Missing Name attributes on Application Error Event Log Data

Edit: to clarify: this question is about finding documentation from Microsoft, not about coding (programming-wise I have made what may or may not be a brittle solution, I just need to know how brittle).

On my machine when a program crashes, an Application Error event (id=1000) is logged. It contains EventData\Data elements with Name attributes:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" /> 
    <EventID>1000</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>100</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8000000000000000</Keywords> 
    <TimeCreated SystemTime="2023-11-23T07:21:17.8580874Z" /> 
    <EventRecordID>115450</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="40036" ThreadID="30520" /> 
    <Channel>Application</Channel> 
    <Computer>COMPUTER</Computer> 
    <Security UserID="S-1-5-21-3767373869-1191893141-2221839827-9409" /> 
  </System>
  <EventData>
    <Data Name="AppName">explorer.exe</Data> 
    <Data Name="AppVersion">10.0.22621.2715</Data> 
    <Data Name="AppTimeStamp">29e0887d</Data> 
    <Data Name="ModuleName">ntdll.dll</Data> 
    <Data Name="ModuleVersion">10.0.22621.2506</Data> 
    <Data Name="ModuleTimeStamp">bced4b82</Data> 
    <Data Name="ExceptionCode">c0000005</Data> 
    <Data Name="FaultingOffset">0000000000033aca</Data> 
    <Data Name="ProcessId">0x7f30</Data> 
    <Data Name="ProcessCreationTime">0x1da1ddd33a534b8</Data> 
    <Data Name="AppPath">C:\WINDOWS\explorer.exe</Data> 
    <Data Name="ModulePath">C:\WINDOWS\SYSTEM32\ntdll.dll</Data> 
    <Data Name="IntegratorReportId">9b4b87a8-7f38-494b-8d48-b451b07baf2c</Data> 
    <Data Name="PackageFullName" /> 
    <Data Name="PackageRelativeAppId" /> 
  </EventData>
</Event>

Querying for these for a specific application via XPath is easy enough: look for the events where Data['AppName'] == 'MyApp.exe'.

However on a different machine, I get events without any name attributes. This makes the querying difficult. What is it that makes the attributes appear/not appear in these logs? How can I work with the data in this form? Is the order/count of data elements guaranteed to be fixed for a specific ID, e.g. that an Application Error (id=1000) event always has the same data in the same order?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" /> 
    <EventID Qualifiers="0">1000</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>100</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x80000000000000</Keywords> 
    <TimeCreated SystemTime="2023-11-23T07:31:42.9685382Z" /> 
    <EventRecordID>306438</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="0" ThreadID="0" /> 
    <Channel>Application</Channel> 
    <Computer>OTHERCOMPUTER</Computer> 
    <Security /> 
  </System>
  <EventData>
    <Data>explorer.exe</Data> 
    <Data>10.0.22621.2715</Data> 
    <Data>29e0887d</Data> 
    <Data>ntdll.dll</Data> 
    <Data>10.0.22621.2506</Data> 
    <Data>bced4b82</Data> 
    <Data>c0000005</Data> 
    <Data>0000000000033aca</Data> 
    <Data>c00000fd</Data> 
    <Data>00007ffd56b4fd5a</Data> 
    <Data>3a20</Data> 
    <Data>01da1ddc5cb4da50</Data> 
    <Data>C:\WINDOWS\explorer.exe</Data> 
    <Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data> 
    <Data>c6e1d9d7-5bdb-405d-aa92-73d7d44d6fca</Data> 
    <Data /> 
    <Data /> 
  </EventData>
</Event>
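As an added example (not code from the original question), here is a Python parser that handles both shapes shown above: it uses the Name attributes when present, maps unnamed Data elements against a field list copied from the named event only when the element count matches, and otherwise keeps the values by index so nothing is silently misread. The field order, the "first Data element is AppName" fallback, and the event_xml helper are assumptions taken from the two samples, not from Microsoft documentation.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Field order copied from the named Application Error (1000) event above.
# Assumption: an unnamed event with exactly this many Data elements uses the
# same layout; any other count is left unmapped rather than guessed.
TEMPLATES = {
    1000: ["AppName", "AppVersion", "AppTimeStamp", "ModuleName",
           "ModuleVersion", "ModuleTimeStamp", "ExceptionCode",
           "FaultingOffset", "ProcessId", "ProcessCreationTime", "AppPath",
           "ModulePath", "IntegratorReportId", "PackageFullName",
           "PackageRelativeAppId"],
}

def parse_event(xml_text):
    """Return (event_id, {field: value}, mode) for one <Event> document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = root.findall("e:EventData/e:Data", NS)
    names = [d.get("Name") for d in data]
    values = [d.text or "" for d in data]  # empty <Data /> becomes ""
    if data and all(names):
        return event_id, dict(zip(names, values)), "named"
    template = TEMPLATES.get(event_id)
    if template and len(template) == len(values):
        return event_id, dict(zip(template, values)), "positional"
    # Unknown layout (e.g. the 17-element event above): keep values by index.
    return event_id, {f"Data[{i}]": v for i, v in enumerate(values)}, "unmapped"

def is_crash_of(xml_text, app_name):
    """True when the event is an Application Error 1000 for app_name."""
    event_id, fields, mode = parse_event(xml_text)
    if event_id != 1000:
        return False
    if mode == "unmapped":
        # Assumption from both samples: the first Data element is the AppName.
        return fields.get("Data[0]") == app_name
    return fields.get("AppName") == app_name

def event_xml(values, names=None):
    """Constructed test input (hypothetical helper); names=None builds the unnamed form."""
    names = names or [None] * len(values)
    body = "".join(f'<Data Name="{n}">{v}</Data>' if n else f"<Data>{v}</Data>"
                   for n, v in zip(names, values))
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1000</EventID></System>'
            f"<EventData>{body}</EventData></Event>")
```

The "unmapped" mode is the signal to look at: when a machine logs a Data count the template does not cover, the positional mapping is exactly the brittle part and should be reviewed rather than trusted.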