none
EvtQuery() failed with ErrCode 15001 when more the 23 expresssions are addded in Structrued Query format RRS feed

  • Question

  • Hi,

     

    I am creating a MFC application to display event log records which are recorded by system (alike  Windows Event Log viewer). To reading event log records I am using Windows Event Log Functions. (Reference: http://msdn.microsoft.com/en-us/library/aa385784(v=VS.85).asp).

     

    The Specification of my development environment are as follow:

    OS : Windows server 2008 R2 Standard

    Complier: Microsoft Visual studio 2008

     

    In my application I have also provided the Filter functionality. Records can be filtered on criteria such as User Name, Source Name, etc. To get the filtered records from the EVTX I have used ::EvtQuery() function and fires the query on EVTX file. Based on the selected filter criteria initially I used normal query  format to create the query and passed to ::EvtQuery() function. Its works fine when query contains less then 23 expression but if expressions are equal to 23 or more then 23 then ::EvtQuery() function fails.

    The error code I get on failure is 15001 which means “The specified query is invalid”. As per the latest MSDN documentation, if expression are more then 20 then Structured Query format should be used. As of requirement and MSDN documentation I later created the query using Structured Query format and with expressions more then 23. How ever the result is same. ::EvtQuery() function failed with same error (Code:15001).

     

    To check the behavior of Windows Event Log Viewer I also tried filtering records with more then 23 expressions and a strange results were observed. Even Windows Event Log Viewer also displayed the message as query is invalid, How ever the query is created by Windows Event Log Viewer itself. I edited the query manually and passed to Windows Event Log Viewer again but the results are same. Please find below the sample of normal query and structured query that I used in my aaplication.

     

    [Normal Query with one expression]

    LPWSTR pQuery = L"Event/UserData/EventLog[Source = 'Test::Audit']";

     

    [Structure Query with three expression]

    LPWSTR pQuery = L"<QueryList><Query Id=\"0\" Path=\"System\"><Select Path=\"System\">*[System[Provider[@Name ='Application Popup' or @Name ='Microsoft-Windows-Application-Experience' or @Name ='Microsoft-Windows-DHCPv6-Client']]]</Select></Query></QueryList>";

     

    Please let me what is wrong in this case whether queries are not supported more then 23  or not. And how can I fetch the records from EVTX file in case if expressions are more then 23.

     

    Note: Similar kind of results are observed on Windows-7 also.

     

    Sincerely, thanks in advance,

    Ganesh Paul


    • Edited by GaneshPaul Friday, December 2, 2011 2:06 PM
    Friday, December 2, 2011 1:49 PM