I want to filter some logs for a specific username. In Event Viewer, you can enter the username in the mentioned field and it will filter your logs. But I want to use cmd (wevtutil), so I should use an XML query to filter my logs. The problem appears here: in an XML query you can only enter the SID of the user you are looking for (in System[Security[@UserID]]). Is it somehow possible to use the username instead of the SID?
Notes: In Event Viewer, when you enter the username, it converts the username to a SID and uses the SID in its XML query. I don't have any idea how this occurs.
And I should mention a note here: some people suggested I use "target username" to filter my logs. But it is not what I'm looking for. "target username" only deals with logon logs.
You could just use the UserName to retrieve their SID for use in your wevtutil command.
From the Command Prompt, (cmd):
For /F %G In ('%SystemRoot%\System32\wbem\WMIC.exe UserAccount Where "Name='KnownUserName'" Get SID 2^>NUL ^| %SystemRoot%\System32\find.exe "-"') Do @%SystemRoot%\System32\wevtutil.exe CommandLineOptions
You'd simply replace KnownUserName and CommandLineOptions, and substitute their SID with %G.
Or from a batch-file:
@For /F %%G In ('%SystemRoot%\System32\wbem\WMIC.exe UserAccount Where "Name='KnownUserName'" Get SID 2^>NUL ^| %SystemRoot%\System32\find.exe "-"') Do @%SystemRoot%\System32\wevtutil.exe CommandLineOptions
Obviously you'd replace KnownUserName and CommandLineOptions again, and substitute their SID this time with %%G.