windows-event-forwarding

Software-Restriction-Policies.xml incorrect syntax

Open appelboom opened this issue 3 years ago • 2 comments

XPATH should be <Select Path="Application">*[System[(EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]</Select>

Not <Select Path="Application">*[Application[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]</Select>

appelboom, Nov 23 '20 04:11

I don't think this is correct as this page shows this event in the Microsoft-Windows-SoftwareRestrictionPolicies channel: http://intelligentsystemsmonitoring.com/knowledgebase/windows-operating-system/event-id-software-restriction-policy-notification-13844/#:~:text=Windows%20Operating%20System-,Event%20ID%20865%20%E2%80%94%20Software%20Restriction%20Policy%20Notification,not%20allowed%20by%20the%20policy.

clong, Jan 23 '21 04:01

I have checked this in the log manifest on a test system; all referenced events appear in the Application channel. Also, as @appelboom has pointed out, the subscription query is incorrect. The first selector (*[Application[) in the XPath query string does not reference the channel, but the system header of the event XML. This header, including the provider specification, is always located in the System element. Therefore the query should be as follows:

*[System[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]

b1t-hunter, Mar 29 '22 12:03
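The following PowerShell script is an added example and is not part of the thread or of the windows-event-forwarding repository. It evaluates the three XPath variants discussed above (the one shipped in Software-Restriction-Policies.xml, the EventID-only form, and the System[...] form) against a constructed Software Restriction Policies event using .NET's XPath engine, so the difference can be seen offline, and then optionally applies the corrected filter to the live Application log with Get-WinEvent. The sample event, its computer name and the path in EventData are made up for illustration; the provider name and event IDs are the ones from the issue.

```powershell
# Added example: not from the windows-event-forwarding repo or the issue comments.
# Shows why "*[Application[...]]" can never match an event while "*[System[...]]" does,
# by running both against a constructed event with .NET's XPath 1.0 engine.

# Constructed sample, shaped like the XML that $event.ToXml() returns for an
# SRP "blocked by policy" event (ID 865) in the Application log. The default
# xmlns is deliberately omitted: the Event Log query engine evaluates unprefixed
# names, but .NET XPath would require a namespace prefix for every element.
$sampleEventXml = @'
<Event>
  <System>
    <Provider Name="Microsoft-Windows-SoftwareRestrictionPolicies"/>
    <EventID Qualifiers="0">865</EventID>
    <Level>3</Level>
    <Channel>Application</Channel>
    <Computer>WKS01.example.local</Computer>
  </System>
  <EventData>
    <Data>C:\Users\alice\Downloads\tool.exe</Data>
  </EventData>
</Event>
'@

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($sampleEventXml)

$queries = [ordered]@{
    # As shipped in the subscription: the first step names "Application", which is
    # the channel, not a child element of <Event>. The predicate is always false.
    'original (Application[...])' = "*[Application[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]"
    # appelboom's form: matches on EventID alone. It matches, but it would also
    # forward events from any other provider in the Application log that uses
    # the same IDs, since nothing in the query checks the provider.
    'eventid only'                = "*[System[(EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]"
    # b1t-hunter's correction: Provider and EventID both live under <System>,
    # so the provider check and the ID list belong in the same System[...] predicate.
    'corrected (System[...])'     = "*[System[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]"
}

foreach ($name in $queries.Keys) {
    # SelectNodes is evaluated from the document node, so '*' is the <Event>
    # root, which mirrors how a subscription query is applied to each event.
    $hits = $doc.SelectNodes($queries[$name]).Count
    '{0,-30} matches: {1}' -f $name, $hits
}
# Expected: original 0, eventid only 1, corrected 1.

# Live check on a Windows host: apply the corrected filter to the real
# Application log. Get-WinEvent throws when nothing matches, hence the
# SilentlyContinue; an empty result just means no SRP events are logged yet.
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    Get-WinEvent -LogName Application -FilterXPath $queries['corrected (System[...])'] `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}
```

To test the fix against the subscription file itself rather than a bare XPath string, paste the corrected expression into the `<Select Path="Application">` element and pass the whole `<QueryList>` to `Get-WinEvent -FilterXml`, which uses the same query engine as the collector.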