WEVTUtil export certain event
10,338
I want to export only Event ID 4624 from Security
WEVTUtil query-events Security /rd:true /format:text > "%~dp0Logins.txt"<EventID>4624</EventID>"
You are using the wrong format for the /q option.
Use the following command line:
wevtutil qe Security "/q:*[System [(EventID=4648)]]" /rd:true /f:text > "%~dp0Logins.txt"
How do I restrict the filter to Event ID 4624 containing User32?
When all 4624 events exported I want filter only events with:
<Data Name='LogonProcessName'>User32 </Data>
Use the following command line:
wevtutil qe Security "/q:*[System [(EventID=4648)]]" /rd:true | findstr User32 >nul && wevtutil qe Security "/q:*[System [(EventID=4648)]]" /f:text /rd:true > "%~dp0Logins.txt"
Code based on the following source link.
Source How to use wevtutil command to get event details if it only comply with specific text or word
Further Reading
- An A-Z Index of the Windows CMD command line - An excellent reference for all things Windows cmd line related.
- findstr - Search for strings in files.
- wevutil - Windows Events Command Line Utility.
Author by
acid magic
Updated on June 07, 2022Comments
-
acid magic about 2 years
I want to export only event id 4624 from Security
Code below exports all event from security (i want only 4624);
WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"When all 4624 events exported i want filter only events with:
<Data Name='LogonProcessName'>User32 </Data>This will be RDP logs with IP, because logs in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" dont have IP (only username) :( I heard this is because RDP connection is TLS secured...