be nothing wrong with logname or path.
- Reaces about 9 years
  
  Correct me if I'm wrong, but I thought the id paramater under the hashtable filter is actually the event id?
- Old Geezer about 9 years
  
  Thanks for pointing it out. I pasted the command from a wrong attempt. I have updated the question. I used UserId='....'
Old Geezer about 9 years

That's what I did for further post processing to get my report. But I prefer filtering before piping, as, as your linked article says, it's a greater than 100X difference in performance. The said id exists, as the GUI event viewer shows. What I am uncertain is the syntax or whether UserId key refers to this SID field.
Old Geezer about 9 years

Thanks. How do I specify a saved log file and the logname with the FilterXPath option?
Mathias R. Jessen about 9 years

@OldGeezer Sorry, didn't notice it was a Saved log file. Just use the -Path parameter, answer updated
Old Geezer about 9 years

Thanks. It works. One more question if you don't mind: what's the syntax for logical OR in that *[.[ [..]..].] thingy?
Mathias R. Jessen about 9 years

or (lowercase)
Old Geezer about 9 years

I found out that with this method I could also filter by SubjectserName, which is more user friendly than the SID.