Query EventLog with PowerShell and FilterXPath


In a previous post, I showed you how to make an efficient search in the EventLog with the “Get-WinEvent” cmdlet. Today, I’ll show you how to get even more from that cmdlet with a “FilterXPath”.

The syntax is more complex, but much more powerful. Here is an example I made for the helpdesk to troubleshoot lockout issues:

Get-WinEvent -Logname security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" -ComputerName DC1 | Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}

You need to define a “$User” variable with the SamAccountName, and change “-ComputerName” to the name of the DC which locked the account; you can easily find that with LockOut Status.
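As an added example that is not part of the original post, here is the same FilterXPath query wrapped in a reusable function: it adds a time window with the timediff XPath function and defaults to the domain's PDC emulator, which receives a copy of every lockout. The function name, its parameters and the use of Get-ADDomain are my assumptions, not the post's.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is available for Get-ADDomain and that the caller has read access to the
# Security log on the DC.
function Get-AccountLockoutEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern("^[^']+$")]   # an apostrophe would break the XPath literal
        [string]$User,                 # SamAccountName, as in the post
        [string]$ComputerName,         # DC to query; defaults to the PDC emulator
        [int]$Hours = 24               # only look back this far
    )

    if (-not $ComputerName) {
        # Every lockout is also recorded on the PDC emulator, so it is a safe
        # default when the locking DC is not yet known from LockOut Status.
        $ComputerName = (Get-ADDomain).PDCEmulator
    }

    # The filter is evaluated on the DC side: Event ID 4740, the target account
    # and a time window. timediff() is in milliseconds relative to now.
    # Note: XPath string comparison is case-sensitive, so $User must match the
    # case as it is logged in TargetUserName.
    $ms    = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='TargetUserName']='$User']]"

    # Get-WinEvent raises a non-terminating error when nothing matches;
    # SilentlyContinue turns "no lockouts" into empty output instead.
    Get-WinEvent -LogName Security -ComputerName $ComputerName `
                 -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{Label='User Name';   Expression={ $_.Properties[0].Value }},
            @{Label='Client Name'; Expression={ $_.Properties[1].Value }},
            @{Label='Locking DC';  Expression={ $_.MachineName }}
}

# Usage: lockouts for jdoe in the last 4 hours, read from the PDC emulator
Get-AccountLockoutEvent -User 'jdoe' -Hours 4
```

The “Client Name” column is the caller computer that sent the bad password, which is usually the first place the helpdesk should look.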
