Both C# and CPP event fetches skip events in subscribing mode while fetching events using EventRecordID

Sam light 6 Reputation points
2022-03-30T13:49:12.533+00:00

So I was using EventRecordID to subscribe to Event Viewer data using the query:

   <QueryList>  
     <Query Id="0" Path="System">  
       <Select Path="System">*[System[EventRecordID>=164643]]</Select>  
     </Query>  
   </QueryList>  

And I am passing this into EvtSubscribe to subscribe to the respective Event Viewer log and read the event records from it. And according to this API, it should return me all the events from the log. But some events are skipped:
[Screenshot: 188369-eventrecords-getting-skipped-on-subscription.png]
May I know the reason why this is happening, considering this is not a defined behaviour and I scoured all the docs related to fetching events? In this case, for example, it is skipping events 164903, 164905, 164906.
Example code to test this behaviour can be found in the official Microsoft documentation itself, just by changing the query to the one I gave in this issue: Official Microsoft documentation with code explanations for Subscribing to the Windows Events.

Windows Server

1 answer

  1. Karthikeyan Shankar 1 Reputation point
    2022-08-03T08:06:28.317+00:00

    Hi Samlight-9356, if I am not wrong, in this line, "<Select Path="System">*[System[EventRecordID>=164643]]</Select>", you used EventRecordID>=164643. As you are using the query in XML format, you should not use the ">" operator, as it denotes the closing tag in XML. Find the correct option instead of using ">", maybe something like "&lt".

    If I am right, mail to this email id: skscience.kk@Stuff .com

    Thank You.
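
An added example, not code from the question, the answer or Microsoft's documentation: a check that takes the rendered XML of each event a subscription delivered and reports which record IDs from the requested range never arrived, which arrived late and which arrived twice. It assumes an unfiltered `*` query on a single channel, so that record IDs at or above the starting ID are expected to be contiguous; the function names and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by rendered Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def record_id(event_xml):
    """Return the EventRecordID of one rendered event as an int."""
    node = ET.fromstring(event_xml).find("e:System/e:EventRecordID", NS)
    if node is None or not (node.text or "").strip().isdigit():
        raise ValueError("event has no numeric EventRecordID")
    return int(node.text)


def audit_delivery(rendered_events, start_id):
    """Compare delivered record IDs with the contiguous range the query asked for.

    Returns (missing, out_of_order, duplicates). IDs below start_id are
    ignored because the query filter excludes them.
    """
    seen, out_of_order, duplicates = set(), [], []
    highest = start_id - 1
    for xml_text in rendered_events:
        rid = record_id(xml_text)
        if rid < start_id:
            continue
        if rid in seen:
            duplicates.append(rid)
            continue
        if rid < highest:
            out_of_order.append(rid)  # arrived late, not lost
        seen.add(rid)
        highest = max(highest, rid)
    missing = [i for i in range(start_id, highest + 1) if i not in seen]
    return missing, out_of_order, duplicates


def _sample(rid):
    # Constructed sample event, trimmed to the fields this check reads.
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>7036</EventID><EventRecordID>{rid}</EventRecordID>"
            "<Channel>System</Channel></System></Event>")


# Constructed delivery: 164903, 164905, 164906 never arrive; 164902 arrives late.
SAMPLE = [_sample(i) for i in (164900, 164901, 164904, 164902, 164907, 164907)]

if __name__ == "__main__":
    print(audit_delivery(SAMPLE, 164900))
```

Running the same check over an export of the channel separates events that were never written from events the subscription did not deliver.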

