Resolving UserIDs in Event Viewer.

I wanted to find out who made a change on a server – on a known day at a known time. Looking through event-viewer on the server, all I could find was an irrelevant “TerminalServices-Printers” error. However, within this error – by clicking the Details tab and expanding the ‘system’ paragraph – I saw a USERID, which was a long string of numbers and dashes.

To resolve this userid I opened regedit and expanded HKEY_USERS. I located the userID in question and right-clicked it. Examining the ‘permissions’ configuration, the username was listed.
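The same lookup can be done from PowerShell without opening regedit. This is an added example, not part of the original post: Resolve-EventUserId is a hypothetical helper name, and the log name and time window are placeholders to be replaced with the known day and time.

```powershell
# Added example (not from the original post). Lists events in a time window and
# resolves each event's UserID (a SID) to an account name.
function Resolve-EventUserId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $LogName,
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $EndTime
    )

    $cache  = @{}   # SID string -> account name, so each SID is looked up once
    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.UserId          # SecurityIdentifier, or $null if the event has none
        if ($null -eq $sid) {
            $account = '(no UserID recorded)'
        }
        else {
            if (-not $cache.ContainsKey($sid.Value)) {
                try {
                    $cache[$sid.Value] = $sid.Translate([System.Security.Principal.NTAccount]).Value
                }
                catch {
                    # Deleted account, or a domain that cannot be reached
                    $cache[$sid.Value] = '(unresolved)'
                }
            }
            $account = $cache[$sid.Value]
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Provider    = $_.ProviderName
            UserSid     = if ($sid) { $sid.Value } else { $null }
            Account     = $account
        }
    }
}

# Placeholder log name and window (constructed values; substitute the known day and time)
Resolve-EventUserId -LogName 'System' -StartTime '2024-01-15 09:00' -EndTime '2024-01-15 10:00' |
    Format-Table -AutoSize
```

The UserID on an event is the account the logging thread was running as, so it can show SYSTEM or a service account rather than the person who made the change.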

Open SSMS as another user

I cobbled together this script which sits on my desktop called ‘ssms.vbs’. The disadvantage is you need to hard-code your password into the script and keep it up to date.

set WshShell = WScript.CreateObject("WScript.Shell")

'build runas command
WshShell.run "runas /user:DOMAIN\USERNAME %comspec%"
WScript.Sleep 100
WshShell.SendKeys "PASSWORD" 'send password
WshShell.SendKeys "{ENTER}"
WScript.Sleep 500

'Open SSMS
WshShell.SendKeys Chr(34) + "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe" + Chr(34)
WshShell.SendKeys "{ENTER}"

'Close command prompt
WshShell.SendKeys "exit"
WshShell.SendKeys "{ENTER}"
WScript.Sleep 1000

set wshshell = nothing