filter logs by username instead of sid


I want to filter some logs for a specific username. In Event Viewer, you can enter the username in the mentioned field and it will filter your logs, but I want to use cmd (wevtutil), so I should use an XML query to filter my logs. But the problem appears here. In an XML query you can only enter the SID of the user you are looking for (in System[Security[@UserID]]). Is it possible somehow to use the username instead of the SID?


Note: In Event Viewer, when you enter the username, it converts the username to a SID and uses the SID in its XML query. I don't have any idea how that happens.

And I should mention one more note here: some people suggested that I use "target username" to filter my logs. But that is not what I'm looking for. "target username" only deals with login logs.


There are 2 answers

0
Compo On BEST ANSWER

You could just use the UserName to retrieve their SID for use in your wevtutil command.

From the Command Prompt:

For /F %G In ('%SystemRoot%\System32\wbem\WMIC.exe UserAccount Where "Name='KnownUserName'" Get SID 2^>NUL ^| %SystemRoot%\System32\find.exe "-"') Do @%SystemRoot%\System32\wevtutil.exe CommandLineOptions

You'd simply replace KnownUserName and CommandLineOptions, and substitute their SID with %G.

Or from a batch file:

@For /F %%G In ('%SystemRoot%\System32\wbem\WMIC.exe UserAccount Where
 "Name='KnownUserName'" Get SID 2^>NUL ^| %SystemRoot%\System32\find.exe "-"'
) Do @%SystemRoot%\System32\wevtutil.exe CommandLineOptions

Obviously you'd replace KnownUserName and CommandLineOptions again, and substitute their SID this time with %%G.

0
M. Killingsworth On

I hope this helps everyone because I had the same problem. To query events related to a specific user. Below, Jsmith will be our specific user in question. You want to use either TargetUserName or SubjectUserName.

wevtutil qe security /q:"*[EventData/Data[@Name='TargetUserName']='Jsmith']"

OR

wevtutil qe security /q:"*[EventData/Data[@Name='SubjectUserName']='Jsmith']"
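
The name-to-SID lookup from the first answer and the two EventData queries from the second, combined in PowerShell without WMIC. This is an added example, not code from either answer; the function names, the `-By` parameter and the sample account `Jsmith` are assumptions made for illustration.

```powershell
# Added example. Function names and parameters are hypothetical helpers.
function Resolve-UserSid {
    param([Parameter(Mandatory)][string]$UserName)   # 'name' or 'DOMAIN\name'
    try {
        # Same translation Event Viewer performs: account name -> SID string
        $account = [System.Security.Principal.NTAccount]::new($UserName)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "No account named '$UserName' could be resolved to a SID."
    }
}

function Get-UserEventQuery {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('Sid', 'Subject', 'Target')][string]$By = 'Sid'
    )
    # The EventData fields hold the bare account name, without the domain part
    $short = ($UserName -split '\\')[-1]
    # Reject quotes so the name cannot terminate the XPath string literal
    if ($short -match "['""]") { throw 'Quote characters are not allowed in the user name.' }
    switch ($By) {
        'Sid'     { "*[System[Security[@UserID='$(Resolve-UserSid $UserName)']]]" }
        'Subject' { "*[EventData/Data[@Name='SubjectUserName']='$short']" }
        'Target'  { "*[EventData/Data[@Name='TargetUserName']='$short']" }
    }
}

function Find-UserEvents {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$LogName = 'System',
        [string]$By = 'Sid',
        [int]$Count = 10
    )
    $query = Get-UserEventQuery -UserName $UserName -By $By
    Write-Verbose "wevtutil query: $query"
    # Newest events first, text output, limited to $Count records
    & "$env:SystemRoot\System32\wevtutil.exe" qe $LogName "/q:$query" /f:text /rd:true "/c:$Count"
}

# Sample calls (constructed values); reading the Security log needs an elevated prompt:
#   Find-UserEvents -UserName 'Jsmith' -LogName 'System' -By Sid
#   Find-UserEvents -UserName 'Jsmith' -LogName 'Security' -By Target
```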