Zulgrib
Reputation: 638
Scheduled tasks invalid filter using XML
I try to make a trigger using XML on the Window's task scheduler, but the tool tells me a filter is invalid and i was unable to find what is wrong.
My current XML is
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and Task = 12801 and (EventID=4656) ]] and
*[EventData[Data[@Name='SubjectUserSid' and (Data='S-1-5-18')]] and
[Data[@Name='ObjectType' and (Data=Key) ]]]
</Select>
</Query>
</QueryList>
When I remove
and
[Data[@Name='ObjectType' and (Data=Key) ]]
The XML is accepted without error. As I don't understand what is wrong on my last line I'm stuck.
Upvotes: 0
Views: 488
Answers (1)
leonard1664
Reputation: 26
There are some missing closing square brackets around the SubjectUserSid and ObjectType attributes, the "*[EventData" missing from the last query line, and missing quotes around the Data value "Key". This works in my EventViewer:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and Task = 12801 and (EventID=4656) ]] and
*[EventData[Data[@Name='SubjectUserSid'] and (Data='S-1-5-18') ]] and
*[EventData[Data[@Name='ObjectType'] and (Data='Key') ]]
</Select>
</Query>
</QueryList>
Upvotes: 1
Related Questions
- xpath event filter not working
- Filter list of scheduled tasks by taskname
- XPath Query for Scheduled Task
- Windows Task Scheduler XPath for filtering event on hour of day
- Filter list of scheduled tasks that contain specific string in Task To Run
- Register scheduled task from XML source
- Error importing Scheduled Task xml with Powershell
- Why will this XPath work in PowerShell but not Task Scheduler?
- Scheduled Task will not run returns e0434f4d as last result
- Task Schedule Refusal