3

First of all, I'd like to rant about how stupidly hard searching for something in event logs is, but I bet MS is not listening to me so that's about it.

My problem is this: I'm trying to find out all the events that have this value (0x84e9c0d) in the data portion of the event. However, the query editor tells me that "the specified query is invalid". What is wrong with this query? I've copied the code directly from https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security"> 
            *[EventData[Data and (Data=’0x84e9c0d′)]] 
         </Select>
  </Query>
</QueryList>
user2629636

1 Answer

3

Pretty sure your problem is:

Data=’0x84e9c0d′

Those quote characters are mismatched and neither of those characters appears to be the single quote character (') that is expected.

HopelessN00b
  • I'm pretty sure I need to pay more attention to details. Thanks! – user2629636 Apr 27 '16 at 17:12
  • @user2629636 I've wasted many hours myself with copy-pasta because some character didn't match what was expected. Look out for dashes... or characters that look like dashes, but aren't actually dashes. Grrrr. – HopelessN00b Apr 27 '16 at 18:44
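
The check described in the answer and comments, as an added example that is not part of the original posts: a Python script that reports typographic quote and dash lookalikes in a pasted Event Viewer query and replaces them with ASCII. The character table and function names are assumptions made for this example, and the sample query assumes the two quote characters in the question are U+2019 and U+2032.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Typographic characters that often replace ASCII ones when a query is copied
# from a blog or word processor (table chosen for this example, not exhaustive).
LOOKALIKES = {
    "\u2018": "'", "\u2019": "'", "\u201b": "'", "\u2032": "'",
    "\u201c": '"', "\u201d": '"', "\u2033": '"',
    "\u2010": "-", "\u2011": "-", "\u2012": "-",
    "\u2013": "-", "\u2014": "-", "\u2212": "-",
    "\u00a0": " ",
}

# Constructed sample reproducing the question's query (code points assumed).
SAMPLE = (
    '<QueryList>\n'
    '  <Query Id="0" Path="Security">\n'
    '    <Select Path="Security">\n'
    '      *[EventData[Data and (Data=\u20190x84e9c0d\u2032)]]\n'
    '    </Select>\n'
    '  </Query>\n'
    '</QueryList>\n'
)

def find_lookalikes(query):
    """Return (line, column, code point, Unicode name, ASCII fix) per hit."""
    hits = []
    for lineno, line in enumerate(query.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in LOOKALIKES:
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch), LOOKALIKES[ch]))
    return hits

def normalize(query):
    """Replace every lookalike with its ASCII equivalent."""
    return query.translate(str.maketrans(LOOKALIKES))

def select_expressions(query):
    """Parse the QueryList XML and return each Select's XPath text."""
    return [s.text.strip() for s in ET.fromstring(query).iter("Select")]

if __name__ == "__main__":
    for line, col, cp, name, fix in find_lookalikes(SAMPLE):
        print(f"line {line}, col {col}: {cp} {name} -> {fix!r}")
    print(select_expressions(normalize(SAMPLE))[0])
```

Both the pasted and the normalized text parse as well-formed XML, so an XML well-formedness check alone does not flag the problem; the lookalike scan does.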