Simple tutorial for writing event log xml query filter


KDAM71

Active member
Local time
2:17 PM
Posts
32
OS
Windows 11
Hello.

I'm trying to write an xml filter to trigger a task in task scheduler. At the first try I get an unspecific error message. Does anyone know a simple tutorial for writing xml queries for windows events?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    MSI
    CPU
    11th Gen Intel(R) Core(TM) i5-11400H @ 2.70GHz 2.69 G
    Motherboard
    I don't know. Laptop model is GF63 Thin 11 UC
    Memory
    8GB
    Graphics Card(s)
    NVidia GeForce RTX 3050 Laptop GPU, Intel UHD Graphics
    Sound Card
    I mainly use a Logitech bluetooth audio receiver
    Monitor(s) Displays
    I use the buildin laptop screen which uses Intel UHD Graphics
    Screen Resolution
    1920x1080
    Hard Drives
    WDC PC SN540 SDDPNPF-512G-1032
    Mouse
    Touchpad
    Internet Speed
    DSL
    Browser
    Firefox
    Antivirus
    Windows Defender

My Computers

System One System Two

  • OS
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming F16 (2024)
    CPU
    i7 13650HX
    Memory
    16GB DDR5
    Graphics Card(s)
    GeForce RTX 4060 Mobile
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    512GB SSD internal
    37TB external
    PSU
    Li-ion
    Cooling
    2× Arc Flow Fans, 4× exhaust vents, 5× heatpipes
    Keyboard
    Logitech K800
    Mouse
    Logitech G402
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
  • Operating System
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Medion S15450
    CPU
    i5 1135G7
    Memory
    16GB DDR4
    Graphics card(s)
    Intel Iris Xe
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    2TB SSD internal
    37TB external
    PSU
    Li-ion
    Mouse
    Logitech G402
    Keyboard
    Logitech K800
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
Last edited:

What are the events you are trying to detect?

Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
What are the events you are trying to detect?

Denis
Source=Service Control Manager
Event ID=7040
EventData/param2=disabled
 

Trying to read from the Details pane is fraught with difficulty.
The only time I've tried it, the results were so unreliable [because of event recording timing issues] that I gave up.
I do not believe that there can be any Event viewer, Custom view definition that would accomplish what you want and therefore nothing to trigger a TS task with.

You could investigate a solution that uses the WEVUtil command.
wevutil - SS64
wevtutil - MSDocs
WEVTUtil export certain event with addn text filter - Stack Overflow
How to use wevtutil command to get event details if it only comply with specific text or word - TechNet
Query windows event log for the past two weeks - Stack Overflow
It is not impossible that you'll be able to use the Log-Source-EventID to trigger a TS task that will run a script that starts with a WEVUtil command to read the Details pane for that EventData/param2=disabled entry and then run whatever else you want it to do if it finds it.

You might also consider investigating a scripting solution that uses NirSoft FullEventLogView command line but I have never tried doing that.


All the best,
Denis
 
Last edited:

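As an added example (this is not code from Denis's post or from anyone in the thread), here is a PowerShell script of the kind described above: the Task Scheduler task is started by a basic "On an event" trigger (Log: System, Source: Service Control Manager, Event ID: 7040), and the script then uses wevtutil to pull the newest 7040 event as XML (what Event Viewer shows in the Details pane) and checks the EventData field named param2. The follow-up action and its path are placeholders.

```powershell
# Added example, not from the thread. Intended to run as the action of a task
# triggered on Log=System / Source=Service Control Manager / Event ID=7040.
# Filtering on the Details-pane field param2 happens here, in the script.

$query = "*[System[Provider[@Name='Service Control Manager'] and EventID=7040]]"

# wevtutil qe: /c:1 = one event, /rd:true = newest first, /f:xml = raw event XML
$raw = & wevtutil.exe qe System "/q:$query" /c:1 /rd:true /f:xml
if (-not $raw) {
    Write-Output "No Service Control Manager 7040 event found in the System log."
    exit 0
}

# wevtutil may return the XML as several lines; join before parsing
[xml]$evtXml = ($raw -join "`n")

# Each EventData/Data element carries a Name attribute (param1..param4 for 7040);
# collect them into a hashtable keyed by that name
$fields = @{}
foreach ($d in $evtXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

$recordId = $evtXml.Event.System.EventRecordID
Write-Output ("Record {0}: service='{1}' param2='{2}' param3='{3}'" -f `
    $recordId, $fields['param1'], $fields['param2'], $fields['param3'])

if ($fields['param2'] -eq 'disabled') {
    Write-Output "param2 is 'disabled' - running the follow-up action"
    # Placeholder: replace with whatever the task should do on a match
    # & 'C:\Scripts\follow-up.cmd'
}
```

Because the task trigger only checks log, source and event ID, the script will start on every 7040 event and exit quietly when param2 does not match; the XML filter posted later in the thread moves that test into the trigger itself so the task only starts on a real match.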
Trying to read from the Details pane is fraught with difficulty.
The only time I've tried it, the results were so unreliable [because of event recording timing issues] that I gave up.
I do not believe that there can be any Event viewer, Custom view definition that would accomplish what you want and therefore nothing to trigger a TS task with.

You could investigate a solution that uses the WEVUtil command.
wevutil - SS64
wevtutil - MSDocs
WEVTUtil export certain event with addn text filter - Stack Overflow
How to use wevtutil command to get event details if it only comply with specific text or word - TechNet
Query windows event log for the past two weeks - Stack Overflow
It is not impossible that you'll be able to use the Log-Source-EventID to trigger a TS task that will run a script that starts with a WEVUtil command to read the Details pane for that EventData/param2=disabled entry and then run whatever else you want it to do if it finds it.

You might also consider investigating a scripting solution that uses NirSoft FullEventLogView command line but I have never tried doing that.


All the best,
Denis
Thanks a lot. I'll look into it.
 

XML:
<QueryList>
  <Query Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7040)]] and *[EventData[Data[@Name='param2']='disabled']]</Select>
  </Query>
</QueryList>
 

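Added example (not part of the post above or of any poster's code): how to try the posted filter against the live System log before wiring it to a task, and how to register that same XML as the task's event trigger from PowerShell. The task name, the action and the script path are assumptions made for the illustration.

```powershell
# Added example, not from the thread. Uses the XML filter posted above unchanged.

$filterXml = @"
<QueryList>
  <Query Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7040)]] and *[EventData[Data[@Name='param2']='disabled']]</Select>
  </Query>
</QueryList>
"@

# 1) Dry run: list what the filter matches today. Get-WinEvent throws when nothing
#    matches, so "no events" is treated as an empty result rather than an error.
$hits = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue
if (-not $hits) { Write-Output "Filter matched no existing events." }
foreach ($e in $hits) {
    [xml]$x = $e.ToXml()
    $p = @{}
    foreach ($d in $x.Event.EventData.Data) { $p[$d.Name] = $d.'#text' }
    Write-Output ("{0}  {1}: {2} -> {3}" -f $e.TimeCreated, $p['param1'], $p['param2'], $p['param3'])
}

# 2) Register a task whose trigger is this event subscription.
#    MSFT_TaskEventTrigger is the CIM class behind Task Scheduler's "On an event"
#    trigger; its Subscription property takes the same XML as a custom filter.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $filterXml

# Assumed action: a script at this path (placeholder) that does the follow-up work
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\on-scm-7040.ps1'

Register-ScheduledTask -TaskName 'SCM-7040-param2-disabled' -Trigger $trigger -Action $action -Force
```

One thing worth checking before relying on the filter: the 7040 message template reads "The start type of the %1 service was changed from %2 to %3", so param2 is the start type the service had before the change and param3 is the new one. The filter as posted therefore fires when a service is changed *from* disabled to something else; if the intent is to notice a service being switched *to* disabled, the Data[@Name='param2'] test should become Data[@Name='param3'].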
XML:
<QueryList>
  <Query Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7040)]] and *[EventData[Data[@Name='param2']='disabled']]</Select>
  </Query>
</QueryList>
Thank you very much. This is exactly what I need.
 
