Example of dumping a user's RD Gateway logins and the related domain controller events with wevtutil, run remotely against the gateway (/r:RDGATEWAY) and a DC (/r:DCSERVER). The first query pulls every TerminalServices-Gateway operational event whose UserData names the user; /e:root wraps the output in a single <root> element so the file is well-formed XML (the two DC dumps below omit /e and are therefore a bare sequence of <Event> elements). The DC queries pull Netlogon event 5723 from the System log and account lockout event 4740 from the Security log. Note that timediff() is measured in milliseconds: 8640000 covers only the last 2.4 hours, so use 86400000 for a full 24-hour window. The quotes must be straight ASCII quotes, as below; the curly quotes produced by a word processor break the XPath parser.
wevtutil qe /r:RDGATEWAY Microsoft-Windows-TerminalServices-Gateway/Operational /e:root /f:RenderedXML /q:"*[UserData[EventInfo[Username='DOMAIN\username']]]" > wevtutil.username.xml
wevtutil qe /r:DCSERVER System /f:RenderedXML /q:"*[System[(EventID=5723) and TimeCreated[timediff(@SystemTime)<=8640000]]]" > 5723.xml
wevtutil qe /r:DCSERVER Security /f:RenderedXML /q:"*[System[(EventID=4740) and TimeCreated[timediff(@SystemTime)<=8640000]]]" > 4740.xml
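The same three queries in PowerShell, as an added example that is not part of the original post: Get-WinEvent accepts the identical XPath filters via -FilterXPath, the millisecond window is computed from an hour count so the unit mistake cannot happen, and the results from both hosts are merged into one time-ordered CSV. The host names, user name, and output path are placeholders to be replaced.

```powershell
# Added example (not from the original post): the wevtutil queries above, run
# through Get-WinEvent and merged into a single timeline. RDGATEWAY, DCSERVER,
# DOMAIN\username and the output path are placeholders.
param(
    [string]$Gateway = 'RDGATEWAY',
    [string]$DC      = 'DCSERVER',
    [string]$User    = 'DOMAIN\username',
    [int]   $Hours   = 24,
    [string]$OutFile = ".\$($User.Split('\')[-1]).timeline.csv"
)

# timediff() in an event XPath filter is in milliseconds; derive it from hours.
$ms = $Hours * 60 * 60 * 1000

# Same XPath dialect wevtutil uses. Straight quotes only.
$gwFilter  = "*[UserData[EventInfo[Username='$User']]]"
$sysFilter = "*[System[(EventID=5723) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
$secFilter = "*[System[(EventID=4740) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

$queries = @(
    @{ Computer = $Gateway; LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; XPath = $gwFilter  },
    @{ Computer = $DC;      LogName = 'System';                                                 XPath = $sysFilter },
    @{ Computer = $DC;      LogName = 'Security';                                               XPath = $secFilter }
)

$events = foreach ($q in $queries) {
    try {
        Get-WinEvent -ComputerName $q.Computer -LogName $q.LogName -FilterXPath $q.XPath -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $q.Computer
                    Log         = $q.LogName
                    EventID     = $_.Id
                    # Keep only the first line of the rendered message for the CSV.
                    Message     = ($_.Message -split "`r?`n")[0]
                }
            }
    }
    catch {
        # Get-WinEvent throws when a filter matches nothing; treat that as an empty result
        # and let every other error (RPC unreachable, access denied) surface.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

$events | Sort-Object TimeCreated | Export-Csv -NoTypeInformation -Path $OutFile
Write-Host ("{0} events written to {1}" -f @($events).Count, $OutFile)
```

Get-WinEvent -ComputerName reaches the remote hosts over RPC, so the Remote Event Log Management firewall rules must be open on them, and reading the Security log requires membership in Event Log Readers (or local administrator) on the DC, the same rights wevtutil /r: needs.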