Exporting Windows events
To export an indexed event list for Windows sessions from the command line, use the following syntax:
FindSessions /i="InstallationName" /export="WashEvents" /path="folder"
For example, to export the indexed event list for the sessions associated with a specific user and save the output in the C:\Temp\Session Events folder, you would type a command like this:
FindSessions /i="MyInstallation" /user="chris.howard" /export="WashEvents" /path="C:\Temp\Session Events"
The command generates the list of events as comma-separated values in a text file. For example:
"Time","Application","Title","Type","Desktop","Audited","Role","Ticket"
"1/29/2015 1:53:14 PM", "Windows Explorer", "Start", "Application Activate", "Default", "Y","<None>","<None>"
"1/29/2015 1:53:56 PM", "DirectAuthorize System Tray", "Options", "Application Activate", "Default", "Y","<None>","<None>"
...
"1/29/2015 3:00:51 PM", "Windows Explorer", "Start", "Window Activate", "LocalSQLAdmin", "Y","<None>","<None>"
"1/29/2015 3:01:16 PM", "Microsoft SQL Server Management Studio Express", "Microsoft SQL Server Management Studio Express", "Application Activate", "LocalSQLAdmin", "Y","<None>","<None>"
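For review, the exported text can be parsed and checked for points where the Desktop column changes (Default to LocalSQLAdmin in the sample). The following is an added example, not part of the product documentation; the function names load_events and desktop_switches are hypothetical, and it assumes the export uses the column layout and time format shown above.

```python
import csv
import io
from datetime import datetime

# The Notepad row is constructed to show a title that contains a comma;
# the other rows are copied from the sample output above.
SAMPLE = '''"Time","Application","Title","Type","Desktop","Audited","Role","Ticket"
"1/29/2015 1:53:14 PM", "Windows Explorer", "Start", "Application Activate", "Default", "Y","<None>","<None>"
"1/29/2015 1:53:56 PM", "DirectAuthorize System Tray", "Options", "Application Activate", "Default", "Y","<None>","<None>"
"1/29/2015 1:55:02 PM", "Notepad", "notes, draft.txt - Notepad", "Window Activate", "Default", "Y","<None>","<None>"
"1/29/2015 3:00:51 PM", "Windows Explorer", "Start", "Window Activate", "LocalSQLAdmin", "Y","<None>","<None>"
"1/29/2015 3:01:16 PM", "Microsoft SQL Server Management Studio Express", "Microsoft SQL Server Management Studio Express", "Application Activate", "LocalSQLAdmin", "Y","<None>","<None>"
'''

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumed from the sample; may vary by locale


def load_events(text):
    """Parse exported event text into a list of dicts with typed values."""
    # skipinitialspace=True is needed: without it the space after each comma
    # makes csv treat the following quote as literal data, not as a delimiter.
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    events = []
    for row in reader:
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
        for key in ("Role", "Ticket"):
            if row[key] == "<None>":
                row[key] = None
        events.append(row)
    return events


def desktop_switches(events):
    """Return (time, old desktop, new desktop, application) for each change."""
    switches = []
    for prev, cur in zip(events, events[1:]):
        if cur["Desktop"] != prev["Desktop"]:
            switches.append((cur["Time"], prev["Desktop"], cur["Desktop"], cur["Application"]))
    return switches


if __name__ == "__main__":
    for when, old, new, app in desktop_switches(load_events(SAMPLE)):
        print(f"{when.isoformat()}  {old} -> {new}  ({app})")
```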