Many Windows administrators struggle with extracting specific logon events from Security logs. The built-in Event Viewer GUI provides basic filtering, but complex queries require XML filtering - which isn't always intuitive.
For tracking interactive logons, we need three critical elements:
1. Event ID 4624 (Successful logon)
2. Logon Type 2 (Interactive)
3. TargetUserName (The specific user account)
Here's the properly formatted XML query that combines all requirements:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      <!-- timediff() is measured in milliseconds (604800000 = 7 days); the
           less-than-or-equal operator must be escaped as &amp;lt;= inside XML text.
           TargetUserName holds the bare account name; the domain is carried in
           the separate TargetDomainName field, so do not prefix DOMAIN\ here. -->
      *[System[(EventID='4624')]
        and System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]]
        and EventData[Data[@Name='TargetUserName']='username']
        and EventData[Data[@Name='LogonType']='2']]
    </Select>
  </Query>
</QueryList>
Problem: Query returns no results for Logon Type 2
Solution: Check if these events are actually being logged. Some organizations disable interactive logon auditing or forward these events to SIEM systems.
If XML filtering proves difficult, consider PowerShell:
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = (Get-Date).AddDays(-7)
} | Where-Object {
    # Properties follow the 4624 EventData order: [5] = TargetUserName (bare
    # account name, no DOMAIN\ prefix; the domain is [6] = TargetDomainName),
    # [8] = LogonType (numeric).
    $_.Properties[5].Value -eq 'username' -and
    $_.Properties[8].Value -eq 2
}
For more complex scenarios, include multiple logon types. Each alternative has to name the LogonType element explicitly; a bare Data='2' would match any EventData field whose value happens to be 2:
EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='7']
This captures both interactive logons (2) and unlock operations (7).
Ensure proper GPO settings are configured under:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy → Logon/Logoff
The "Audit Logon" policy should be set to track Success events.
To export matching events to CSV:
Get-WinEvent -FilterXml ([xml](Get-Content .\logon_query.xml)) |
Export-Csv -Path .\logons.csv -NoTypeInformation
When auditing Windows security logs, administrators often need to track specific user logons within a defined timeframe. The Security event log contains Event ID 4624 (successful logons) with detailed information including:
- Target user account
- Logon type (2 for interactive)
- Source network address
- Authentication package
The initial approach tried by many administrators often fails because:
<!-- INCORRECT approach with separate Select statements -->
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
<Select Path="Security">*[EventData[Data[@Name='LogonType']='2']]</Select>
</Query>
</QueryList>
This doesn't work because each Select statement is evaluated independently and the results are combined as a union (an OR), so the query returns every 4624 event plus every Logon Type 2 event, rather than only events that satisfy both conditions.
The correct approach combines all conditions in a single Select statement:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      <!-- timediff() is in milliseconds (604800000 = 7 days); the
           less-than-or-equal operator is escaped as &amp;lt;= inside XML. -->
      *[System[(EventID='4624')]
        and System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]]
        and EventData[Data[@Name='TargetUserName']='john.doe']
        and EventData[Data[@Name='LogonType']='2']]
    </Select>
  </Query>
</QueryList>
If you're getting no results despite apparently correct syntax:
- Verify the TargetUserName matches exactly (it is the bare account name; the domain, if you need to match on it, is in the separate TargetDomainName field)
- Check if the logon type you're filtering for actually exists in your logs
- Confirm the time range isn't too restrictive
For more complex filtering needs (each alternative names the element it tests, since an unqualified Data would match any EventData field):
<!-- Multiple logon types -->
EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='7']
<!-- Case-insensitive username match. Event Viewer's restricted XPath subset
     may reject translate(); if it does, do the case-insensitive comparison in
     PowerShell instead, where -eq on strings already ignores case. -->
EventData[Data[@Name='TargetUserName'] and
(translate(Data[@Name='TargetUserName'],'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
'abcdefghijklmnopqrstuvwxyz')='johndoe')]
To use these queries in Event Viewer:
- Open Event Viewer
- Right-click "Security" log
- Select "Filter Current Log..."
- Switch to XML tab
- Check "Edit query manually"
- Paste your XML query
For script-based solutions:
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = (Get-Date).AddDays(-7)
    EndTime   = Get-Date
} | Where-Object {
    # [5] = TargetUserName (bare account name), [8] = LogonType (numeric)
    ($_.Properties[5].Value -eq 'john.doe') -and
    ($_.Properties[8].Value -eq 2)
}
Common logon types to consider:
| Type | Description |
|---|---|
| 2 | Interactive (local console) |
| 3 | Network |
| 4 | Batch |
| 7 | Unlock |
| 10 | RemoteInteractive (RDP) |
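The pieces above (the combined XPath filter, the multi-logon-type clause, the Properties indices and the CSV export) put together in one script. This is an added example, not code from the original page; 'john.doe', the 7-day window and the output path are placeholders, and the Properties indices are the 4624 EventData order used throughout this page.

```powershell
# Added example (not from the original page): builds the combined XPath filter
# for one user, several logon types and a lookback window, runs it with
# Get-WinEvent -FilterXml, and exports named columns instead of raw Properties.
# Assumptions: 'john.doe', the window and the output path are placeholders;
# 4624 Properties order: 5 = TargetUserName, 6 = TargetDomainName,
# 8 = LogonType, 11 = WorkstationName, 18 = IpAddress.
param(
    [string]$User       = 'john.doe',
    [int[]] $LogonTypes = @(2, 7, 10),
    [int]   $Days       = 7,
    [string]$OutCsv     = '.\logons.csv'
)
$logonTypeNames = @{ 2='Interactive'; 3='Network'; 4='Batch'; 7='Unlock'; 10='RemoteInteractive' }

# timediff() works in milliseconds; the <= operator must be escaped in XML text.
$windowMs = [int64]$Days * 24 * 60 * 60 * 1000
# Every alternative names the LogonType element; a bare Data='2' would match
# any EventData field whose value happens to be 2.
$typeClause = ($LogonTypes | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '

$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]
        and System[TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]
        and EventData[Data[@Name='TargetUserName']='$User']
        and EventData[$typeClause]]
    </Select>
  </Query>
</QueryList>
"@

# SilentlyContinue suppresses the "No events were found" error on an empty result.
$events = @(Get-WinEvent -FilterXml ([xml]$xml) -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No 4624 events matched. Check that Audit Logon (Success) is enabled and that -User is the bare account name."
    return
}
$rows = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        TimeCreated      = $e.TimeCreated
        TargetUserName   = $p[5].Value
        TargetDomainName = $p[6].Value
        LogonType        = $p[8].Value
        LogonTypeName    = $logonTypeNames[[int]$p[8].Value]
        WorkstationName  = $p[11].Value
        IpAddress        = $p[18].Value
    }
}
$rows | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the machine (or against a saved .evtx via -Path on Get-WinEvent) since reading the Security log requires administrator or Event Log Readers membership.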