I'm using Windows 7 Pro x64. I'm trying to create a custom view in Event Viewer that will contain only resume events for unknown reasons (WakeSourceType=0).
Here's the query I'm using:
<QueryList>
<Query Id="0" Path="System">
<Select Path="System">
*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1)]]
and
*[EventData[Data[@Name='WakeSourceType'] and (Data='0')]]
</Select>
</Query>
</QueryList>
This query needs to find all events in the System log with the "Power-Troubleshooter" source and Event ID=1 for which the "WakeSourceType" is 0.
When I use the above syntax, it finds events with Power-Troubleshooter as the source, Event ID=1, andany WakeSourceType as long as any data value in the Event Data section is zero.
How can the Event Viewer query be restricted to WakeSourceType=0 name/value pairs?
(This was posted on December 10, 2015 to the Windows Desktop Development> Windows Desktop Perfmon and Diagnostic tools forum, where it received no replies.)