
On my machine when a program crashes, an Application Error event (id=1000) is logged. It contains EventData\Data elements with Name attributes:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" /> 
    <EventID>1000</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>100</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8000000000000000</Keywords> 
    <TimeCreated SystemTime="2023-11-23T07:21:17.8580874Z" /> 
    <EventRecordID>115450</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="40036" ThreadID="30520" /> 
    <Channel>Application</Channel> 
    <Computer>COMPUTER</Computer> 
    <Security UserID="S-1-5-21-3767373869-1191893141-2221839827-9409" /> 
  </System>
  <EventData>
    <Data Name="AppName">explorer.exe</Data> 
    <Data Name="AppVersion">10.0.22621.2715</Data> 
    <Data Name="AppTimeStamp">29e0887d</Data> 
    <Data Name="ModuleName">ntdll.dll</Data> 
    <Data Name="ModuleVersion">10.0.22621.2506</Data> 
    <Data Name="ModuleTimeStamp">bced4b82</Data> 
    <Data Name="ExceptionCode">c0000005</Data> 
    <Data Name="FaultingOffset">0000000000033aca</Data> 
    <Data Name="ProcessId">0x7f30</Data> 
    <Data Name="ProcessCreationTime">0x1da1ddd33a534b8</Data> 
    <Data Name="AppPath">C:\WINDOWS\explorer.exe</Data> 
    <Data Name="ModulePath">C:\WINDOWS\SYSTEM32\ntdll.dll</Data> 
    <Data Name="IntegratorReportId">9b4b87a8-7f38-494b-8d48-b451b07baf2c</Data> 
    <Data Name="PackageFullName" /> 
    <Data Name="PackageRelativeAppId" /> 
  </EventData>
</Event>

Querying for these for a specific application via XPath is easy enough: look for the events where Data['AppName'] == 'MyApp.exe'.

However, on a different machine, I get events without any Name attributes. This makes the querying difficult. What is it that makes the attributes appear/not appear in these logs? Is the order/count of data elements guaranteed to be fixed for a specific ID, e.g. that an Application Error (id=1000) event always has the same data in the same order?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" /> 
    <EventID Qualifiers="0">1000</EventID> 
    <Version>0</Version> 
    <Level>2</Level> 
    <Task>100</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x80000000000000</Keywords> 
    <TimeCreated SystemTime="2023-11-23T07:31:42.9685382Z" /> 
    <EventRecordID>306438</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="0" ThreadID="0" /> 
    <Channel>Application</Channel> 
    <Computer>OTHERCOMPUTER</Computer> 
    <Security /> 
  </System>
  <EventData>
    <Data>explorer.exe</Data> 
    <Data>10.0.22621.2715</Data> 
    <Data>29e0887d</Data> 
    <Data>ntdll.dll</Data> 
    <Data>10.0.22621.2506</Data> 
    <Data>bced4b82</Data> 
    <Data>c0000005</Data> 
    <Data>0000000000033aca</Data> 
    <Data>c00000fd</Data> 
    <Data>00007ffd56b4fd5a</Data> 
    <Data>3a20</Data> 
    <Data>01da1ddc5cb4da50</Data> 
    <Data>C:\WINDOWS\explorer.exe</Data> 
    <Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data> 
    <Data>c6e1d9d7-5bdb-405d-aa92-73d7d44d6fca</Data> 
    <Data /> 
    <Data /> 
  </EventData>
</Event>

Edit: to clarify, this question is about finding documentation on Microsoft's part, not about coding (programming-wise I have made what may or may not be a brittle solution; I just need to know how brittle).

  • On Windows 10 I get the same XML data as in your second example. Seems like the first example is the real exception.
    – harrymc
    Commented Nov 23, 2023 at 9:56
  • You'd then hope the index of each value is well defined. But I can't find any information about that. Basically I need to know if I can change a query that scans for Data[@Name='Something'] == '...' into using Data[N] = '...' and that the next version of Windows won't throw in a new entry in the middle, shifting everything down. Commented Nov 23, 2023 at 10:29

1 Answer


On Windows 10 I get the same XML data as in your second example. I think that you can't depend on the Name attribute being present on the <Data> tag, but need to find a general solution.

I'm not an XPath specialist, but instead of Data['AppName'] == 'MyApp.exe', you could search for a <Data> tag that contains strings that are indicative of a process name, such as ".exe" or ".dll".

One reference article I found is Definition of Xpath Contains. Perhaps this post will also help.

  • Sadly, for many of them it's just a number/offset/address that can be a valid value for many of the entries. For example: I must confirm that item #11 of a crash event is always the method offset. Otherwise I can't use that number. If it's not well defined then the data is pretty useless, so it seems likely that it IS indeed well defined. But potentially it could be well defined for specific versions of Windows or specific circumstances (e.g. a .NET app crashing vs a different app). That's the documentation I need. Commented Nov 24, 2023 at 7:57
  • Unfortunately this documentation does not exist, at least publicly. Microsoft does not document areas for which it prefers to be free to change without notice. You will need to change your search to something that's perhaps similar to what I have outlined.
    – harrymc
    Commented Nov 24, 2023 at 9:54
  • There is no way of telling a method address from a method offset because they are both just numbers. If it's truly "this is subject to change" or "this order should not be relied on" etc., then perhaps that fact might be documented somewhere? Otherwise the answer to my question could be: "this isn't documented, and not even the fact that it isn't documented is documented". Commented Nov 24, 2023 at 9:59
  • I'm trying to find you a method that works, rather than giving a negative answer.
    – harrymc
    Commented Nov 24, 2023 at 11:05
  • Thanks. The problem is solved. I have all the suggestions implemented (match value when possible, use index when impossible, and so on). But it could be brittle. Or it could be future proof. I don't know. The question now is basically "what will make this break?" Commented Nov 24, 2023 at 14:36
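The "general solution" the answer asks for, combined with the match-value-when-possible, index-when-impossible approach the asker describes in the last comment, as an added Python example that is not code from the question or the answer. It assumes the field order of the unnamed form is exactly the one in the question's second sample (17 values, against 15 named values in the first sample); the two extra values at positions 9 and 10 have no name on the page and are labelled as unknown placeholders. The positional fallback is guarded by shape checks so that a layout shifted by a future Windows build fails loudly instead of quietly mislabelling a value, which is the "what will make this break?" condition the asker wants to detect.

```python
"""Extract fields from Application Error (EventID 1000) events whose <Data>
elements may or may not carry Name attributes. Added example; the positional
layout in LEGACY_FIELDS is an assumption read off the question's unnamed sample."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed order for the unnamed form, copied from the question's second sample.
# Positions 9 and 10 are the two extra values it carries; the page gives them no name.
LEGACY_FIELDS = [
    "AppName", "AppVersion", "AppTimeStamp", "ModuleName", "ModuleVersion",
    "ModuleTimeStamp", "ExceptionCode", "FaultingOffset",
    "Unnamed9", "Unnamed10",  # placeholders: meaning not stated on the page
    "ProcessId", "ProcessCreationTime", "AppPath", "ModulePath",
    "IntegratorReportId", "PackageFullName", "PackageRelativeAppId",
]

# Shape checks for values recovered by position only. A field inserted by a future
# build shifts everything down; these checks raise instead of mislabelling.
SHAPE_CHECKS = {
    "AppName": re.compile(r"^[^\\]+\.exe$", re.I),
    "ModuleName": re.compile(r"^[^\\]+\.(dll|exe)$", re.I),
    "ExceptionCode": re.compile(r"^[0-9a-f]{8}$", re.I),
    "AppPath": re.compile(r"^[a-z]:\\", re.I),
    "IntegratorReportId": re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),
}

# Constructed samples: trimmed copies of the two events quoted in the question.
NAMED_SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1000</EventID><Computer>COMPUTER</Computer></System>
  <EventData>
    <Data Name="AppName">explorer.exe</Data><Data Name="AppVersion">10.0.22621.2715</Data>
    <Data Name="AppTimeStamp">29e0887d</Data><Data Name="ModuleName">ntdll.dll</Data>
    <Data Name="ModuleVersion">10.0.22621.2506</Data><Data Name="ModuleTimeStamp">bced4b82</Data>
    <Data Name="ExceptionCode">c0000005</Data><Data Name="FaultingOffset">0000000000033aca</Data>
    <Data Name="ProcessId">0x7f30</Data><Data Name="ProcessCreationTime">0x1da1ddd33a534b8</Data>
    <Data Name="AppPath">C:\WINDOWS\explorer.exe</Data><Data Name="ModulePath">C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
    <Data Name="IntegratorReportId">9b4b87a8-7f38-494b-8d48-b451b07baf2c</Data>
    <Data Name="PackageFullName" /><Data Name="PackageRelativeAppId" />
  </EventData>
</Event>"""

LEGACY_SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="0">1000</EventID><Computer>OTHERCOMPUTER</Computer></System>
  <EventData>
    <Data>explorer.exe</Data><Data>10.0.22621.2715</Data><Data>29e0887d</Data>
    <Data>ntdll.dll</Data><Data>10.0.22621.2506</Data><Data>bced4b82</Data>
    <Data>c0000005</Data><Data>0000000000033aca</Data>
    <Data>c00000fd</Data><Data>00007ffd56b4fd5a</Data>
    <Data>3a20</Data><Data>01da1ddc5cb4da50</Data>
    <Data>C:\WINDOWS\explorer.exe</Data><Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
    <Data>c6e1d9d7-5bdb-405d-aa92-73d7d44d6fca</Data>
    <Data /><Data />
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return (fields, mode); mode is 'named' or 'positional'.
    Raises ValueError when an unnamed layout does not match LEGACY_FIELDS."""
    root = ET.fromstring(xml_text)
    if int(root.findtext("e:System/e:EventID", namespaces=NS)) != 1000:
        raise ValueError("not an Application Error (1000) event")
    data = root.findall("e:EventData/e:Data", NS)
    if data and all(d.get("Name") for d in data):
        return {d.get("Name"): (d.text or "") for d in data}, "named"
    if len(data) != len(LEGACY_FIELDS):
        raise ValueError(f"expected {len(LEGACY_FIELDS)} Data elements, got {len(data)}")
    fields = {name: (d.text or "") for name, d in zip(LEGACY_FIELDS, data)}
    for name, pattern in SHAPE_CHECKS.items():
        if not pattern.match(fields[name]):
            raise ValueError(f"positional field {name} failed shape check: {fields[name]!r}")
    return fields, "positional"


def is_crash_of(xml_text, app_name):
    """True when the event records a crash of app_name (case-insensitive)."""
    root = ET.fromstring(xml_text)
    # Fast path: the attribute query from the question, valid only when names exist.
    hit = root.find("e:EventData/e:Data[@Name='AppName']", NS)
    if hit is not None:
        return (hit.text or "").lower() == app_name.lower()
    fields, _ = parse_event(xml_text)
    return fields["AppName"].lower() == app_name.lower()
```

Because the shape checks only cover fields whose format is stable across both samples (file names, paths, the 8-digit exception code, the report GUID), a new field inserted anywhere before them trips at least one check; a field appended at the end changes the element count and trips the length check instead.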
