Apply Filters

Learn how you can query for events from a channel or a log file.

The channel or log file can exist on the local computer or on a remote computer. To specify the events that you want to get from the channel or log file, you can use an XPath query or a structured XML query. Windows Event Log supports a subset of XPath 1.0. The following examples show simple XPath expressions:
// The following query selects all events from the channel or log file
XPath Query: *

// The following query selects all the LowOnMemory events from the channel or log file
XPath Query: *[UserData/LowOnMemory]

// The following query selects all events with a severity level of 1 (Critical) from the channel or log file
XPath Query: *[System/Level=1]

// The following query shows a compound expression that selects all events from the channel or log file
// where the printer's name is MyPrinter and severity level is 1.
XPath Query: *[UserData/*/PrinterName="MyPrinter" and System/Level=1]

// The following query selects all events from the channel or log file where the severity level is
// less than or equal to 3 and the event occurred in the last 24-hour period.
XPath Query: *[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]

You can use the XPath expressions directly when calling the EvtQuery or EvtSubscribe function, or you can use a structured XML query that contains the XPath expression. An XPath expression on its own is suitable for simple queries that select events from a single source. If the XPath expression is a compound expression that contains more than 20 expressions, or you are querying for events from multiple sources, then you must use a structured XML query.
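The two query styles described above, as an added example that is not part of the original page: PowerShell's Get-WinEvent (which drives the same Event Log query API) issues a plain XPath filter against one channel, then a structured XML query across two channels. The channel names, the 24-hour window, the level threshold and the suppressed provider name are assumptions, not values from the page.

```powershell
# Added example, not code from the original page. Channel names, the 24-hour
# window, the Level threshold and the suppressed provider are assumptions.

# 1) Single source: a plain XPath filter is enough for one channel.
#    Level <= 3 covers Critical (1), Error (2) and Warning (3); timediff()
#    returns milliseconds, so 86400000 is the last 24 hours.
$xpath = '*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
$systemEvents = Get-WinEvent -LogName 'System' -FilterXPath $xpath `
                             -MaxEvents 50 -ErrorAction SilentlyContinue

# 2) Multiple sources: the same predicate over more than one channel must be
#    expressed as a structured XML query. Inside XML the '<' operator has to be
#    escaped as '&lt;'. A <Suppress> element removes noise from the result set
#    without changing the <Select> logic (provider name is a placeholder).
[xml]$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level &lt;= 3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level &lt;= 3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Suppress Path="Application">*[System[Provider[@Name='EXAMPLE-NOISY-PROVIDER']]]</Suppress>
  </Query>
</QueryList>
"@
# Add -ComputerName <host> to run the same query against a remote machine's log.
$multiChannel = Get-WinEvent -FilterXml $query -MaxEvents 200 -ErrorAction SilentlyContinue

# Summarise by channel, level and provider so a reviewer can see where the
# critical/error/warning volume of the last day is coming from.
$multiChannel |
  Group-Object LogName, Level, ProviderName |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize
```

If a filter matches nothing, Get-WinEvent reports "No events were found" as a non-terminating error, which is why both calls use -ErrorAction SilentlyContinue.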

For more information on how to query events and which API to use, see https://docs.microsoft.com/en-gb/windows/win32/wes/querying-for-events.