Monday, June 28, 2010

Query Windows 7/Vista/Server 2008 Security Log for Login Failures using an XPATH


The following XPATH query returns all "Audit Failure" events from the Windows Security event log whose TargetUserName field equals the string "username". Ideally you'd be able to use a contains(.,"username") clause instead of the ="username" syntax, but so far I haven't been able to make that work.

Code Snippet

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]] and (*[System[band(Keywords,4503599627370496)]]) and (*[EventData[Data[@Name="TargetUserName"]="username"]])</Select>
  </Query>
</QueryList>
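As an added example (not part of the original post), the PowerShell below runs the query above through Get-WinEvent and works around the missing contains() by doing the substring match on the returned events instead of inside the XPath. The function name Get-AuditFailureLogon and its -UserName / -Like parameters are my own; everything else is standard Get-WinEvent usage.

```powershell
# Added example, not from the original post. The event log XPath subset has no contains(),
# so exact matching happens in the XPath and wildcard matching happens after retrieval.
function Get-AuditFailureLogon {
    param(
        [string]$UserName,       # exact TargetUserName, filtered inside the XPath
        [string]$Like,           # wildcard pattern such as '*admin*', filtered client-side
        [int]$MaxEvents = 500
    )
    # XPath 1.0 offers no way to escape a quote inside a string literal, so refuse names
    # that would break out of the quoted value rather than build a malformed query.
    if ($UserName -match "'") { throw "UserName must not contain a single quote." }

    # Keyword 4503599627370496 (0x10000000000000) marks Audit Failure events.
    $select = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]]" +
              " and (*[System[band(Keywords,4503599627370496)]])"
    if ($UserName) {
        $select += " and (*[EventData[Data[@Name='TargetUserName']='$UserName']])"
    }
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$select</Select>
  </Query>
</QueryList>
"@

    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Lift the named EventData fields out of the event XML; fields vary per event ID,
            # so anything an event lacks simply comes back empty.
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = $data['LogonType']
                Source    = $data['IpAddress']
            }
        } |
        Where-Object { -not $Like -or $_.User -like $Like }
}

# Exact match, equivalent to the post's query:
Get-AuditFailureLogon -UserName 'username' | Format-Table -AutoSize
# The substring match the post wished for, done client-side, summarised per account:
Get-AuditFailureLogon -Like '*user*' | Group-Object User | Sort-Object Count -Descending
```

Reading the Security log requires an elevated session (or membership in Event Log Readers), and -MaxEvents keeps a busy log from being read end to end.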

If you have some über-cool XPATHs you use to query your event logs, post them to the comments section.