Event Queries and Event XML
You can query for specific events that match a specified criteria to filter events that you are not interested in. For example, to retrieve information for all the critical events logged in the security event log, you can define a query that would return events that match this criteria.
All events can be represented in XML (as described in the following example) and each event XML can be validated by the Event Schema (https://go.microsoft.com/fwlink/?LinkID=81771). Event queries are defined by XPath expressions because XPath provides the ability to navigate and select a tree of XML elements. Only events that are defined by XML that match the XPath expression are returned in the query results. For more information about learning XPath to define event queries, see XPath Syntax at https://go.microsoft.com/fwlink/?LinkId=94637 and XPath Examples at https://go.microsoft.com/fwlink/?LinkId=94638.
The following XML example defines an event.
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TaskScheduler"
Guid="{de7b24ea-73c8-4a09-985d-5bdadcfa9017}" />
<EventID>310</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>310</Task>
<Opcode>0</Opcode>
<Keywords>8000000000000000</Keywords>
<TimeCreated SystemTime="2006-02-28T21:51:44.754Z" />
<EventRecordID>7664</EventRecordID>
<Correlation />
<Execution ProcessID="1068" ThreadID="1496" />
<Channel>Microsoft-Windows-TaskScheduler</Channel>
<Computer>MyComputerName</Computer>
<Security UserID="S-1-5-14" />
</System>
<UserData>
<TaskEngineProcessStarted
xmlns:auto-ns2="https://schemas.microsoft.com/win/2004/08/events"
xmlns="https://manifests.microsoft.com/win/2004/08/windows/eventlog">
<TaskEngineName>S-1-5-14:NT AUTHORITY\Local Service:Interactive:LUA</TaskEngineName>
<Command>taskeng.exe</Command>
<ProcessID>6120</ProcessID>
<ThreadID>5920</ThreadID>
</TaskEngineProcessStarted>
</UserData>
</Event>
For more information about event XML, see https://go.microsoft.com/fwlink/?LinkId=94642.
The following XPath expressions used in an event query will return this event because the event XML matches the criteria in the XPath expression:
This query will only return events with an event ID equal to 310:
*[System/EventID=310]
This query will return all events with the Level element (under the System element) equal to 4:
*[System/Level=4]
This query will return all the events that have a Provider element (under the System element) that has a Name attribute equal to Microsoft-Windows-TaskScheduler:
*[System/Provider/@Name="Microsoft-Windows-TaskScheduler"]
This query will return all the events that have a ProcessID element (under the UserData element) equal to 6120:
*[UserData/ProcessID=6120]
This query will return all the events that have a UserData element:
*[UserData/*]
For more information about querying for events and to see example XPath queries, see https://go.microsoft.com/fwlink/?LinkId=94641.
You can define event queries using the EventLogQuery class. For examples that show how to query for events, see How to: Query for Events, How to: Subscribe to Events in an Event Log, and How to: Access and Read Event Information.
See Also
Concepts
Event Log Scenarios
How to: Query for Events
How to: Subscribe to Events in an Event Log
Send comments about this topic to Microsoft.
Copyright © 2007 by Microsoft Corporation. All rights reserved.