Xpath

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Windows Event viewer uses xpath to create queries. It is retarded...

Some examples for greater good:

https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

Code

Comment

<QueryList>
	<Query Id="0" Pat="Security">
		<Select Path="Security">
			*[System[(EventID='4662')]]
			and
			*[EventData[Data[@Name='ObjectType'] and (Data='%{bf967a9c-0de6-11d0-a285-00aa003049e2}')]]
			and
			*[EventData[Data[@Name='AccessList'] and (Data='%%7684&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;')]]
		</Select>
	</Query>
</QueryList>

search for 4662 (group changed) of objecttype "bf967a9c-0de6-11d0-a285-00aa003049e2" which is group and accesslist = 7684 which is members

Example

some tags to find this page: query, QueryList, eventdata, ObjectType, AccessList, Security

Xpath

Navigation menu

Search