On my machine when a program crashes, an Application Error
event (id=1000) is logged. It contains EventData\Data
elements with Name
attributes:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" />
<EventID>1000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>100</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2023-11-23T07:21:17.8580874Z" />
<EventRecordID>115450</EventRecordID>
<Correlation />
<Execution ProcessID="40036" ThreadID="30520" />
<Channel>Application</Channel>
<Computer>COMPUTER</Computer>
<Security UserID="S-1-5-21-3767373869-1191893141-2221839827-9409" />
</System>
<EventData>
<Data Name="AppName">explorer.exe</Data>
<Data Name="AppVersion">10.0.22621.2715</Data>
<Data Name="AppTimeStamp">29e0887d</Data>
<Data Name="ModuleName">ntdll.dll</Data>
<Data Name="ModuleVersion">10.0.22621.2506</Data>
<Data Name="ModuleTimeStamp">bced4b82</Data>
<Data Name="ExceptionCode">c0000005</Data>
<Data Name="FaultingOffset">0000000000033aca</Data>
<Data Name="ProcessId">0x7f30</Data>
<Data Name="ProcessCreationTime">0x1da1ddd33a534b8</Data>
<Data Name="AppPath">C:\WINDOWS\explorer.exe</Data>
<Data Name="ModulePath">C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
<Data Name="IntegratorReportId">9b4b87a8-7f38-494b-8d48-b451b07baf2c</Data>
<Data Name="PackageFullName" />
<Data Name="PackageRelativeAppId" />
</EventData>
</Event>
Querying for these for a specific application via XPath is easy enough: look for the events where Data['AppName'] == 'MyApp.exe'.
However, on a different machine, I get events without any Name attributes. This makes querying difficult. What is it that makes the attributes appear or not appear in these logs? Is the order/count of Data elements guaranteed to be fixed for a specific ID, e.g. does an Application Error (id=1000) event always have the same data in the same order?
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>100</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2023-11-23T07:31:42.9685382Z" />
<EventRecordID>306438</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>OTHERCOMPUTER</Computer>
<Security />
</System>
<EventData>
<Data>explorer.exe</Data>
<Data>10.0.22621.2715</Data>
<Data>29e0887d</Data>
<Data>ntdll.dll</Data>
<Data>10.0.22621.2506</Data>
<Data>bced4b82</Data>
<Data>c0000005</Data>
<Data>0000000000033aca</Data>
<Data>c00000fd</Data>
<Data>00007ffd56b4fd5a</Data>
<Data>3a20</Data>
<Data>01da1ddc5cb4da50</Data>
<Data>C:\WINDOWS\explorer.exe</Data>
<Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
<Data>c6e1d9d7-5bdb-405d-aa92-73d7d44d6fca</Data>
<Data />
<Data />
</EventData>
</Event>
Edit: to clarify: this question is about finding documentation from Microsoft's side, not about coding (programming-wise I have made what may or may not be a brittle solution; I just need to know how brittle).
Data[@Name='Something'] == '...'
into using Data[N] = '...'
and that the next version of Windows won't throw in a new entry in the middle, shifting everything down.
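The following is an added example, not part of the question or of any Microsoft documentation, showing one way to query both shapes of event 1000 shown above without depending on which machine produced them: use the Name attributes when every Data element carries one, and otherwise fall back to a positional layout selected by the number of Data elements. The layout table is an assumption read off the two posted events rather than a documented contract. Note that the unnamed event has 17 Data elements against the named event's 15, with two extra values inserted after FaultingOffset, so a fixed index past position 8 would already be wrong across these two machines; the code therefore raises on an unrecognised count instead of silently mapping fields. The two event strings are trimmed copies of the events in the question (only the System fields the code reads are kept).

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional layouts. ASSUMPTION: derived from the two events in the question,
# not from a Microsoft-documented schema. The first eight fields line up on
# both machines; the 17-element variant carries two extra values after
# FaultingOffset whose meaning the question does not establish.
LAYOUT_15 = [
    "AppName", "AppVersion", "AppTimeStamp", "ModuleName", "ModuleVersion",
    "ModuleTimeStamp", "ExceptionCode", "FaultingOffset", "ProcessId",
    "ProcessCreationTime", "AppPath", "ModulePath", "IntegratorReportId",
    "PackageFullName", "PackageRelativeAppId",
]
LAYOUT_17 = LAYOUT_15[:8] + ["Extra1", "Extra2"] + LAYOUT_15[8:]
POSITIONAL_LAYOUTS = {len(LAYOUT_15): LAYOUT_15, len(LAYOUT_17): LAYOUT_17}


def event_data(event_xml):
    """Return EventData as {name: value}. Uses Name attributes when every Data
    element has one; otherwise maps by position using a layout keyed on the
    element count, and raises rather than guessing for an unknown count so a
    changed layout on a future build fails loudly instead of misattributing."""
    root = ET.fromstring(event_xml)
    data = root.findall("e:EventData/e:Data", NS)
    if data and all(d.get("Name") for d in data):
        return {d.get("Name"): (d.text or "") for d in data}
    layout = POSITIONAL_LAYOUTS.get(len(data))
    if layout is None:
        raise ValueError("unknown positional layout: %d Data elements" % len(data))
    return {name: (d.text or "") for name, d in zip(layout, data)}


def find_crashes(events_xml, app_name):
    """Filter Application Error (EventID 1000) events for app_name, whichever
    shape the EventData has, returning a summary per matching event."""
    hits = []
    for xml in events_xml:
        root = ET.fromstring(xml)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
            continue
        fields = event_data(xml)
        if fields.get("AppName", "").lower() != app_name.lower():
            continue
        first = root.find("e:EventData/e:Data", NS)
        hits.append({
            "computer": root.findtext("e:System/e:Computer", namespaces=NS),
            "record": root.findtext("e:System/e:EventRecordID", namespaces=NS),
            "named": first is not None and first.get("Name") is not None,
            "exception": fields["ExceptionCode"],
            "module": fields["ModuleName"],
        })
    return hits


# Constructed sample input: trimmed copies of the two events in the question.
NAMED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error" /><EventID>1000</EventID>
<EventRecordID>115450</EventRecordID><Computer>COMPUTER</Computer></System>
<EventData>
<Data Name="AppName">explorer.exe</Data><Data Name="AppVersion">10.0.22621.2715</Data>
<Data Name="AppTimeStamp">29e0887d</Data><Data Name="ModuleName">ntdll.dll</Data>
<Data Name="ModuleVersion">10.0.22621.2506</Data><Data Name="ModuleTimeStamp">bced4b82</Data>
<Data Name="ExceptionCode">c0000005</Data><Data Name="FaultingOffset">0000000000033aca</Data>
<Data Name="ProcessId">0x7f30</Data><Data Name="ProcessCreationTime">0x1da1ddd33a534b8</Data>
<Data Name="AppPath">C:\\WINDOWS\\explorer.exe</Data><Data Name="ModulePath">C:\\WINDOWS\\SYSTEM32\\ntdll.dll</Data>
<Data Name="IntegratorReportId">9b4b87a8-7f38-494b-8d48-b451b07baf2c</Data>
<Data Name="PackageFullName" /><Data Name="PackageRelativeAppId" />
</EventData></Event>"""

UNNAMED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID>
<EventRecordID>306438</EventRecordID><Computer>OTHERCOMPUTER</Computer></System>
<EventData>
<Data>explorer.exe</Data><Data>10.0.22621.2715</Data><Data>29e0887d</Data>
<Data>ntdll.dll</Data><Data>10.0.22621.2506</Data><Data>bced4b82</Data>
<Data>c0000005</Data><Data>0000000000033aca</Data>
<Data>c00000fd</Data><Data>00007ffd56b4fd5a</Data>
<Data>3a20</Data><Data>01da1ddc5cb4da50</Data>
<Data>C:\\WINDOWS\\explorer.exe</Data><Data>C:\\WINDOWS\\SYSTEM32\\ntdll.dll</Data>
<Data>c6e1d9d7-5bdb-405d-aa92-73d7d44d6fca</Data><Data /><Data />
</EventData></Event>"""

if __name__ == "__main__":
    for hit in find_crashes([NAMED_EVENT, UNNAMED_EVENT], "explorer.exe"):
        print(hit)
```

Matching on AppName alone works in both shapes because it is the first Data element on both machines; it is the fields after FaultingOffset whose positions shift, which is exactly why the positional fallback keys on the element count and refuses unknown counts.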