Eventlog problems with query
Hello all, I'm coming from this post: http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/d31cf0e4-a760-40fe-9fbd-297141b81c04

My problem is basically that when, in Windows 2008 R2, I reached more than 2^32 events in the event log (4294967296), the WMI queries by RecordNumber stopped working, such as:

Select * from win32_ntlogevent where RecordNumber=xxxx

When I get the max RecordNumber I get a value lower than 4294967296, which means WMI gets the value truncated (the WMI class stores the RecordNumber in a UINT32, and as I can see in eventvwr, the record number can be up to 2^64). In the query I use the truncated value, the same one that WMI returns, so it should work.

I realized that if I use quotes around the RecordNumber, the query works, but it is REALLY slow!

Select * from win32_ntlogevent where RecordNumber='xxxx'

Can this be a bug in WMI/eventlog?

I have coded a program that gets the events from the event log in real time, and I use the RecordNumber to know which are the new events (I perform a query every minute or so). This was working fine until I got a server whose RecordNumber was higher than 4294967296. Right now those queries are not working for this server...

I really want to use the RecordNumber because it's a good way to know the last event read, and not to read duplicates. I could use TimeGenerated, but some events have the same value, so it could be a problem.

Thanks!
September 7th, 2012 3:57am

This query is throwing an error, "Invalid query". I checked, and the query "Select * from win32_ntlogevent where recordnumber='xxxxxx'" works, but it is VERY VERY SLOW, so I'm stuck at the same point.
September 17th, 2012 5:34am
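
An added example, not part of the original thread and not code from either poster: an incremental reader that tracks the last event read by record id, as the first post wants, but through the Windows Event Log API (`Get-WinEvent`), where the record id is a 64-bit `Int64` instead of the UINT32 `RecordNumber` of `Win32_NTLogEvent`. The log name, checkpoint file path and polling interval are assumptions chosen for illustration.

```powershell
param(
    [string]$LogName    = 'Application',                     # assumed log to follow
    [string]$StateFile  = "$env:ProgramData\evt-cursor.txt", # hypothetical checkpoint file
    [int]$PollSeconds   = 60                                 # "every minute or so", as in the post
)

# Restore the last processed record id; 0 means "start from the oldest event".
[long]$lastId = 0
if (Test-Path -LiteralPath $StateFile) {
    $lastId = Get-Content -LiteralPath $StateFile -TotalCount 1
}

while ($true) {
    # Numeric comparison on EventRecordID: no quoting of the value, and the id
    # is handled as a 64-bit number, so it is not cut down to 32 bits.
    $xpath = "*[System[EventRecordID > $lastId]]"

    try {
        # -Oldest returns events in ascending order, so the cursor only moves forward.
        $events = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -Oldest -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent reports "no events match" as an error; that just means nothing new.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }
    }

    foreach ($ev in $events) {
        # Emit the fields a collector usually forwards; replace with real handling.
        [pscustomobject]@{
            RecordId    = $ev.RecordId        # Nullable[Int64]
            TimeCreated = $ev.TimeCreated
            EventId     = $ev.Id
            Provider    = $ev.ProviderName
        }
        $lastId = $ev.RecordId
    }

    # Persist the cursor only after the batch is handled, so a crash causes a
    # re-read of the batch and never a silent gap.
    if ($events.Count -gt 0) {
        Set-Content -LiteralPath $StateFile -Value $lastId
    }

    Start-Sleep -Seconds $PollSeconds
}
```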

This topic is archived. No further replies will be accepted.
