New request -- get-winevent: get all log generated by a specific user

tlsalex · August 17, 2019, 10:13pm

If I try to find when the user abc.cd logon to my computer.
I will do a log query as follow.
Get-WinEvent -FilterHashtable @{logname=‘security’;data=‘abc.cd’;id=4624}

If I want to know when a software was install on computer.
I will do a log query as follow.
Get-WinEvent -FilterHashtable @{logname=‘application’;id=11707}

but It does not work with a user ID as follow.
Get-WinEvent -FilterHashtable @{logname=‘application’;id=11707;data=‘abc.cd’}

What I do I want is collectting all logs that caused by the user abc.cd by using get-winevent , like he installs a new software , he starts a service ,he starts a scheduled task …

expected cmdlet:
Get-WinEvent -FilterHashtable @{logname=alllog;user=‘abc.cd’}

Sorry , I post this request in powershell user voice and powershell github repo at the same time, I really need some one help on this case ,I need to figure out who is doing shit on my computer

p0wd3r · August 21, 2019, 5:12pm

Get-WinEvent -LogName "security" -MaxEvents 100 | where {$_.message -like "*abc.cd*"}

You will need to search the other logs, the name match up with event viewer (security, application, etc…), also I set MaxEvents to 100 for speed.

Topic		Replies	Views
Event Log Filtering for Event ID and Date PowerShell Help	1	228	June 24, 2022
Powershell Script PowerShell Help	3	161	November 7, 2018
Trying grab user names from 4740 event ID PowerShell Help	1	179	May 10, 2017
Specific event to monitor and save. PowerShell Help	4	181	December 8, 2020
Get-WinEvent filterhashtable AND path? PowerShell Help	2	182	May 15, 2016

New request -- get-winevent: get all log generated by a specific user

Related Topics