Powershell – How to filter the Windows Security event log by SID

Tags: powershell, powershell-v3.0, windows-event-log

I want to filter the event log for a certain user, but I don't think there's an option to search by SAMID. There is a filter by UserId though, according to here. Is the following syntax correct to search for the user in the screenshot below?

$events = get-winevent -filterhashtable 
  @{ logname='security'; path="Archive-Security-2015-04-14-02-13-02-299.evtx";
  UserId='S-1-5-21-220523388-838170752-839522115-yyyy' }

[screenshot: Events]

I get "No events were found that match the specified selection criteria." with the above command. But if I remove the UserId key, a long list is returned, so there should be nothing wrong with logname or path.

Best Answer

Use the -FilterXPath option instead!

In the following example, I've saved all events from the Security log on my machine to seclog.evtx on the Desktop and search for events with SubjectUserSid S-1-5-18 (LOCAL SYSTEM):

$events = Get-WinEvent -Path "$HOME\Desktop\seclog.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'

In a script, I would probably opt for a splatting table to make the statement a bit more readable (here limited to the last 10 events):

$seclogSplat = @{
    'Path'        = "$HOME\Desktop\seclog.evtx"
    'FilterXPath' = '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'
    'MaxEvents'   = 10
}
$events = Get-WinEvent @seclogSplat

You can specify multiple non-exclusive criteria with or:

*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18" or Data[@Name="SubjectUserSid"] = "S-1-0-0"]]
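As an added example (not code from the original answer), here is a wrapper around the -FilterXPath approach that builds the expression from one or more SIDs and, because a logon event such as 4624 records the account that logged on in TargetUserSid rather than SubjectUserSid, can match that field as well; the UserId key of -FilterHashtable, by contrast, matches the UserID attribute in the event's System section, which is why the question's query finds nothing. The function and parameter names are my own.

```powershell
# Added example (not from the original post). Builds the FilterXPath from one or
# more SIDs; -IncludeTarget also matches TargetUserSid, which is where logon
# events such as 4624 record the account that logged on.
function Get-SecurityEventBySid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Sid,    # one or more SIDs to match
        [Parameter(Mandatory)] [string]   $Path,   # exported .evtx file
        [int[]]  $EventId,                         # optional EventID restriction
        [switch] $IncludeTarget,                   # also match TargetUserSid
        [int]    $MaxEvents = 100
    )

    # Only well-formed SIDs go into the XPath string.
    foreach ($s in $Sid) {
        if ($s -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $s" }
    }

    $fields = @('SubjectUserSid')
    if ($IncludeTarget) { $fields += 'TargetUserSid' }

    # One Data[...] clause per (field, SID) pair, joined with "or" as in the answer.
    $dataClauses = foreach ($f in $fields) {
        foreach ($s in $Sid) { "Data[@Name=""$f""] = ""$s""" }
    }
    $predicates = @()
    if ($EventId) {
        $idClauses = foreach ($id in $EventId) { "EventID=$id" }
        $predicates += 'System[(' + ($idClauses -join ' or ') + ')]'
    }
    $predicates += 'EventData[' + ($dataClauses -join ' or ') + ']'
    $xpath = '*[' + ($predicates -join ' and ') + ']'

    # SilentlyContinue: no matches yields nothing rather than the "No events were found" error.
    $events = Get-WinEvent -Path $Path -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Pull the two SID fields out of each event's XML so the result is easy to review.
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ TimeCreated = $e.TimeCreated; Id = $e.Id
                           SubjectUserSid = $data['SubjectUserSid']; TargetUserSid = $data['TargetUserSid'] }
    }
}

# Usage (replace the SID with the user's): logon successes and failures involving that account.
# Get-SecurityEventBySid -Sid 'S-1-5-21-...' -Path "$HOME\Desktop\seclog.evtx" -EventId 4624,4625 -IncludeTarget
```

Run with -Verbose to see nothing extra; the built XPath is the same shape as the answer's, with `System[(EventID=... or ...)] and` prepended when -EventId is given.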