How to Filter Event Logs by Username in Windows 2008 and higher
In Windows Server 2003 or Windows XP, you could easily filter the events in the system Event Log Viewer by a specific user account by entering the desired username in the User field of the log filter. In Windows Server 2008 / Windows 7, this simple way of finding events related to a specific user no longer works.
In Windows Server 2008, there is no User field in the standard presentation of the event log. Let's try to add it using the View -> Add/Remove Columns menu option.
The User column now appears in the log presentation, but it does not display the name of the user who initiated an event. It shows N/A instead. The information about the account is now contained in the description of the event itself (in the values of Security ID and Account Name in this example). So how do you filter the events in the log now?
To filter the events by username (or by any other event attribute) in Windows Server 2008 or higher, you can manually edit the filter's XML query (XPath).
Note. Using XPath to find specific events in the log was covered earlier in the article Running a Scheduled Task after another
Open the log you need in Event Viewer (in our case, it is the Security log) and select Filter Current Log… in the context menu.
Go to the XML tab and check Edit query manually.
Copy and paste the following code, which selects all events of a specific user in the log (replace username with the account name you need).
Save the changes in the filter and look at the log. Only events related to the account you specified should remain in the list.
If you also need to restrict the results to specific events, for example Event ID 4624 (An account was successfully logged on) and 4625 (An account failed to log on) for that user, the XPath filter will look like this:
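A query of this kind for the Edit query manually box, given here as an added example and not the original article's own code. It assumes the Security log and the TargetUserName field, which holds the account that logged on or failed to log on in events 4624 and 4625; username is a placeholder.

```xml
<QueryList>
  <!-- Added example. 'username' is a placeholder for the account name.
       Assumes the Security log and the 4624/4625 field TargetUserName. -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and
      *[EventData[Data[@Name='TargetUserName']='username']]
    </Select>
  </Query>
</QueryList>
```

Removing the EventID clause and the `and` leaves a filter on the account name alone. The value is compared as a whole string, so enter the account name without the domain, which these events store separately in TargetDomainName.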