> For the complete documentation index, see [llms.txt](https://docs.golgothus.tech/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.golgothus.tech/other-research/research-and-misc.-write-ups/windows-event-logging.md).

# Windows Event Logging

```Powershell
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\SystemLog.evtx -FilterXPath 'Event/System/TimeCreated[@SystemTime="2019-12-13T08:24:27.5440626"]'
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\SecurityLog.evtx -FilterXPath '*/*/TimeCreated[(@SystemTime>"2020-02-26T00:00:00Z") and (@SystemTime<"2020-02-26T23:59:00Z")] and */*/EventID=4624 and */*/Data[@Name="TargetUserName"]="Eleanor"'
wevtutil.exe qe /lf "c:\Users\ContosoAdmin\Desktop\SecurityLog.evtx" /q:"*/*/TimeCreated[(@SystemTime>'2020-02-26T00:00:00Z') and (@SystemTime<'2020-02-26T23:59:00Z')] /c:1"
wevtutil.exe qe /lf "c:\Users\ContosoAdmin\Desktop\SecurityLog.evtx" /q:"Event/EventData/Data[@Name='TargetUserName']='Eleanor' and */*/EventID=4624" /c:1 /rd
wevtutil.exe qe /lf "%userprofile%/dedsktop/SecurityLog.evtx" /q:"*/*/TimeCreated[(@SystemTime>'2020-02-26T00:00:00Z') and (@SystemTime<'2020-02-26T23:59:00Z')] and */*/EventID=4624 and */*/Data[@Name='TargetUserName']='Eleanor'"
Get-WinEvent -path C:\Users\ContosoAdmin\Desktop\ApplicationLog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-11T10:50:00:00Z' and (@SystemTime<'2020-02-11T11:10:00Z')] and */*/Provider[@Name='MsiInstaller']"
Get-WinEvent -path C:\Users\ContosoAdmin\Desktop\Systemlog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-03T00:00:00:00Z' and (@SystemTime<'2020-02-03T23:59:00Z')] and */*/EventID=13"
Get-WinEvent -path C:\Users\ContosoAdmin\Desktop\Securitylog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-26T00:00:00:00Z' and (@SystemTime<'2020-02-26T23:59:00Z')] and */*/EventID=4616 and */*/Data[@Name='SubjectDomainName']='NT Authority'"
$test = Get-WinEvent -path C:\Users\ContosoAdmin\Desktop\Securitylog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-26T00:00:00:00Z' and (@SystemTime<'2020-02-26T23:59:00Z')] and */*/EventID=4624 and */*/Data[@Name='TargetUserName']='Network Service'"
```
