New request -- get-winevent: get all log generated by a specific user

  • #171319


    If I try to find when the user abc.cd logged on to my computer,
    I will do a log query as follows.
    Get-WinEvent -FilterHashtable @{logname='security';data='abc.cd';id=4624}

    If I want to know when software was installed on the computer,
    I will do a log query as follows.
    Get-WinEvent -FilterHashtable @{logname='application';id=11707}

    But it does not work with a user ID as follows.
    Get-WinEvent -FilterHashtable @{logname='application';id=11707;data='abc.cd'}

    What I want is to collect all logs caused by the user abc.cd by using Get-WinEvent, like when he installs new software, starts a service, starts a scheduled task...

    Expected cmdlet:
    Get-WinEvent -FilterHashtable @{logname=alllog;user='abc.cd'}

    Sorry, I posted this request in PowerShell UserVoice and the PowerShell GitHub repo at the same time. I really need someone to help on this case; I need to figure out who is doing shit on my computer.

  • #172063

    Get-WinEvent -LogName "security" -MaxEvents 100 | where {$_.message -like "*abc.cd*"}
    

    You will need to search the other logs; the names match up with Event Viewer (security, application, etc.). Also, I set MaxEvents to 100 for speed.
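An added example, not part of either post above: one way to collect a single account's events across every log, using the `UserID` key that `-FilterHashtable` accepts and falling back to the `Data` key for the Security log, where audit events such as 4624 typically carry the account name in their event data instead. The account name is the one from the question; the 7-day window and the variable names are assumptions.

```powershell
# Added example. Run from an elevated prompt so the Security log is readable.
$Account = 'abc.cd'                  # account from the question; use DOMAIN\user if needed
$Since   = (Get-Date).AddDays(-7)    # assumed time window, adjust as required

# The UserID filter key matches the account recorded in the event header (a SID),
# so resolve the account name to its SID first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Enumerate every enabled log that actually contains records. Querying one log
# at a time avoids the limit on how many logs a single query may name.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 -and $_.LogName -ne 'Security' }

$byUserId = foreach ($log in $logs) {
    # "No events were found" is reported as an error; suppress it per log.
    Get-WinEvent -FilterHashtable @{
        LogName   = $log.LogName
        UserID    = $sid
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

# Security log: match the account name against the event data values,
# as in the 4624 query from the question, but without restricting the event ID.
$bySecurityData = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Data      = $Account
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Merge both result sets into one timeline.
@($byUserId) + @($bySecurityData) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName, UserId |
    Format-Table -AutoSize
```

Because the filter is applied by the event log service rather than by `Where-Object`, this does not need a `-MaxEvents` cap for speed. Events whose provider records neither the SID in the header nor the exact account name as a data value will still be missed and need a message-text search like the one in the reply.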
