xpath event filter not working - xpath

I am attempting to create a XPath Event Filter to Execute a scheduled task upon completion of another one. My XPath looks like this
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and Task = 102 and (EventID=102)]]
</Select>
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[EventData[Data[@Name=’TaskName’] and (Data=’\Visual Studio Dark Theme′)]]
</Select>
<Select Path="OAlerts">
*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and Task = 102 and (EventID=102)]]
</Select>
</Query>
</QueryList>
The Event I am trying to find is this one.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" />
<EventID>102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>102</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2016-07-20T16:14:08.280937900Z" />
<EventRecordID>13055</EventRecordID>
<Correlation ActivityID="{0A2EAFD2-B40E-4C60-A099-80C020CBA547}" />
<Execution ProcessID="1164" ThreadID="6464" />
<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
<Computer>GXLT012660.CoyoteLogistics.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TaskSuccessEvent">
<Data Name="TaskName">\Visual Studio Dark Theme</Data>
<Data Name="UserContext">COYOTELOGISTICS\benjamin.drolet</Data>
<Data Name="InstanceId">{0A2EAFD2-B40E-4C60-A099-80C020CBA547}</Data>
</EventData>
</Event>
Whenever Creating a custom filter on Event Viewer with the XPath query above, I get the following error.
One of more logs in the query have errors.
Log: Microsoft-Windows-TaskScheduler/Operational
Error: The specified query is invalid.

This is rather old, so I hope you have found the answer since then, but I encountered the same problem.
What I found is that I used the wrong kind of single quotes in the query, hardly distinguishable in the editor, but when I see in your question *[EventData[Data[@Name=’TaskName’] and (Data=’\Visual Studio Dark Theme′)]], I suspect the issue is the same.
Try *[EventData[Data[@Name='TaskName'] and (Data='\Visual Studio Dark Theme')]]
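An added example, not part of the original answer: a small check that finds typographic quote characters in the <Select> expressions of an event filter and rewrites them as the ASCII quotes XPath string literals require. The function names and the look-alike table are assumptions made for this sketch; the sample input is constructed from the second <Select> in the question.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Typographic look-alikes that editors and web pages substitute for ' and ".
LOOKALIKES = {
    "\u2018": "'", "\u2019": "'", "\u2032": "'",
    "\u201c": '"', "\u201d": '"', "\u2033": '"',
}


def find_lookalike_quotes(query_list_xml):
    """Return (select_number, offset, char, unicode_name) for each bad quote."""
    findings = []
    root = ET.fromstring(query_list_xml)
    for number, select in enumerate(root.iter("Select"), start=1):
        expr = select.text or ""
        for offset, ch in enumerate(expr):
            if ch in LOOKALIKES:
                findings.append((number, offset, ch, unicodedata.name(ch)))
    return findings


def normalize_quotes(text):
    """Replace typographic quotes with their ASCII equivalents."""
    return text.translate(str.maketrans(LOOKALIKES))


# Constructed sample: the failing <Select> from the question, with its
# typographic quotes written as escapes so they are visible here.
SAMPLE = """<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(EventID=102)]]</Select>
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">*[EventData[Data[@Name=\u2019TaskName\u2019] and (Data=\u2019\\Visual Studio Dark Theme\u2032)]]</Select>
  </Query>
</QueryList>"""

if __name__ == "__main__":
    for number, offset, ch, name in find_lookalike_quotes(SAMPLE):
        print(f"Select #{number}, offset {offset}: U+{ord(ch):04X} {name}")
    print(normalize_quotes(SAMPLE))
```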

Related

Custom Powershell service won't start

Good afternoon,
In our company, we are trying to change one of our current custom services, from NSSM to a custom-made one with PS.
This code already works on W7 and W10 1607 machines. But the same code fails to start on machines with W10 1809.
This is the code (With other non related stuff):
$params = @{
Name = "CertFix"
BinaryPathName = "c:\winhttpcertcfg.exe -g -c LOCAL_MACHINE\MY -s HOSTNAME -a USER"
DependsOn = "NetLogon"
DisplayName = "certfix"
StartupType = "Automatic"
Description = "Service to give USER permission on the machine certificate"
}
New-Service @params
The error that it gives is:
Log Name: System
Source: Service Control Manager
Date: 18/01/2023 18:28:35
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: hostname.store.domain.grp
Description:
The certfix service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2023-01-18T17:28:35.711754000Z" />
<EventRecordID>31657</EventRecordID>
<Correlation />
<Execution ProcessID="124" ThreadID="1664" />
<Channel>System</Channel>
<Computer>hostname.store.domain.grp</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">certfix</Data>
<Data Name="param2">%%1053</Data>
<Binary>63006500720074006600690078000000</Binary>
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 18/01/2023 18:28:35
Event ID: 7009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: hostname.store.domain.grp
Description:
A timeout was reached (30000 milliseconds) while waiting for the certfix service to connect.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7009</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2023-01-18T17:28:35.711754000Z" />
<EventRecordID>31656</EventRecordID>
<Correlation />
<Execution ProcessID="124" ThreadID="1664" />
<Channel>System</Channel>
<Computer>hostname.store.domain.grp</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">30000</Data>
<Data Name="param2">certfix</Data>
<Binary>63006500720074006600690078000000</Binary>
</EventData>
</Event>
The service is working on previous builds. But we are unable to make it work on 1809. Any advice would be great. Thanks in advance
I tried changing various ways on the BinaryPathName parameter, to fit the advice on the official New-Service page, but without success.

Web Deploy Code First stopped working when existing DB added

I've got a Web API 2 project set up using Code First. The publish dialog was detecting the DB and allowing me to use Code First Migrations.
I then added a second DB connection using the steps here.
Now when I publish, the dialog only detects the new database and does not give me any options for the original one.
I removed every reference to the second DB that I can find, but the Publish dialog is still showing references to it (and not to the original DB). I've compared my current revision to the one before I added the second DB, and the pubxml for my publishing profile is different, but VS auto-generates the part that is different:
Before:
<PublishDatabaseSettings>
<Objects>
<ObjectGroup Name="DefaultConnection" Order="1" Enabled="True">
<Destination Path="" />
<Object Type="DbCodeFirst">
<Source Path="DBMigration" DbContext="Project.Models.ApplicationDbContext, Project" MigrationConfiguration="Project.Migrations.Configuration, Project" Origin="Convention" />
</Object>
</ObjectGroup>
</Objects>
</PublishDatabaseSettings>
...
<ItemGroup>
<MSDeployParameterValue Include="$(DeployParameterPrefix)DefaultConnection-Web.config Connection String">
<ParameterValue>Data Source=localhost;Initial Catalog=OriginalDB;User ID=user;Password=password</ParameterValue>
</MSDeployParameterValue>
</ItemGroup>
<ItemGroup>
<_ConnectionStringsToInsert Include="DefaultConnection" />
</ItemGroup>
After:
<PublishDatabaseSettings>
<Objects>
<ObjectGroup Name="NewDatabase" Order="2" Enabled="False" xmlns="">
<Destination Path="" />
<Object Type="DbDacFx">
<PreSource Path="Data Source=(localdb)\MSSQLLocalDB;Initial Catalog=newcatalog;Integrated Security=True;Application Name=EntityFramework" includeData="False" />
<Source Path="$(IntermediateOutputPath)AutoScripts\NewDatabase_IncrementalSchemaOnly.dacpac" dacpacAction="Deploy" />
</Object>
<UpdateFrom Type="Web.Config">
<Source MatchValue="data source=(localdb)\MSSQLLocalDB;initial catalog=newcatalog;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework" MatchAttributes="$(UpdateFromConnectionStringAttributes)" />
</UpdateFrom>
</ObjectGroup>
</Objects>
</PublishDatabaseSettings>
...
<ItemGroup>
<MSDeployParameterValue Include="$(DeployParameterPrefix)NewDatabase-Web.config Connection String" />
</ItemGroup>
I'm not sure where this is being generated from, how would I go about getting this to work with both databases, or failing that, getting it back to the point where it works with the original DB?

Change 'command' in a binding using xbl:inherits

I'm making an application that runs in XULRunner on Windows.
There I created the browser-toolbar binding that will be used in different places. While the binding needs to look the same it should execute different commands on button clicks.
I'm trying to accomplish it like this (code is simplified, namespaces are dropped):
<binding id="custom-browser-type-a">
<content>
<commandset>
<command id="TypeA:Home" oncommand="home()"/>
<command id="TypeA:Back" oncommand="back()"/>
</commandset>
<browser-toolbar cmd_home="TypeA:Home" cmd_back="TypeA:Back" ... />
<browser/>
</content>
<implementation>
...
</implementation>
</binding>
<binding id="browser-toolbar">
<content>
<toolbar>
<toolbarbutton label="Home" xbl:inherits="command=cmd_home"/>
<toolbarbutton label="Back" xbl:inherits="command=cmd_back"/>
...
</toolbar>
</content>
</binding>
Once clicked, a toolbarbutton executes its assigned command just fine. The problem is that when I disable a command, it doesn't affect the disabled state of the corresponding toolbarbutton; it stays enabled. Does anyone have any idea why that is not working?
Thank you!

Who changes the time?

I am aware of the WM_TIMECHANGE message in the Win32 API, but is it possible to find out which application or process is changing the time?
I have an application (Windows XP) where I'm logging events and the time logged with the events is changing unexpectedly.
I have already checked: Daylight Savings adjustment is turned off, and automatic syncing with an internet time server is also turned off.
Is there a process in the Windows OS (except for DST changes and NTP) that could set the system time?
Time changes are saved to the Windows Event Log, specifically, they're saved to the security log. Now, this isn't guaranteed to work; admins can clear the security log, but it's a way to find the PID and the file name of the process that called SetSystemTime.
This answer talks about finding the event in the System log; however, you should also be able to find it in the Security log by looking for event ID 4616. I've added a sample record here (with various bits redacted):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4616</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2013-10-07T18:55:08.999738200Z" />
<EventRecordID>29419283</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5460" />
<Channel>Security</Channel>
<Computer>some computer ID</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-SID_REDACTED</Data>
<Data Name="SubjectUserName">UserName</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="SubjectLogonId">0xBADDFOOD</Data>
<Data Name="PreviousTime">2013-10-07T18:55:08.996254000Z</Data>
<Data Name="NewTime">2013-10-07T18:55:09.000000000Z</Data>
<Data Name="ProcessId">0xPID</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>
Note that the process name is stored explicitly.
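An added example, not part of the original answer: parsing exported 4616 records offline to report which process and account changed the clock and by how much, and to flag changes that come from an unexpected binary or exceed an allowed drift. The function names, the 1-second threshold and the caller-supplied list of expected processes are assumptions of this sketch; the sample record is constructed in the shape of the one above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event_time(value):
    """Event timestamps carry 9 fractional digits; strptime's %f accepts at most 6."""
    head, _, frac = value.rstrip("Z").partition(".")
    stamp = f"{head}.{(frac + '000000')[:6]}"
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_4616(event_xml):
    """Return who changed the clock and by how much, or None if not a 4616 record."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4616":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    shift = parse_event_time(data["NewTime"]) - parse_event_time(data["PreviousTime"])
    return {
        "user": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
        "process": data["ProcessName"],
        "shift_seconds": shift.total_seconds(),
    }


def needs_review(change, expected_processes, max_shift_seconds=1.0):
    """Flag a change made by an unexpected binary or larger than the allowed drift."""
    expected = {p.lower() for p in expected_processes}
    return (change["process"].lower() not in expected
            or abs(change["shift_seconds"]) > max_shift_seconds)


def sample_event(previous, new, process, event_id="4616"):
    # Constructed record shaped like the sample above, trimmed to the fields used here.
    return f"""<Event xmlns="{NS['e']}"><System><EventID>{event_id}</EventID></System>
<EventData><Data Name="SubjectUserName">UserName</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="PreviousTime">{previous}</Data><Data Name="NewTime">{new}</Data>
<Data Name="ProcessName">{process}</Data></EventData></Event>"""


if __name__ == "__main__":
    DLLHOST = r"C:\Windows\System32\dllhost.exe"
    small = parse_4616(sample_event("2013-10-07T18:55:08.996254000Z",
                                    "2013-10-07T18:55:09.000000000Z", DLLHOST))
    print(small, needs_review(small, [DLLHOST]))
```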

windows service event log error Event 7011 not responded to

I am getting this windows event on some machines that run this service but not all and during periods of no activity in terms of software usage. My problem is I have no idea what in the C++ code for the service might not be correctly handled. How can I relate event 7011 back into the C++ code...any ideas what this event actually means:
Log Name: System
Source: Service Control Manager
Date: 2/6/2018 9:54:03 AM
Event ID: 7011
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: LEGNCOA02.calegis.net
Description:
A timeout (120000 milliseconds) was reached while waiting for a transaction
response from the App Server service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7011</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2018-02-06T17:54:03.979566000Z" />
<EventRecordID>1654065</EventRecordID>
<Correlation />
<Execution ProcessID="660" ThreadID="186984" />
<Channel>System</Channel>
<Computer>LEGNCOA02.calegis.net</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">120000</Data>
<Data Name="param2">App Server</Data>
</EventData>
</Event>
The service does start and function correctly. The timeout for these events was extended in the registry but that just increased the time between events by the amount of timeout increase. In short it looks like windows is never getting what it expects.
I worked this out...
Where the service handles SERVICE_CONTROL_STOP
also handle from winsvc.h
SERVICE_CONTROL_PAUSE
SERVICE_CONTROL_CONTINUE
SERVICE_CONTROL_INTERROGATE
SERVICE_CONTROL_PARAMCHANGE
SERVICE_CONTROL_NETBINDADD
SERVICE_CONTROL_NETBINDREMOVE
SERVICE_CONTROL_NETBINDENABLE
SERVICE_CONTROL_NETBINDDISABLE
SERVICE_CONTROL_DEVICEEVENT
SERVICE_CONTROL_HARDWAREPROFILECHANGE
SERVICE_CONTROL_POWEREVENT
SERVICE_CONTROL_SESSIONCHANGE
SERVICE_CONTROL_PRESHUTDOWN
SERVICE_CONTROL_INTERROGATE was the one that windows was generating, no idea why it was doing that but responding as RUNNING seemed to handle it.
