How to filter the Security Log using XML for the following data

Tags: process, query, windows-event-log, xml

A manager has asked me to log the start and stop times and dates when a user launches a particular program (Starcraft II). I have enabled logging on the user's machine so that it will report all process creation and termination. (Windows Logs -> Security)

I am unable to filter the logs to show "only" the process creation and termination of the specified programs.

The Process Creation information is as follows.

NewProcessId 0xc10 
  NewProcessName C:\Program Files (x86)\StarCraft II\StarCraft II.exe 
  TokenElevationType %%1936 
  ProcessId 0xa70 

NewProcessId 0xf18 
  NewProcessName C:\Program Files (x86)\StarCraft II\Support\SC2Switcher.exe 
  TokenElevationType %%1936 
  ProcessId 0xc10 

NewProcessId 0x1a0c 
  NewProcessName C:\Program Files (x86)\StarCraft II\Versions\Base16605\SC2.exe 
  TokenElevationType %%1936 
  ProcessId 0xf18 

The Process Termination uses the same ProcessId info.

What XML Query will yield "only" the logs in question?

This is all on a Windows 7 environment.

Best Answer

If you're not averse to a bit of PowerShell, give this a go. It will drop a CSV file you can play with in Excel in the current directory.

Get-EventLog Security -ComputerName RemotePC | ?{$_.Message -ilike '*StarCraft*'} | Export-Csv SecurityLog.csv

You can also add extra conditions like so:

Get-EventLog Security -ComputerName RemotePC | ?{$_.Message -ilike '*StarCraft*' -or $_.Message -ilike '*Something Else*'} | Export-Csv SecurityLog.csv
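An added worked example, not part of the question or the answer above, showing how the XML side of this can be done together with the start/stop pairing the manager asked for. It uses the Security log of the local machine and the StarCraft II install path from the question. Two assumptions are built in and labelled in the code: that both the "Process Creation" (4688) and "Process Termination" (4689) audit subcategories are enabled, and that the Versions\Base16605 folder name changes between patches, so SC2.exe is matched by path prefix rather than exact path. The reason the prefix match is done in PowerShell rather than in the XML is that the event-log XPath subset accepts only equality comparisons on Data fields, not contains() or starts-with(). The script name, the variable names and the output file name are my own.

```powershell
# Added example (not the poster's or answerer's code). Assumes local Security log,
# Windows 7 / PowerShell 2.0 or later, and that these two audit subcategories are on:
#   auditpol /get /subcategory:"Process Creation"
#   auditpol /get /subcategory:"Process Termination"

# Path from the question. Assumption: the SC2.exe version folder changes with patches,
# so everything under this prefix is treated as "the game".
$Prefix = 'C:\Program Files (x86)\StarCraft II\'

# Event Viewer-compatible XML filter (Filter Current Log -> XML tab).
# Only 4688/4689 are selected here; the XPath subset has no contains()/starts-with(),
# so an XML-only filter can pin exact paths at best, e.g.
#   *[System[(EventID=4688 or EventID=4689)]]
#   and *[EventData[Data[@Name='NewProcessName']='C:\Program Files (x86)\StarCraft II\StarCraft II.exe'
#                 or Data[@Name='ProcessName']='C:\Program Files (x86)\StarCraft II\StarCraft II.exe']]
# which would miss SC2.exe once the version folder changes. Prefix matching is done below.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688 or EventID=4689)]]</Select>
  </Query>
</QueryList>
"@

# Read EventData by field name instead of positional Properties[], which differ
# between 4688 (NewProcessId/NewProcessName) and 4689 (ProcessId/ProcessName).
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Oldest first, so a termination is always seen after its matching creation.
$events = Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated

$open = @{}   # NewProcessId (hex string) -> start record for game processes still running
$rows = foreach ($e in $events) {
    $d = Get-EventDataMap $e
    if ($e.Id -eq 4688) {
        if ($d['NewProcessName'] -like "$Prefix*") {
            $open[$d['NewProcessId']] = @{
                Time = $e.TimeCreated
                Name = $d['NewProcessName']
                User = $d['SubjectUserName']
            }
        }
    }
    elseif ($e.Id -eq 4689) {
        # 4689 ProcessId is the same value that 4688 logged as NewProcessId.
        $procId = $d['ProcessId']
        if ($open.ContainsKey($procId)) {
            $s = $open[$procId]
            New-Object PSObject -Property @{
                User     = $s.User
                Process  = $s.Name
                Start    = $s.Time
                Stop     = $e.TimeCreated
                Duration = $e.TimeCreated - $s.Time
            }
            # PIDs are reused, so drop the entry once the process has ended.
            $open.Remove($procId)
        }
    }
}

$rows | Select-Object User, Process, Start, Stop, Duration |
        Export-Csv StarCraftSessions.csv -NoTypeInformation

# Processes created but not yet terminated (still running, or the 4689 was not audited)
$open.Values | ForEach-Object { "Still open: $($_.Name) started $($_.Time)" }
```

Run it in an elevated prompt, since the Security log is not readable by standard users. If the CSV comes out empty, check the two auditpol lines first: enabling "Audit process tracking" in the legacy policy covers both subcategories on Windows 7, but a granular auditpol setting can leave Process Termination off, in which case every launch shows up under "Still open". For the remote-machine case in the answer above, add -ComputerName to Get-WinEvent the same way.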