get-userevent executes a SELECT * FROM Win32_NTLogEvent WMI query against a target Windows host and retrieves Security event log entries related to user authentication activity. By default it collects both logon events (Event ID 4624, restricted to logon type 2, interactive) and Kerberos TGT request events (Event ID 4768), scoped to events from the past five days; adjusting --date-start extends or narrows that window. This command is used internally by invoke-eventhunter to identify which users have recently authenticated to a set of hosts, enabling you to infer where high-value accounts such as domain administrators may be active.
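To make the selection concrete, the following is an added example, not pywerview's own code: it builds the kind of WQL filter such a query implies and applies the same event-ID, logon-type and age criteria to a constructed, in-memory set of Win32_NTLogEvent-style records. The exact WQL text, the use of the record's InsertionStrings to read LogonType and the target user (field order as in the Windows 4624 and 4768 event templates), and all sample records are assumptions made for illustration; the page only states that the query is SELECT * FROM Win32_NTLogEvent. Knowing exactly which events are read is what lets a defender reason about which accounts' activity is exposed by Security log access on a host.

```python
"""Added example: the filtering a get-userevent style query performs,
reproduced offline on constructed records (not pywerview's own code)."""
from datetime import datetime, timedelta, timezone

# Event IDs named on the page: 4624 logon (kept only when LogonType is 2,
# interactive) and 4768 Kerberos TGT request.
EVENT_IDS = {"logon": 4624, "tgt": 4768}
INTERACTIVE_LOGON_TYPE = "2"


def to_cim_datetime(dt):
    """Render an aware datetime as CIM_DATETIME, yyyymmddHHMMSS.ffffff+UUU,
    the form Win32_NTLogEvent.TimeGenerated uses (UUU = UTC offset in minutes)."""
    offset = dt.utcoffset() or timedelta(0)
    minutes = int(offset.total_seconds() // 60)
    sign = "+" if minutes >= 0 else "-"
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{sign}{abs(minutes):03d}"


def from_cim_datetime(text):
    """Parse a CIM_DATETIME string back into an aware datetime."""
    base = datetime.strptime(text[:21], "%Y%m%d%H%M%S.%f")
    sign = 1 if text[21] == "+" else -1
    return base.replace(tzinfo=timezone(timedelta(minutes=sign * int(text[22:25]))))


def build_wql(event_types, date_start_days, now):
    """Assumed shape of the server-side WQL filter: narrow by log, event ID and
    age. LogonType sits inside the message fields, so it is checked client-side."""
    codes = " OR ".join(f"EventCode = {EVENT_IDS[t]}" for t in event_types)
    since = to_cim_datetime(now - timedelta(days=date_start_days))
    return ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' "
            f"AND ({codes}) AND TimeGenerated >= '{since}'")


def select_events(records, event_types=("logon", "tgt"), date_start_days=5, now=None):
    """Apply the same selection to fetched records. Each record mirrors the
    Win32_NTLogEvent properties EventCode, Logfile, TimeGenerated and
    InsertionStrings. Returns (kind, user, domain, time) tuples, newest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=date_start_days)
    wanted = {EVENT_IDS[t]: t for t in event_types}
    hits = []
    for rec in records:
        kind = wanted.get(rec["EventCode"])
        if kind is None or rec["Logfile"] != "Security":
            continue
        when = from_cim_datetime(rec["TimeGenerated"])
        if when < cutoff:
            continue
        fields = rec["InsertionStrings"]
        if kind == "logon":
            # 4624 template: TargetUserName=5, TargetDomainName=6, LogonType=8 (assumed order)
            if fields[8] != INTERACTIVE_LOGON_TYPE:
                continue
            user, domain = fields[5], fields[6]
        else:
            # 4768 template: TargetUserName=0, TargetDomainName=1 (assumed order)
            user, domain = fields[0], fields[1]
        hits.append((kind, user, domain, when))
    hits.sort(key=lambda h: h[3], reverse=True)
    return hits


# Constructed sample data (not real log output); NOW is fixed so results are reproducible.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def _rec(code, age_days, fields, logfile="Security"):
    return {"EventCode": code, "Logfile": logfile,
            "TimeGenerated": to_cim_datetime(NOW - timedelta(days=age_days)),
            "InsertionStrings": fields}


SAMPLE_RECORDS = [
    _rec(4624, 1, ["S-1-5-18", "HOST$", "CONTOSO", "0x3e7", "S-1-5-21-1", "alice", "CONTOSO", "0x1a2b", "2"]),
    _rec(4624, 1, ["S-1-5-18", "HOST$", "CONTOSO", "0x3e7", "S-1-5-21-2", "svc_backup", "CONTOSO", "0x1a2c", "3"]),  # network logon: dropped
    _rec(4768, 2, ["bob", "CONTOSO.COM", "S-1-5-21-3"]),
    _rec(4624, 10, ["S-1-5-18", "HOST$", "CONTOSO", "0x3e7", "S-1-5-21-4", "carol", "CONTOSO", "0x1a2d", "2"]),  # older than 5 days
    _rec(4672, 1, ["S-1-5-21-1", "alice", "CONTOSO", "0x1a2b"]),  # not a tracked event ID
]

if __name__ == "__main__":
    print(build_wql(("logon", "tgt"), 5, NOW))
    for kind, user, domain, when in select_events(SAMPLE_RECORDS, now=NOW):
        print(f"{when:%Y-%m-%d %H:%M} {kind:5} {domain}\\{user}")
```

With the defaults the sample yields alice's interactive logon and bob's TGT request; svc_backup is dropped because its logon type is 3 (network), carol because her event is outside the five-day window, and 4672 because it is not one of the two tracked IDs. Raising date_start_days to 30 brings carol back, which is the behaviour --date-start controls.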

Flags

--computername
string
required
IP address or hostname of the target Windows host to query for user events.
-w, --workgroup
string
Name of the domain to authenticate with. Can be omitted when using local credentials.
-u, --user
string
Username for authentication. Accepts both domain accounts (DOMAIN\user) and local accounts.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or replaced with the empty LM hash.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--event-type
string[]
default: logon tgt
Type(s) of events to search for. Accepted values: logon (interactive logon events) and tgt (Kerberos TGT request events). Pass one or both values. Defaults to returning both event types.
--date-start
integer
default: 5
Filter out events older than this many days. For example, --date-start 7 returns events from the last week. Defaults to 5.

Examples

# Retrieve all logon and TGT events from the last 5 days (default)
pywerview get-userevent --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com

# Retrieve only interactive logon events
pywerview get-userevent --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com \
  --event-type logon

# Retrieve only Kerberos TGT events
pywerview get-userevent --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com \
  --event-type tgt

# Extend the lookback window to 30 days
pywerview get-userevent --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com \
  --date-start 30

# Pass-the-hash authentication
pywerview get-userevent --computername 192.168.1.10 -u alice --hashes :a87f3a337d73085c45f9416be5787d86 \
  -w contoso.com --event-type logon tgt --date-start 7

# JSON output
pywerview get-userevent --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com --json

Reading the Security event log via WMI requires local administrator privileges on the target host. The Security log may also be cleared or have limited retention; a short or empty result set does not necessarily mean no logons occurred.

get-userevent is used by invoke-eventhunter under the hood. For large-scale hunts across multiple hosts, prefer invoke-eventhunter, which parallelises the WMI queries and correlates results against domain user lists.