I'm trying to filter events with certain data. The XML of an event that I want to filter: - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" /> <EventID>2101</EventID> <Version>1</Version> <Level>4</Level> <Task>37</Task> <Opcode>2</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2011-10-24T12:29:08.715Z" /> <EventRecordID>3805</EventRecordID> <Correlation /> <Execution ProcessID="7692" ThreadID="5100" /> <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel> <Computer>testpc</Computer> <Security UserID="S-1-5-19" /> </System> - <UserData> - <UMDFHostDeviceRequest lifetime="{BA4D6A91-A682-4396-B83B-0C46615AE07B}" instance="WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB__SD_READER&REV_1.00#12345678901234567890&0#" xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event"> - <Request major="27" minor="20"> <Argument>0x0</Argument> <Argument>0x0</Argument> <Argument>0x0</Argument> <Argument>0x0</Argument> </Request> <Status>3221225659</Status> </UMDFHostDeviceRequest> </UserData> </Event> The important part is the UMDFHostRequest instance value. I tried to use the following query: <QueryList> <Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational"> <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[UserData[UMDFHostDeviceRequest[@instance='WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB__SD_READER&REV_1.00#12345678901234567890&0#']]]</Select> </Query> </QueryList> But I get the "Event log query specified is invalid." error. What am I missing? Thanks

bump

Hi, It seems that it is better to post this question to Script forum instead as the question is codec related. Here is the website: http://social.technet.microsoft.com/Forums/en/ITCG/threads For more information, please also refer to following Microsoft TechNet blog: Advanced XML filtering in the Windows Event Viewer http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Posted in the script forum... Another user suggests I should post this in the VS2008 forum. Which is it? This is not really a scripting problem...

Hi, VS2008 forum should be Visual Studio forum. You may find it from the following link: Visual Studio http://social.msdn.microsoft.com/Forums/en/category/visualstudio Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, VS2008 forum should be Visual Studio forum. You may find it from the following link: Visual Studio http://social.msdn.microsoft.com/Forums/en/category/visualstudio Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.