New request -- get-winevent: get all log generated by a specific user

    • #171319

      If I try to find when the user abc.cd logged on to my computer,
      I will do a log query as follows.
      Get-WinEvent -FilterHashtable @{logname='security';data='abc.cd';id=4624}

      If I want to know when a software was installed on the computer,
      I will do a log query as follows.
      Get-WinEvent -FilterHashtable @{logname='application';id=11707}

      But it does not work with a user ID, as follows.
      Get-WinEvent -FilterHashtable @{logname='application';id=11707;data='abc.cd'}

      What I want is to collect all logs that were caused by the user abc.cd by using Get-WinEvent, like when he installs new software, starts a service, or starts a scheduled task.

      expected cmdlet:
      Get-WinEvent -FilterHashtable @{logname=alllog;user='abc.cd'}

      Sorry, I posted this request in PowerShell UserVoice and the PowerShell GitHub repo at the same time. I really need someone to help on this case; I need to figure out who is doing shit on my computer.

    • #172063
      Get-WinEvent -LogName "security" -MaxEvents 100 | where {$_.message -like "*abc.cd*"}
      

      You will need to search the other logs; the names match up with Event Viewer (security, application, etc.). Also, I set MaxEvents to 100 for speed.
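
An added example, not part of either post above: one way to approximate the per-user query the thread asks for, by combining the `UserID` key of `-FilterHashtable` (which matches the SID recorded in an event's System/Security element) with an XPath filter on the Security log, where the account name sits in the event data instead. The account name `abc.cd` comes from the thread; the 7-day window and the variable names are assumptions.

```powershell
# Added example. Run elevated: reading the Security log requires administrator rights.
$account = 'abc.cd'                      # account name from the thread
$since   = (Get-Date).AddDays(-7)        # assumed look-back window

# Resolve the account to its SID; the UserID filter key is matched against the SID
# stored in each event's System/Security element.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1) All enabled admin/operational logs: events logged in the user's security context
#    (for example MsiInstaller entries written during that user's installs).
$byUserId = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 -and
                   $_.LogType -in 'Administrative', 'Operational' } |
    ForEach-Object {
        Get-WinEvent -FilterHashtable @{
            LogName   = $_.LogName
            UserID    = $sid
            StartTime = $since
        } -ErrorAction SilentlyContinue   # "no events found" is expected for most logs
    }

# 2) Security log: audit events usually have no UserID, so match the account in
#    EventData (SubjectUserName = who acted, TargetUserName = who logged on / was changed).
$ms    = [int64]((Get-Date) - $since).TotalMilliseconds
$xpath = "*[System[TimeCreated[timediff(@SystemTime) <= $ms]] and " +
         "EventData[Data[@Name='SubjectUserName']='$account' or " +
         "Data[@Name='TargetUserName']='$account']]"
$byData = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Merge both result sets into one timeline, oldest first.
@($byUserId) + @($byData) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

Both filters run inside the event log service, so this avoids pulling every record through `Where-Object`. Events that a service writes on the user's behalf under SYSTEM carry neither the user's SID nor a matching data field and will not appear.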
