Event Log Readers

Confirming Group Membership

C:\xyz> net localgroup "Event Log Readers"

Alias name     Event Log Readers
Comment        Members of this group can read event logs from local machine


The command completed successfully.

We can query Windows events from the command line using the wevtutil utility and the Get-WinEvent PowerShell cmdlet.

Searching Security Logs Using wevtutil

PS C:\xyz> wevtutil qe Security /rd:true /f:text | Select-String "/user"

        Process Command Line:   net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

We can also specify alternate credentials for wevtutil using the parameters /u and /p.

C:\xyz> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

Process creation events (event ID 4688) record the full command line of the new process, so we filter for those events whose command line contains /user.

Note: Searching the Security event log with Get-WinEvent requires administrator access, or permissions adjusted on the registry key HKLM\System\CurrentControlSet\Services\Eventlog\Security. Membership in just the Event Log Readers group is not sufficient.

Searching Security Logs Using Get-WinEvent

PS C:\xyz> Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

The Get-WinEvent cmdlet can also be run as another user with the -Credential parameter.

The PowerShell Operational log may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.
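The following audit script is an added example, not part of the original notes. It generalizes the Get-WinEvent query above to both logs mentioned on this page (Security 4688 process command lines and PowerShell Operational 4104 script blocks), matches common credential-passing patterns, and reports hits with the secret redacted so a defender can find and remediate cleartext credentials. The regex patterns and the 24-hour window are assumptions; the Properties indexes (8 for 4688, 2 for 4104) are the standard field positions for those events.

```powershell
# Added audit example (not from the original notes). Finds command lines and
# script blocks that pass credentials in the clear and reports them redacted.
# Reading the Security log needs the rights described above; the PowerShell
# Operational log is readable by unprivileged users.

$Since = (Get-Date).AddHours(-24)   # assumed look-back window

# Assumed patterns; the capture group holds the secret so it can be redacted.
$Patterns = @(
    '/user:\S+\s+(\S+)',              # net use ... /user:name password
    '/p:(\S+)',                       # wevtutil ... /p:password
    '(?i)password[:= ]\s*(\S+)'       # generic password=... / -password ...
)

function Get-RedactedText([string]$Text) {
    foreach ($p in $Patterns) {
        if ($Text -match $p) {
            return $Text.Replace($Matches[1], '<REDACTED>')
        }
    }
    return $null                      # no credential pattern found
}

# Log, event ID, and index of the Properties entry that holds the text.
$Sources = @(
    @{ LogName = 'Security'; Id = 4688; Index = 8 },
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Index = 2 }
)

foreach ($s in $Sources) {
    $filter = @{ LogName = $s.LogName; Id = $s.Id; StartTime = $Since }
    # -FilterHashtable filters inside the event service, far cheaper than
    # piping every event through Where-Object as in the query above.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $redacted = Get-RedactedText ([string]$_.Properties[$s.Index].Value)
            if ($redacted) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $s.LogName
                    EventId = $_.Id
                    Text    = $redacted
                }
            }
        }
}
```

Run the script as an administrator to cover the Security log; without that right it silently reports only the PowerShell Operational hits, so a no-result run should be checked against the access note above.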