Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,944 questions
EvtSubscribe has strange behavior when using query criteria with EventRecordID.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 55.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Snshadow
0
Reputation points
When using EvtSubscribe from winevt.h referencing the example code from here with query string including EventRecord ID(e.g. "Event/System[EventRecordID>10000]", it looked like it is working as expected. However, when getting future events, some event are being skipped, which can be acquired with event viewer or from powershell using "Get-EventLog". While testing it, I could find out using push subscription method does not filter future events that do not match the query criteria. It this a bug in EvtSubscribe or am I using it incorrectly?
For more details and reproducing the issue, you can refer to this github repository I created.
{count} votes
-
Jeanine Zhang-MSFT 9,346 Reputation points Microsoft Vendor2024-05-23T05:55:28.21+00:00 When I test the code you provided, there are no skip events, EventRecordIDs are sequential.
Screenshot of using push subscription method for Application channel:
Screenshot of using pull subscription method for Application channel:
If I misunderstand you, please let me know.
-
Snshadow 0 Reputation points
2024-05-23T08:09:18.7066667+00:00 The behavior differs every time the program is run. Even while the program is running.
This behavior occurs from multiple devices(both virtual and physical) and doesn't look like it's a problem of the devices I'm using..
Also, I could find the similar issue from this link written in 2022.
-
Jeanine Zhang-MSFT 9,346 Reputation points Microsoft Vendor
2024-05-24T02:50:36.5033333+00:00 As this issue is complex, to resolve this issue as soon as possible, you can open an incident via
Contact ustab at link below: https://developer.microsoft.com/en-us/windows/support/Please choose the
Technical Support - Coding/Debuggingfor Windows SDK for this issue. In-addition, if the support engineer determines that the issue is the result of a bug the service request will be a no-charge case and you won't be charged.
Sign in to comment