Event Log Readers
Confirming Group Membership
C:\xyz> net localgroup "Event Log Readers"
Alias name Event Log Readers
Comment Members of this group can read event logs from local machine
Members
-------------------------------------------------------------------------------
logger
The command completed successfully.
We can query Windows events from the command line using the wevtutil utility and the Get-WinEvent PowerShell cmdlet.
Searching Security Logs Using wevtutil
PS C:\xyz> wevtutil qe Security /rd:true /f:text | Select-String "/user"
Process Command Line: net use T: \\fs01\backups /user:tim MyStr0ngP@ssword
We can also specify alternate credentials for wevtutil using the parameters /u and /p.
C:\xyz> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
In the Get-WinEvent query, we filter for process creation events (Event ID 4688) whose process command line contains /user.
Note: Searching the Security event log with Get-WinEvent requires administrator access, or adjusted permissions on the registry key HKLM\System\CurrentControlSet\Services\Eventlog\Security. Membership in the Event Log Readers group alone is not sufficient.
Searching Security Logs Using Get-WinEvent
PS C:\xyz> Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
CommandLine
-----------
net use T: \\fs01\backups /user:tim MyStr0ngP@ssword
The Get-WinEvent cmdlet can also be run as another user with the -Credential parameter.
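As an added example (not part of the original page), a PowerShell audit that runs the same 4688 query from the defender's side: it lists process-creation events whose command line exposes a credential and masks the secret, so the report can be handed to the owners of the offending scripts without copying the password into yet another place. Find-CommandLineSecret, Get-ExposedCredentialEvent and the secret patterns are this example's own assumptions, as is an elevated session (required to read the Security log, per the note above).

```powershell
# Added defender-side example, not from the original page: report 4688
# process-creation events whose command line carries an inline secret, with
# the secret value masked so the report does not become a second copy of it.
# Assumes an elevated session (reading the Security log needs admin rights,
# as noted above) and that field index 8 is the command line, as the page's
# own query uses. Each heuristic pattern captures the secret in group 1.
$SecretPatterns = @(
    '(?i)/user:\S+\s+(\S+)',                 # net use ... /user:name <password>
    '(?i)/p(?:assword)?:(\S+)',              # wevtutil-style /p:<password>
    '(?i)(?:-p|--password|password=)\s*(\S+)'
)

function Find-CommandLineSecret {
    # Returns the command line with the first detected secret masked,
    # or $null when no pattern matches.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($pattern in $SecretPatterns) {
        $m = [regex]::Match($CommandLine, $pattern)
        if ($m.Success) {
            $g = $m.Groups[1]
            return $CommandLine.Substring(0, $g.Index) + '<REDACTED>' +
                   $CommandLine.Substring($g.Index + $g.Length)
        }
    }
    return $null
}

function Get-ExposedCredentialEvent {
    param([int]$MaxEvents = 5000)
    # "No events found" is a non-terminating error; suppress it and return nothing.
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = $_.Properties[8].Value
            $masked = if ($cmd) { Find-CommandLineSecret -CommandLine $cmd }
            if ($masked) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    Subject     = $_.Properties[1].Value   # account that launched the process
                    CommandLine = $masked
                }
            }
        }
}

# Constructed sample line (same shape as the page's output) to exercise the masking offline:
Find-CommandLineSecret -CommandLine 'net use T: \\fs01\backups /user:tim MyStr0ngP@ssword'
```

Run Get-ExposedCredentialEvent on the host to scan the live Security log; any hit is a script or scheduled task that should switch to a credential store or prompt instead of an inline password.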
The PowerShell Operational log may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.