4

I want to filter the event log for a certain user, but I don't think there's an option to search by SAMID. There is a filter by UserId though, according to here. Is the following syntax correct for searching for the user in the screenshot below?

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Path    = "Archive-Security-2015-04-14-02-13-02-299.evtx"
    UserId  = 'S-1-5-21-220523388-838170752-839522115-yyyy'
}

[screenshot: Event Viewer entry, titled "Events"]

I get "No events were found that match the specified selection criteria." with the above command. But if I remove the UserId key, a long list is returned, so there should be nothing wrong with logname or path.

Old Geezer
  • 397
  • 8
  • 25
  • Correct me if I'm wrong, but I thought the `id` parameter under the hashtable filter is actually the `event id`? – Reaces Apr 14 '15 at 11:04
  • Thanks for pointing it out. I pasted the command from a wrong attempt. I have updated the question. I used `UserId`='....' – Old Geezer Apr 14 '15 at 11:10

2 Answers

6

Use the -FilterXPath option instead!

In the following example, I've saved all events from the Security log on my machine to seclog.evtx on the Desktop and search for events with SubjectUserSid S-1-5-18 (LOCAL SYSTEM):

$events = Get-WinEvent -Path "$HOME\Desktop\seclog.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'

In a script, I would probably opt for a splatting table to make the statement a bit more readable (here limited to the last 10 events):

$seclogSplat = @{
    'Path'        = "$HOME\Desktop\seclog.evtx"
    'FilterXPath' = '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18"]]'
    'MaxEvents'   = 10
}
$events = Get-WinEvent @seclogSplat

You can specify multiple non-exclusive criteria with or:

*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-18" or Data[@Name="SubjectUserSid"] = "S-1-0-0"]]

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95
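An added example, not part of Mathias's answer, that applies the same -FilterXPath approach to the situation in the question. It goes a little beyond the answer: the account a Security event is about is usually recorded in the EventData field SubjectUserSid (who performed the action) or TargetUserSid (the account acted on, e.g. the logged-on account in a 4624 logon event), so the query checks both; the UserId key of -FilterHashtable, by contrast, matches the event's own UserId property (the account the event was logged under, typically SYSTEM for the Security log), which is why the question's filter returns nothing. The archive path and the SID below are constructed placeholders; substitute your own.

```powershell
# Added example: find every Security event in an archived .evtx that names a
# given SID as subject or target, using -FilterXPath so the filtering happens
# inside the event log API rather than in a Where-Object pipeline.
param(
    # Constructed placeholders: point these at your archive and the SID you want.
    [string]$Path = "$HOME\Desktop\seclog.evtx",
    [string]$Sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
)

# Only SID-shaped input is interpolated into the query; anything else is rejected
# rather than being pasted into the XPath string.
if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }

# {0} is filled in twice by -f; the XPath itself contains no braces, so -f is safe.
$xpath = '*[EventData[Data[@Name="SubjectUserSid"] = "{0}" or Data[@Name="TargetUserSid"] = "{0}"]]' -f $Sid

$query = @{
    Path        = $Path
    FilterXPath = $xpath
}

# Get-WinEvent reports "No events were found" as an error when nothing matches;
# silence that and test the result instead so a script can handle it cleanly.
$events = @(Get-WinEvent @query -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No events name $Sid in $Path"
    return
}

# One row per event ID, so the report shows which kinds of activity the SID
# appears in (e.g. 4624 logons, 4672 special privileges, 4720 account created).
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count, @{ n = 'Task'; e = { $_.Group[0].TaskDisplayName } }
```

Save it as a .ps1 and run it as `.\Find-SidEvents.ps1 -Path .\Archive-Security-2015-04-14-02-13-02-299.evtx -Sid S-1-5-21-...` (the script name is a suggestion, not something from the page). Add `MaxEvents = 10` to `$query` while testing, as in the splatting example above, to avoid reading the whole archive.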
2

I don't know of any built-in way to find out if a specific UserID exists.
However, you can just match the content of the message to find your SID, as it should be unique:

# -LogName and -Path belong to different parameter sets of Get-WinEvent, so only
# -Path is used when reading an archived file.
$events = Get-WinEvent -Path "Archive-Security-2015-04-14-02-13-02-299.evtx" | Where-Object { $_.Message -match 'S-1-5-21-220523388-838170752-839522115-yyyy' }

There are also some cleaner ways using XML filtering.
But personally I haven't had a need for them yet, and content matching the message has been sufficient so far.

Reaces
  • 5,597
  • 4
  • 38
  • 46
  • That's what I did for further post processing to get my report. But I prefer filtering before piping, as, as your linked article says, it's a greater than 100X difference in performance. The said id exists, as the GUI event viewer shows. What I am uncertain about is the syntax or whether the UserId key refers to this SID field. – Old Geezer Apr 14 '15 at 14:29
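An added example, not from Reaces's answer or the comment, that times the two approaches discussed in this thread on the same archive, so the "filter before piping" performance claim can be checked on your own data. The archive path and SID are constructed placeholders. One caveat worth knowing when comparing the counts: the Message property is rendered from the provider's message resources, so on a machine where the provider is not registered (common when an .evtx is copied elsewhere for analysis) Message can be empty and the message-matching approach silently misses events, whereas the EventData XPath query reads the raw event fields and is unaffected.

```powershell
# Added example: compare XPath filtering inside Get-WinEvent with post-filtering
# on the Message property. Both look for one SID in the same archived log.
param(
    # Constructed placeholders; replace with your own archive and SID.
    [string]$Path = 'Archive-Security-2015-04-14-02-13-02-299.evtx',
    [string]$Sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
)

if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }

# Same query as the XPath answer, extended to the TargetUserSid field.
$xpath = '*[EventData[Data[@Name="SubjectUserSid"] = "{0}" or Data[@Name="TargetUserSid"] = "{0}"]]' -f $Sid

# Approach 1: the event log API applies the filter while reading the file.
$xpathTime = Measure-Command {
    $script:byXPath = @(Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue)
}

# Approach 2: every event is read and its message rendered, then filtered in
# PowerShell. [regex]::Escape is harmless for a SID but keeps the pattern literal.
$messageTime = Measure-Command {
    $script:byMessage = @(Get-WinEvent -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Sid) })
}

# Events whose rendered message is empty can never be matched by approach 2;
# report how many there are so a low MessageMatches count is explainable.
$unrendered = @(Get-WinEvent -Path $Path -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Message }).Count

[pscustomobject]@{
    XPathMatches          = $byXPath.Count
    XPathSeconds          = [math]::Round($xpathTime.TotalSeconds, 2)
    MessageMatches        = $byMessage.Count
    MessageSeconds        = [math]::Round($messageTime.TotalSeconds, 2)
    EmptyMessagesInFirst1k = $unrendered
}
```

The two match counts need not agree: message matching also catches the SID when it appears in any other field of the rendered text, while the XPath query only checks the two named EventData fields. If that matters for a report, extend the `or` list in `$xpath` with the additional Data names you care about rather than falling back to message matching.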