4

I need to create an entry in the Windows Event Log (e.g. the application log). I know how to do all the stuff besides filling in the user who performed the action.

Example: I need to create a script that writes some message into the application log. I used this tutorial, which worked fine: http://blogs.technet.com/b/heyscriptingguy/archive/2013/06/20/how-to-use-powershell-to-write-to-event-logs.aspx

But I am not able to influence the "user". When adding an entry to the Windows log, it always fills in "User: N/A".

Any idea how to pass "user" argument to the "write-eventlog" cmdlet?

Thank you for your help.

kubusz
  • 1
    According to the answers to [this similar question](http://stackoverflow.com/q/965308/1630171) spoofing the username is not possible. – Ansgar Wiechers Dec 12 '13 at 19:09
  • Hi Ansgar, thanks for your reply. Actually I am not trying to spoof the username, I just need to fill in the current user who is writing to the event log. I need to see who did the change in the event log. Thanks – kubusz Dec 13 '13 at 14:21

1 Answer

2

Even though (as far as I'm aware) Write-EventLog does not provide an option to write directly to the "User" field, you have two workarounds:

Use the built-in standalone executable "EventCreate.exe" (type eventcreate /? to see the manual).

This one does support providing the username field. I'm not sure, but it may require a password for that user too.

The second workaround would be to pass $env:USERNAME to the "message" field of Write-EventLog. This way you will still obtain the environment's current user.

I hope that helped.

AlexPawlak
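The second workaround above, as an added example that is not part of the original answer: it records the caller in the message body, but reads the name and SID from the process token rather than from $env:USERNAME, since an environment variable can be overwritten before the script runs. The function name Write-AuditEvent and the source name 'MyAuditScript' are hypothetical.

```powershell
# Added example, not from the original post.
# Requires Windows PowerShell 5.1; the *-EventLog cmdlets are not in PowerShell 6+.
# 'Write-AuditEvent' and 'MyAuditScript' are hypothetical names.

function Write-AuditEvent {
    param(
        [Parameter(Mandatory)] [string] $Message,
        [string] $Source  = 'MyAuditScript',
        [int]    $EventId = 1000
    )

    # Identity comes from the process token. $env:USERNAME is only an
    # environment variable and can be changed by whoever launches the script.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # A source must be registered once before it can be written to.
    # SourceExists can throw for non-elevated callers that cannot read every
    # log; in that case treat the source as not registered.
    try {
        $exists = [System.Diagnostics.EventLog]::SourceExists($Source)
    } catch {
        $exists = $false
    }
    if (-not $exists) {
        # Registering a source needs an elevated session.
        New-EventLog -LogName Application -Source $Source -ErrorAction Stop
    }

    # The event's own "User" field stays N/A; the identity goes in the text.
    $body = "{0}`r`nUser: {1}`r`nSID: {2}" -f $Message, $identity.Name, $identity.User.Value

    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType Information -Message $body
}

# Write one entry, then read it back to confirm what was recorded.
Write-AuditEvent -Message 'Configuration changed by script.'
Get-EventLog -LogName Application -Source 'MyAuditScript' -Newest 1 |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

Anything in the message body is written by the script itself, so it shows who the script ran as only to the extent that the script is trusted.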