
Event Viewer – Filtering user events for forensics and audits

This article was originally published for and could be located at Event Viewer – Filtering user events for forensics and audits

Let’s say you are tracking down a particular user, or trying to find out which users logged on to a shared Windows workstation within a given time window. Sounds downright easy with Event Viewer, right? Create a custom view, or filter the current view of the Windows Logs\Security log, type the account name into the User: textbox, and you should be done. But it does not work, and it is not supposed to work that way by design: the User: field filters on the account an event was logged under, not the account the event is about.


Fig: 1

When Event Viewer generates the query for the filter we created, it resolves the name typed into User: to that account’s SID and compares it with the UserID attribute of the event’s System/Security element. For the audit events in the Security log that element carries no UserID at all (it shows up as an empty <Security /> in the event XML), so nothing matches and the filter returns 0 events.


Fig: 2

Why did it return 0 events? It is fine that the user name typed into the User: textbox was converted to a SID, but shouldn’t the query then have listed the activities of that user? If you go to Windows Logs\Security without any filter, you will find that there are in fact many events logged for the account name you want to filter on (shown as Account Name: in the event description; ma is the user name in the sample).


Fig: 3

Pick one of those events and click Details to see it in XML or Friendly view: ma (the user we want to query) appears in the event’s EventData as TargetUserName, and TargetUserSid is the SID associated with ma. Neither value has anything to do with the UserID attribute under System/Security that the generated filter is testing.


Fig: 4


Fig: 5

Let’s pause for a moment and think back. If the SID for the user is recorded as TargetUserSid in the event’s EventData, then the query Event Viewer generated in Fig 2 is testing the wrong field: the name-to-SID conversion is fine, but the comparison should be against the TargetUserSid data item instead of System/Security/@UserID.


That is,


  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*[EventData[Data[@Name='TargetUserSid']='S-1-5-21-458116588-1234567890-1874793278-1000']]</Select>
    </Query>
  </QueryList>


instead of


  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*[System[Security[@UserID='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select>
    </Query>
  </QueryList>


Maybe I have misunderstood, maybe I do not understand the Event Viewer terminology. I don’t know. All we expect is that when we type the user we want to filter the logs for into User:, Event Viewer does its own queries and conversions and shows us the logs for that particular user. Since that does not work as expected, how do we actually see the Security logs for a user?


Use the XML below when you create the custom view, or on the XML tab when you filter an existing log. The filter has to look inside EventData rather than System. Two details matter: the Data Name values are case-sensitive in the XPath, so write SubjectUserName and TargetUserName exactly as they appear in the Details view; and for the logon events we looked at above the logged-on account is the TargetUserName (the SubjectUserName is the account that requested the logon, often the machine account or SYSTEM), so match on either field to catch both what the user did and what was done to the user’s account.


  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='ma' or Data[@Name='TargetUserName']='ma']]</Select>
    </Query>
  </QueryList>


If there is an easy way, let me know.
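The same XPath can be run from PowerShell with Get-WinEvent, which is handier than the Event Viewer dialog when you need a time window and a table you can sort or export. The function below is an added example and is not code from the original post; it matches the account whether it appears as SubjectUserName or TargetUserName, restricts the query to a UTC time window, and flattens the EventData items so the relevant fields are visible. The user name 'ma' and the time window in the usage line are assumptions for illustration; reading the Security log needs an elevated session or membership in Event Log Readers.

```powershell
# Added example, not code from the original post: pull one account's Security
# events with Get-WinEvent using the same XPath that works on the XML tab of
# Event Viewer's filter dialog. The account is matched whether it appears as
# SubjectUserName or TargetUserName. The user name 'ma' and the time window in
# the usage line are assumptions for illustration.

function Get-SecurityEventsForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [datetime] $Start        = (Get-Date).AddDays(-1),
        [datetime] $End          = (Get-Date),
        [string]   $ComputerName = $env:COMPUTERNAME
    )

    # The name is spliced into an XPath string literal; refuse anything that
    # could break out of the quotes or the predicate.
    if ($UserName -match "['\[\]]") { throw "Unsupported character in user name filter: $UserName" }

    # TimeCreated/@SystemTime in the event XML is UTC, so convert the window.
    $fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $s = $Start.ToUniversalTime().ToString($fmt)
    $e = $End.ToUniversalTime().ToString($fmt)

    # Data Name values are case-sensitive: SubjectUserName / TargetUserName,
    # exactly as shown in the Details > XML view of the event.
    $xpath = "*[System[TimeCreated[@SystemTime>='$s' and @SystemTime<='$e']]]" +
             " and *[EventData[Data[@Name='SubjectUserName']='$UserName'" +
             " or Data[@Name='TargetUserName']='$UserName']]"

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                           -FilterXPath $xpath -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Flatten the EventData items into a name -> value table.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            Id          = $ev.Id
            Task        = $ev.TaskDisplayName
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            TargetSid   = $d['TargetUserSid']
            LogonType   = $d['LogonType']
            MatchedAs   = $(if ($d['TargetUserName'] -eq $UserName) { 'Target' } else { 'Subject' })
        }
    }
}

# Usage: everything 'ma' did, or had done to the account, in the last 8 hours.
Get-SecurityEventsForUser -UserName 'ma' -Start (Get-Date).AddHours(-8) |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, Task, Subject, Target, LogonType, MatchedAs -AutoSize
```

The MatchedAs column tells you which side of the event the account was on: a 4624 with MatchedAs = Target is the user logging on, while a 4688 or 4672 with MatchedAs = Subject is something the user’s already established session did. If the query returns nothing at all, check the Data Name spelling first; a lowercase subjectUsername silently matches no events.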

Also, below is a table of logon events and logon types explained by their codes. The list below is derived from a SANS poster named SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. I lost the hyperlink to that poster, but a more descriptive list can be found at –


The logon type code is the value carried in the LogonType data item of events 4624, 4625 and 4634.

Logon Type    Description
2             Logon via console (interactive, at the keyboard)
3             Network logon (file share access, authenticated RPC)
4             Batch logon (scheduled task)
5             Windows service logon
7             Credentials used to unlock the screen
8             Network logon sending credentials in cleartext (e.g. IIS basic authentication)
9             Different credentials used than the logged-on user (RunAs /netonly)
10            Remote interactive logon (RDP, Terminal Services, Remote Assistance)
11            Cached credentials used to log on (domain controller not reachable)

Event ID (XP / Win 7)    Description
528 / 4624               Successful logon
529 / 4625               Failed logon
538 / 4634               Successful logoff
540 / 4624               Successful network logon (on Win 7 this is a 4624 with logon type 3)
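Putting the table to work answers the question the post opens with: which accounts logged on to this workstation in a given window, and how. The script below is an added example and not code from the original post; it reads 4624, 4625 and 4634 from the Security log, decodes the logon type with the table above, and keeps the fields an investigator needs to pair a logon with its logoff (TargetLogonId) and to see where it came from (IpAddress, WorkstationName). Only the Vista and later event IDs are handled; the XP-era 528/529/538/540 events have a different layout and are not covered. The seven-day window in the usage lines is an assumption.

```powershell
# Added example, not code from the original post: build a logon timeline for a
# workstation from events 4624 / 4625 / 4634 and decode the LogonType codes from
# the table above. Only Vista+ event IDs are handled. Run in an elevated session.
# The time window in the usage lines is an assumption for illustration.

$LogonTypeName = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (RunAs /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function Get-LogonTimeline {
    [CmdletBinding()]
    param(
        [datetime] $Start = (Get-Date).AddDays(-7),
        [datetime] $End   = (Get-Date),
        [switch]   $ExcludeNoise   # drop machine accounts, NT AUTHORITY and anonymous logons
    )

    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # For all three events the account the logon is about is the Target*,
        # not the Subject* (which is whoever requested the logon).
        $user   = $d['TargetUserName']
        $domain = $d['TargetDomainName']
        if ($ExcludeNoise -and ($user -like '*$' -or $domain -eq 'NT AUTHORITY' -or $user -eq 'ANONYMOUS LOGON')) { continue }

        $lt     = if ($d['LogonType']) { [int]$d['LogonType'] } else { $null }
        $ltName = if ($null -ne $lt -and $LogonTypeName.ContainsKey($lt)) { $LogonTypeName[$lt] } else { "Other ($lt)" }

        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Event       = $(switch ($ev.Id) { 4624 { 'Logon' } 4625 { 'Failed logon' } 4634 { 'Logoff' } })
            Account     = "$domain\$user"
            LogonType   = $lt
            LogonKind   = $ltName
            LogonId     = $d['TargetLogonId']   # pairs a 4624 with its 4634
            Source      = $d['IpAddress']       # '-' or 127.0.0.1 for local logons
            Workstation = $d['WorkstationName']
            Status      = $d['Status']          # NTSTATUS on 4625 (0xC000006D = logon failure)
        }
    }
}

# Usage 1: who logged on at the keyboard, over RDP, by unlocking, or with cached creds?
Get-LogonTimeline -ExcludeNoise |
    Where-Object { $_.Event -eq 'Logon' -and $_.LogonType -in 2, 7, 10, 11 } |
    Sort-Object Time |
    Format-Table Time, Account, LogonKind, Source, LogonId -AutoSize

# Usage 2: first and last successful logon per account in the window.
Get-LogonTimeline -ExcludeNoise |
    Where-Object Event -eq 'Logon' |
    Group-Object Account |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account = $_.Name
            Logons  = $_.Count
            First   = ($sorted | Select-Object -First 1).Time
            Last    = ($sorted | Select-Object -Last 1).Time
        }
    } | Format-Table -AutoSize
```

Filtering on logon types 2, 7, 10 and 11 is what separates a person sitting at (or remoting into) the box from the constant background of type 3 network logons and type 5 service logons, which is why the SANS table is worth keeping next to the event IDs.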


Written by gmaran23

July 4, 2014 at 8:41 pm
