How to filter the eventlog in Vista manually (XML)

So I ran into a situation last week where I wanted to filter the event log in Vista to only show events in the Application log that contained the string msnmsgr.exe. Alas, this was not as easy as alt-clicking and adding it to the keywords, though I thought it would have been. In any case, this is how you would filter the event log for such an instance. One caveat: the data string must match exactly (no wildcards) and must be present in the XML of the event.

1) Alt-click the app log

2) Choose "Filter Current Log"

3) Click the XML tab and select "edit query manually"

4) <QueryList>

   <Query Id="0" Path="Application">

      <Select Path="Application">*[EventData[(Data='msnmsgr.exe')]]</Select>

   </Query>

   </QueryList>
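
The same filter run from PowerShell, next to a client-side fallback for the no-wildcards caveat. This is an added example, not part of the original post; `$Needle` and `$MaxEvents` are illustrative names, and the string is assumed to contain no single quote.

```powershell
# Added example: exact-match XML filter vs. client-side substring match.
$Needle    = 'msnmsgr.exe'   # string to look for (assumed: no single quote in it)
$MaxEvents = 500             # illustrative cap on how many events are read

# 1) Exact match, evaluated by the event log service. This is the same query
#    that goes into the "edit query manually" box in Event Viewer.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[(Data='$Needle')]]</Select>
  </Query>
</QueryList>
"@
$exact = @(Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents $MaxEvents `
           -ErrorAction SilentlyContinue)

# 2) Substring match, evaluated locally. The XPath filter cannot match part of
#    a <Data> value, so read recent events and test every <Data> element's text.
$contains = @(
    Get-WinEvent -LogName Application -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
    Where-Object {
        $hit = $false
        foreach ($node in ([xml]$_.ToXml()).GetElementsByTagName('Data')) {
            # Case-insensitive "contains" test (a choice made for this example)
            if ($node.InnerText.IndexOf($Needle,
                    [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hit = $true
                break
            }
        }
        $hit
    }
)

"Exact <Data> matches    : {0}" -f $exact.Count
"Substring <Data> matches: {0}" -f $contains.Count

# Events where the string is only part of a longer <Data> value (for example
# a full path) appear in the second set but not in the first.
$contains | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
```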



Comments (3)

  1. BooRadely says:

    I was just thinking another scenario where this would be handy is if you wanted to filter the eventlog on a Longhorn server for a particular machine account or user account.

  2. LSB - says:

    Hi… this blog entry was great. Thank you, it helped me along.


    /Lars B.

  3. Jürgen Wieder says:

    Hi all

    I reboot my server through the XA Mgmt Console, and I want to know if there are still users logged on or disconnected… So I created a scheduled task which is triggered by the Application popup from Citrix:

    "Application popup: Warning

    : The Citrix XenApp you are using will be restarted in 7 minutes. Please save all data and log off. Any unsaved data will be lost."

    with the following XML Query:


     <Query Id="0" Path="System">

       <Select Path="System">*[System[Provider[@Name='Application Popup']]] and *[EventData[Data='Warning']]</Select>

     </Query>



    But it is not working… If I change the 'Warning' to 'Windows' it works.

    Any ideas?

    Thanks and regards

