WEVTUtil export certain event - windows

I want to export only event id 4624 from Security
The code below exports all events from Security (I want only 4624):
WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"
When all 4624 events are exported I want to filter only the events with:
<Data Name='LogonProcessName'>User32 </Data>
These will be the RDP logs with the IP, because the logs in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" don't have the IP (only the username) :( I heard this is because the RDP connection is TLS secured...

I want to export only Event ID 4624 from Security
WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"
You are using the wrong format for the /q option.
Use the following command line:
wevtutil qe Security "/q:*[System[(EventID=4624)]]" /rd:true /f:text > "%~dp0Logins.txt"
How do I restrict the filter to Event ID 4624 containing User32?
When all 4624 events are exported I want to filter only the events with:
<Data Name='LogonProcessName'>User32 </Data>
Use the following command line:
wevtutil qe Security "/q:*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonProcessName']='User32 ']]" /f:text /rd:true > "%~dp0Logins.txt"
Code based on the following source link.
Source How to use wevtutil command to get event details if it only comply with specific text or word
Further Reading
An A-Z Index of the Windows CMD command line - An excellent reference for all things Windows cmd line related.
findstr - Search for strings in files.
wevtutil - Windows Events Command Line Utility.
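The same export as a PowerShell script, as an added example that is not part of the original question or answer. It reads Event ID 4624 from the Security log, keeps only the entries whose LogonProcessName is 'User32 ' (the value carries a trailing space in the event itself) and additionally narrows to LogonType 10 (RemoteInteractive), which is the RDP case the asker is after, then writes the client IP from the EventData block. The day window, the output file name and the LogonType narrowing are assumptions made here, not something stated in the thread; run it elevated on the host whose Security log you want.

```powershell
# Added example (not from the original answer): successful logons (4624) from the
# Security log, kept only when LogonProcessName is 'User32 ' and LogonType is 10
# (RDP), with the source IP taken from EventData. Assumptions: $Days and the CSV
# name are illustrative; run elevated (reading Security needs admin rights).
$Days = 7
$base = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }   # like %~dp0 in a .cmd
$OutFile = Join-Path $base 'Logins.csv'

# FilterHashtable is evaluated by the event log service, so the ID/time
# restriction happens before any event is rendered on the client.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The <EventData><Data Name=...> fields are only reachable through the XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 'User32 ' (trailing space) marks interactive logons; LogonType 10 is
    # RemoteInteractive, which is where the RDP client address shows up.
    if ($data['LogonProcessName'] -eq 'User32 ' -and $data['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIP  = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    }
}

$rows | Sort-Object Time -Descending | Export-Csv -NoTypeInformation -Path $OutFile
$rows | Format-Table -AutoSize
```

Drop the LogonType test if you also want console logons, which share the 'User32 ' logon process but carry LogonType 2 and an IpAddress of '-'. A 4624 with LogonType 10 is written after network level authentication succeeds, so failed RDP attempts are not in this list; those are 4625 events.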

Related

How to parse WMIC printer list full

When I use the following command, it outputs a text file with a computer's printer information: wmic printer list full >> c:\computer_printers.txt
However, the list is very long, and I only want to see the fields for DriverName, Name, and Portname in the output. Is there a way to modify the command I am using to get this result?
I researched the adverbs associated with the verb List, but the way I am interpreting the document here (https://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx), it does not seem like what I am trying to do is possible. Is there anyone with more experience with WMIC that can confirm this?
I only want to see the fields for DriverName, Name, and Portname in the output
Use the following command:
wmic printer get DriverName, Name, Portname >> c:\computer_printers.txt
Example output:
> type c:\computer_printers.txt
DriverName                        Name                            PortName
Microsoft XPS Document Writer     Microsoft XPS Document Writer   XPSPort:
Microsoft Shared Fax Driver       Fax                             SHRFAX:
EPSON Stylus Photo RX560 Series   EPSON Stylus Photo RX560 Series USB001
CutePDF Writer                    CutePDF Writer                  CPW2:
Further Reading
An A-Z Index of the Windows CMD command line | SS64.com
Windows CMD Commands (categorized) - Windows CMD - SS64.com
WMIC - Windows Management - Windows CMD - SS64.com
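The CIM equivalent of that wmic call, as an added example that is not from the original answer. WMIC is deprecated and has been removed from recent Windows 11 releases, so the same three columns are fetched here from Win32_Printer through Get-CimInstance, where they arrive as objects instead of fixed-width text. The output path and the "network port" filter pattern are assumptions chosen for the example.

```powershell
# Added example (not from the original answer): Win32_Printer via CIM instead of
# the deprecated wmic. $OutFile and the port-name pattern are illustrative.
$OutFile = 'C:\computer_printers.csv'

$printers = Get-CimInstance -ClassName Win32_Printer |
    Select-Object DriverName, Name, PortName

# Same three columns as "wmic printer get DriverName, Name, Portname"
$printers | Format-Table -AutoSize

# Objects can be filtered without parsing text: printers whose port looks like an
# IP address, a UNC path or a standard TCP/IP port (IP_x.x.x.x), i.e. network printers
$network = $printers | Where-Object {
    $_.PortName -match '^(\d{1,3}\.){3}\d{1,3}$|^\\\\|^IP_'
}
$network | Format-Table -AutoSize

$printers | Export-Csv -NoTypeInformation -Path $OutFile
```

Add -ComputerName to Get-CimInstance to query a remote host over WinRM instead of DCOM, which is the transport wmic used.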

Add a user to a domain group and set the user privileges to certain folder

I have a user in my workplace domain and I want to add him to a specific domain group, then assign him some privileges on a specific folder.
I wonder how this can be done using the command line or a more automated process than doing it step by step, as I do this quite often.
I'm using AD on Windows 10
Looks like dsmod group can be used but I don't know how.
If I have a user with username userh01 in domain mydom how I can add him automatically to group mydomgroup1?
I've tried this command:
dsmod group "mydomgroup1" -addmbr "userh01"
but I get this error
dsmod failed:Value for 'Target object for this command' has incorrect format.
Any advice?
Maybe using PowerShell to add a member to a domain group is an alternative way.
Here below is the script, for example:
Add-ADGroupMember -Identity "GroupName" -Members "Username to add"
Add-ADGroupMember -Identity "mydomgroup1" -Members "userh01"
PS: you may need to import the Active Directory module. Before using Add-ADGroupMember, run this command: 'Import-Module ActiveDirectory' at the beginning.
For different syntax and a detailed description of the Add-ADGroupMember parameters follow this link:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617210(v=technet.10)
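The whole procedure the question asks for (group membership plus folder rights) in one PowerShell script, added here as an example; it is not part of the original answer. It grants the NTFS permission to the group rather than to the user, so the next person only needs the membership step. The domain name, OU paths, NetBIOS name and folder path are assumptions invented for the example, and the RSAT ActiveDirectory module must be installed.

```powershell
# Added example (not from the original answer): add a user to a domain group and
# give that GROUP Modify rights on a folder. Assumptions (illustrative only):
# domain mydom.local with NetBIOS name MYDOM, folder \\fileserver\projects\team1.
Import-Module ActiveDirectory

$User    = 'userh01'
$Group   = 'mydomgroup1'
$NetBios = 'MYDOM'
$Folder  = '\\fileserver\projects\team1'

# 1. Group membership. -Identity takes a sAMAccountName, DN, SID or GUID.
#    dsmod, by contrast, only accepts distinguished names, which is why the bare
#    names in the question failed. The equivalent dsmod call would be:
#    dsmod group "CN=mydomgroup1,OU=Groups,DC=mydom,DC=local" -addmbr "CN=userh01,OU=Users,DC=mydom,DC=local"
Add-ADGroupMember -Identity $Group -Members $User

# Verify before touching the ACL.
if (-not (Get-ADGroupMember -Identity $Group | Where-Object SamAccountName -eq $User)) {
    throw "$User is not a member of $Group"
}

# 2. NTFS permission for the group: Modify on the folder, subfolders and files.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$NetBios\$Group",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Show what is now in place for the group.
(Get-Acl -Path $Folder).Access |
    Where-Object IdentityReference -like "*\$Group" |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Group membership is stamped into the access token at logon, so the user has to log off and on (or reconnect to the share) before the new right is effective. Keep the rights on the group: granting them to individual accounts is what makes this "step by step" every time.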

wevtutil event parsing for errors in last few events

I am using wevtutil to get the last 10 logs in windows servers, with this simple command.
wevtutil qe Application /rd:false /c:10 /f:text
So can I parse events like: all the error events in the last 10 logs?
This will list the last 10 errors:
wevtutil qe Application "/q:*[System[(Level=1 or Level=2)]]" /c:10 /f:text /rd:true
Be careful: the XPath query is case sensitive.

Query windows event log for the past two weeks

I am trying to export a Windows event log but limit the exported events not according to number but according to the time the event was logged. I am trying to do that on Windows 7 and newer. So far my efforts are focused on using wevtutil.
I am using wevtutil and my command line now is: wevtutil epl Application events.evtx. The problem here is that I export the whole log, and this can be quite big, so I want to limit it to just the last 2 weeks.
I have found this post but first of all it does not seem to produce any output on my system(yes I have changed the dates and time) and second it seems to be dependent on the date format which I try to avoid.
Here is the modified command I ran:
wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
I had to replace the < and > with the actual symbols as I got a syntax error otherwise. This command produces empty output.
The problem is due to /q: being inside quotes. It should be outside, like:
wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
This works just fine for me.
For the events of the last 2 weeks, you could also use timediff, to avoid hard-coding dates.
Windows uses milliseconds, so it would be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.
For your query, that would look like
wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
I added /c:1 to get only 1 event in the example, since there are many events in the last 2 weeks.
You may also want to only list warning and errors. For that, you can use (Level=2 or Level=3). (For some reason, Level<4 doesn't seem to work for me on Win7)
wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
I don't know how you feel about PowerShell, but it's available on all the systems you tagged.
From a powershell prompt, see Get-Help Get-EventLog -Examples for more info.
If you have to do this from a .cmd or .bat file, then you can call powershell.exe -File powershell_script_file_name
where powershell_script_file_name has the Get-EventLog command(s) you need in it.
This example gives all the Security Event Log failures, I use to audit systems:
Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}
I strongly recommend using LogParser for this kind of task:
logparser -i:evt file:query.sql
With query.sql containing something like this:
SELECT
TimeGenerated,EventID,SourceName,Message
FROM Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600))
ORDER BY TimeGenerated DESC
The somewhat unintuitive date calculation converts the system time (SYSTEM_TIMESTAMP()) to an integer (TO_INT()), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a timestamp (TO_TIMESTAMP()), thus producing the date from 2 weeks ago.
You can parameterize the timespan by replacing the fixed number of seconds with MUL(86400, $days) and changing the commandline to this:
logparser -i:evt file:query.sql+days=14
You can also pass the query directly to logparser:
logparser -i:evt "SELECT TimeGenerated,EventID,SourceName,Message FROM ..."
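One PowerShell script, added here as an example and not taken from any of the answers, covering both threads above: the "last 10 errors" query and the two-week time window, including what the asker actually wanted, a .evtx export bounded by time rather than by count. It uses the same timediff() XPath the answers show and passes it to wevtutil epl, which accepts the same /q: filter as qe. The day count, output path and the choice of Levels are assumptions made for the example.

```powershell
# Added example (not from the original answers): time-window and level queries
# for the Application log, plus a .evtx export limited to the same window.
# $Days, $OutFile and the Level set are illustrative choices.
$Days    = 14
$Ms      = $Days * 86400 * 1000              # timediff() in event XPath counts milliseconds
$OutFile = Join-Path $env:TEMP "Application-last$Days-days.evtx"

# 1. Newest 10 Critical (1) or Error (2) events from the last $Days days.
#    Level accepts an array; add 3 for Warnings. Filtering runs in the log service.
$errors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 1, 2
    StartTime = (Get-Date).AddDays(-$Days)
} -MaxEvents 10 -ErrorAction SilentlyContinue
$errors | Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize

# 2. The same thing as an XPath query, without hard-coded dates.
#    @SystemTime is the attribute axis; the XPath is case sensitive.
$xpath = "*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= $Ms]]]"
Get-WinEvent -LogName Application -FilterXPath $xpath -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize

# 3. Export only the last $Days days as a genuine .evtx (keeps the original
#    binary records, unlike /f:text). /ow:true overwrites an existing file.
$window = "*[System[TimeCreated[timediff(@SystemTime) <= $Ms]]]"
wevtutil epl Application $OutFile "/q:$window" /ow:true

# Sanity check: read one event back from the exported file.
wevtutil qe $OutFile /lf:true /c:1 /f:text
```

Get-WinEvent -FilterHashtable with a StartTime is the simplest form for scripts; the XPath form is the one to reuse in wevtutil, in Event Viewer custom views and in scheduled-task triggers, so it is worth knowing both. Exporting to .evtx rather than text keeps the events readable by every tool that understands the format, including a later Get-WinEvent -Path.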

Wevtutil to output event log description

Is there anyway to only output the description field in an event log entry?
I'm currently using:
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true > C:\query.txt
However, this outputs everything. I just want to output the description, which is under:
<EventData>
<Data>Description blah blah</Data>
</EventData>
You can use /f:text modifier and grep with ^|FIND "Description"
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true ^|FIND "Description" > C:\query.txt
Note the ^ before the pipe, it escapes the pipe in scripts.
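A way to get only the description, added here as an example that is not part of the original answer. FIND "Description" matches the label line that wevtutil prints, but the rendered text follows on the next lines, so the filter cannot return it; in PowerShell the rendered description is simply the Message property of each event, and the raw <EventData><Data> values are available in order through Properties. The event ID is the asker's; the output path and the -MaxEvents count mirror the question and are otherwise illustrative.

```powershell
# Added example (not from the original answer): write only the description of
# the newest two Event ID 431 entries. $OutFile is illustrative.
$Id      = 431
$OutFile = 'C:\query.txt'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $Id } `
    -MaxEvents 2 -ErrorAction SilentlyContinue

# .Message is the same rendered text wevtutil prints after "Description:" with
# /gm:true. .Properties holds the raw <Data> values in their original order,
# which still works when the provider's message DLL is not installed and
# .Message comes back empty.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Description = $e.Message
        RawData     = ($e.Properties | ForEach-Object Value) -join ' | '
    }
}

$rows | Format-List
$rows.Description | Set-Content -Path $OutFile
```

If you need this from a .cmd file, call it as powershell.exe -File query.ps1; the pipe escaping problem the answer mentions does not arise because nothing is piped through cmd.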
