Event Log Readers

Event Log Readers is a built-in Windows local group that grants permission to read system and application event logs. It lets users monitor security events, troubleshoot issues, and analyze system activity without full admin rights. Members can access logs via Event Viewer (eventvwr.msc) or PowerShell (Get-EventLog, Get-WinEvent). The group is useful for auditors, security analysts, and administrators who need log access without elevated privileges.


Enumeration

net localgroup "Event Log Readers"

# Search the Security log for process-creation events whose command line passed a password as a CLI argument
wevtutil qe Security /rd:true /f:text | Select-String "/user"

# Pass Credentials to wevtutil (run as another user)
wevtutil qe Security /rd:true /f:text /r:share01 /u:rezydev /p:Passw0rd | findstr "/user"

# Using PowerShell cmdlets (need ADMINISTRATOR ACCESS)
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

# '-Credential' can be used to run as another user
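As an added example (not part of the original page), the script below turns the one-liners above into an audit an administrator can run: it lists who is in Event Log Readers on the host, pulls 4688 events with a server-side filter instead of piping the whole log through `where`, and reports command lines that carried a credential with the secret redacted. It assumes command-line auditing is enabled (so 4688 carries the Process Command Line field) and that the caller is a member of Event Log Readers or an administrator; the credential patterns are constructed for this example.

```powershell
# Added example: audit Event Log Readers membership and find process-creation
# events (4688) whose command line carried a credential. Not from the original page.
# Assumes: command-line auditing enabled; caller can read the Security log.

# 1. Who can read event logs on this host?
Get-LocalGroupMember -Group 'Event Log Readers' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Pull 4688 events with a filter hashtable (filtered by the service, much
#    cheaper than Get-WinEvent -LogName security | where { ... }).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

# 3. Patterns that indicate a secret was passed on the command line.
#    Constructed for this example; extend them to match your own tooling.
$secretPatterns = @(
    '/user:\S+\s+\S+',            # net use ... /user:DOMAIN\name <password>
    '/p:\S+',                     # wevtutil ... /p:<password>
    '(?i)password\s*[:=]\s*\S+'   # generic key=value form
)
$regex = $secretPatterns -join '|'

$findings = foreach ($e in $events) {
    # Properties[8] is the "Process Command Line" field of 4688, the same
    # index the page's Get-WinEvent one-liner reads.
    $cmd = $e.Properties[8].Value
    if ([string]::IsNullOrEmpty($cmd)) { continue }

    if ($cmd -match $regex) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $e.Properties[1].Value          # SubjectUserName
            Process = $e.Properties[5].Value          # NewProcessName
            # Redact the matched secret so the report itself does not leak it.
            Command = ($cmd -replace $regex, '<redacted>')
        }
    }
}

# 4. Report. An empty result means no matching command lines in the sampled events.
$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated prompt or as an Event Log Readers member; if you need to query a remote host the way the `wevtutil /r:` example does, add `-ComputerName` and `-Credential` to the `Get-WinEvent` call. Any hit is a signal that a script or operator is passing secrets on the command line and that the log itself now holds them, which is the reason membership in this group deserves the same review as local administrator membership.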