EVT_SUBSCRIBE_FLAGS enumeration (winevt.h)
Defines the possible values that specify when to start subscribing to events.
Syntax
typedef enum _EVT_SUBSCRIBE_FLAGS {
EvtSubscribeToFutureEvents = 1,
EvtSubscribeStartAtOldestRecord = 2,
EvtSubscribeStartAfterBookmark = 3,
EvtSubscribeOriginMask = 3,
EvtSubscribeTolerateQueryErrors = 0x1000,
EvtSubscribeStrict = 0x10000
} EVT_SUBSCRIBE_FLAGS;
Constants
EvtSubscribeToFutureEvents Value: 1 Subscribe to only future events that match the query criteria. |
EvtSubscribeStartAtOldestRecord Value: 2 Subscribe to all existing and future events that match the query criteria. |
EvtSubscribeStartAfterBookmark Value: 3 Subscribe to all existing and future events that match the query criteria that begin after the bookmarked event. If you include the EvtSubscribeStrict flag, the EvtSubscribe function fails if the bookmarked event does not exist. If you do not include the EvtSubscribeStrict flag and the bookmarked event does not exist, the subscription begins with the event that is after the event that is closest to the bookmarked event. |
EvtSubscribeOriginMask Value: 3 A bitmask that you can use to determine which of the following flags is set:
|
EvtSubscribeTolerateQueryErrors Value: 0x1000 Complete the subscription even if the part of the query generates an error (is not well formed). The service validates the syntax of the XPath query to determine if it is well formed. If the validation fails, the service parses the XPath into individual expressions. It builds a new XPath beginning with the left most expression. The service validates the expression and if it is valid, the service adds the next expression to the XPath. The service repeats this process until it finds the expression that is failing. It then uses the valid expressions that it found beginning with the leftmost expression as the XPath query (which means that you may not get the events that you expected). If no part of the XPath is valid, the EvtSubscribe call fails. |
EvtSubscribeStrict Value: 0x10000 Forces the EvtSubscribe call to fail if you specify EvtSubscribeStartAfterBookmark and the bookmarked event is not found (the return value is ERROR_NOT_FOUND). Also, set this flag if you want to receive notification in your callback when event records are missing. |
Remarks
The EvtSubscribeToFutureEvents, EvtSubscribeStartAtOldestRecord, and EvtSubscribeStartAfterBookmark flags are mutually exclusive.
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows Vista [desktop apps only] |
Minimum supported server | Windows Server 2008 [desktop apps only] |
Header | winevt.h |