
I'm trying to query the Windows 11 event log for any use of a computer. I'm starting with someone getting access to the Windows UI, so I've tried this query I found somewhere on ServerFault, but the most recent event it shows is 2024-02-28, and I've just unlocked the machine minutes ago.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=42)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=107)]]</Select>
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6006)]]</Select>
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6005)]]</Select>
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4802)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4803)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4801)]]</Select>
    <!-- 4767 is written by the Security-Auditing provider to the Security log, not System -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4767)]]</Select>
  </Query>
</QueryList>

Any suggestions on better event IDs or something I'm doing wrong?
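Added example (not the question author's code): a PowerShell session that runs the posted XPath query through `Get-WinEvent -FilterXml`, tallies which of the requested IDs actually occur, and then checks the audit subcategory that produces the Security-log lock/unlock events. The point it demonstrates is that 4800/4801 (workstation locked/unlocked) and 4802/4803 (screensaver) come from the "Other Logon/Logoff Events" subcategory, which a default Windows client does not audit, so a correct XPath still returns only the System-log IDs. It assumes an elevated PowerShell prompt (the Security log is not readable otherwise) and that `auditpol.exe` is available, which it is on every supported Windows build.

```powershell
# Added example, not part of the original question. Run from an elevated PowerShell.

# The query as posted, with the per-ID <Select> lines collapsed into "or" clauses (same result set).
$filterXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=42 or EventID=107)]]</Select>
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6005 or EventID=6006)]]</Select>
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=4767)]]</Select>
  </Query>
</QueryList>
"@

# Newest 50 matches; -ErrorAction hides the "No events were found" error when a channel returns nothing.
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents 50 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, LogName, Id, ProviderName | Format-Table -AutoSize

# Tally per log and ID. If every line here is LogName=System, the Security-log IDs are
# simply never being written, which is an audit-policy question rather than an XPath one.
$events | Group-Object LogName, Id | Select-Object Count, Name | Sort-Object Name

# The subcategory that emits 4800/4801 (lock/unlock) and 4802/4803 (screensaver).
# "No Auditing" in this output is the usual reason those IDs are absent on a client.
auditpol /get /subcategory:"Other Logon/Logoff Events"

# To start recording lock/unlock from now on (success only). This does not backfill past events.
# auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable

# Independent of that subcategory: console logons and unlocks are also recorded as 4624 under the
# "Logon" subcategory, which is audited by default on clients. LogonType is Properties[8]:
# 2 = interactive (console), 7 = unlock, 11 = cached interactive. TargetUserName is Properties[5].
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[8].Value -in @(2, 7, 11) } |
  Select-Object TimeCreated,
                @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
                @{ n = 'User';      e = { $_.Properties[5].Value } } |
  Select-Object -First 10
```

The last pipeline is the useful fallback for the "was anyone at the keyboard" question: 4624 with LogonType 7 is written on every unlock regardless of the "Other Logon/Logoff Events" setting, so it is the event to compare against the time you just unlocked the machine.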
