

Windows Event Viewer: Custom View to Exclude User Account

It seems that if you can exclude events, surely you could exclude certain accounts just as easily.
However, Microsoft's Event Viewer only lets you do that by creating a custom view with a hand-written XML query.

Let's examine the following Custom View XML Query.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12801 and (EventID=4657 or EventID=4663)]]</Select>
    <Suppress Path="Security">*[System[(EventID=4657 or EventID=4663)]] and *[EventData[Data[@Name='SubjectUserSid'] and (Data='S-1-5-18' or Data='S-1-5-19')]]</Suppress>
  </Query>
</QueryList>

Most of this is self-explanatory, but what makes this query worth studying is that it shows the logic the view applies:

With Select, it gathers the events matching its criteria.
With Suppress, it removes, from that set, the events matching its criteria.

Seems simple enough: generate some events, open Event Properties -> Details for one of them, and look for the fields you want to filter on.

Some data is easy to figure out: you want EventID 4657 for "Registry Value Modified" and EventID 4663 for "Registry Accessed".

But some of this data isn't quite as easy to spot. For example, the event list shows a Source of "Microsoft Windows security auditing" and a Task Category of "Registry". It's only when you take a closer look at the event's Details that you see the values the query actually needs:

  • System - Provider [Name] == Microsoft-Windows-Security-Auditing
  • System - Task == 12801

What really matters for this particular query is EventData - SubjectUserSid: once you have the SIDs of the accounts you want to exclude, the Suppress clause compares each event's SubjectUserSid against that list.

While not as advanced as SQL, it was a pleasant surprise to learn that the and/or operators are available at every level of the data.
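The same Select/Suppress query can be run from PowerShell instead of a saved custom view, which is handy for testing the filter before you export it. This is an added example and not code from the original post; the account names, the -MaxEvents value and the output fields are assumptions. It also tightens the Suppress clause slightly: the post's query only requires that some Data value equal the SID, while the form below ties the value to the SubjectUserSid element.

```powershell
# Added example, not from the original post: run the custom view's query with
# Get-WinEvent, with the excluded accounts given by name rather than SID.
$excludedAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE')   # assumed; resolve to S-1-5-18 / S-1-5-19

# The view compares SIDs, not names, so translate each account to its SID first.
$sids = foreach ($name in $excludedAccounts) {
    ([System.Security.Principal.NTAccount]$name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Build the or-clause of the Suppress element, one term per excluded SID.
# Data[@Name='SubjectUserSid']='S-1-5-18' matches only the SubjectUserSid field.
$sidClause = ($sids | ForEach-Object { "Data[@Name='SubjectUserSid']='$_'" }) -join ' or '

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12801 and (EventID=4657 or EventID=4663)]]</Select>
    <Suppress Path="Security">*[System[(EventID=4657 or EventID=4663)]] and *[EventData[$sidClause]]</Suppress>
  </Query>
</QueryList>
"@

# Reading the Security log needs an elevated prompt. Get-WinEvent reports
# "No events were found" as an error when nothing matches, so treat that as empty.
$events = Get-WinEvent -FilterXml $query -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the fields the view filters on back out of the event XML.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        EventID        = $e.Id
        SubjectUserSid = ($data | Where-Object Name -eq 'SubjectUserSid').'#text'
        ObjectName     = ($data | Where-Object Name -eq 'ObjectName').'#text'
    }
}
```

Every SubjectUserSid in the output should be outside the excluded list; if a SYSTEM event still shows up, the SID did not resolve the way you expected. The QueryList string is the same element that Event Viewer writes into an exported custom view, so once the filter behaves, it can be pasted into the view as-is.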

Note: when you create a custom view, export it. Sometimes, when you close and re-open Event Viewer, your changes aren't saved, so it's smart to be able to import the completed version.

On Windows 7, to enable auditing of the registry:

In gpedit.msc
-> Computer Configuration
 -> Windows Settings
  -> Security Settings
   -> Advanced Audit Policy Configuration
    -> System Audit Policies - Local Group Policy Object
     -> Object Access
      -> Audit Registry == Check Configure + both Success and Failure checkboxes

You then use regedit.exe to find the registry key you want to audit, right-click it, and choose Permissions > Advanced > Auditing, then add the group you want to audit, so that any account in that group gets audited.  I prefer using "Everyone", because then everyone gets audited no matter what group they are in.
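The two steps above (the gpedit audit policy and the regedit Auditing entry) can also be done from an elevated PowerShell prompt, which is easier to repeat on several machines. This is an added example and not code from the original post; the key path and the set of audited rights are assumptions, and it assumes the prompt is elevated, since both auditpol and writing a SACL need it.

```powershell
# Added example, not from the original post: enable registry auditing and add an
# audit entry for Everyone on one key. Run from an elevated prompt.
$keyPath = 'HKLM:\SOFTWARE\ExampleApp'   # assumed key to audit

# Step 1: Object Access > Audit Registry, Success and Failure. This is the
# auditpol subcategory behind the gpedit setting; /get verifies the result.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /get /subcategory:"Registry"

# Step 2: the "Auditing" tab in regedit, as a SACL entry on the key.
# S-1-1-0 is Everyone; using the SID avoids localized group names.
$identity  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, QueryValues'   # assumed
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # apply to subkeys too
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule($identity, $rights, $inherit, $propagate, $flags)

# -Audit is required so Get-Acl reads the SACL, not just the DACL.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the entry is in place.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize
```

After both steps, modifying a value under the key produces EventID 4657 and reading or opening it produces EventID 4663, which is exactly what the custom view above selects; the Everyone entry is what makes the SubjectUserSid suppression useful, since the noise from SYSTEM and LOCAL SERVICE is otherwise audited as well.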

While there are other tools and scripts out there for more powerful audits, this knowledge lets you handle the simpler audits yourself and makes your Event Viewer views a little less cluttered.