Edit C:\Windows\System32\RacRules.xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- RacRules.xml: rules file for the Reliability Analysis Component (RAC). This part holds the
     upload settings and the start of the collection rules. Read as Unix epoch seconds, the root
     timestamp 1390953600 is 2014-01-29T00:00:00Z; presumably the revision time of the rule set,
     confirm. The page places this file under C:\Windows\System32, so keep the original copy and
     record a hash of the edited file so that later unexpected changes can be detected. -->
<RacRules timestamp="1390953600"> <RacUploadRules> <!-- Windows 7 values -->
<!-- GlobalUploadRules carries an expiry (ExpireOn) and an upload interval in days
     (RacUploadFrequency). NOTE(review): 1920070400 read as Unix epoch seconds is
     2030-11-05T00:53:20Z; the non-midnight time of day suggests the value was edited by hand,
     so compare it with a known-good copy of the file before deploying. What the consumer does
     once ExpireOn has passed is not visible in this file. -->
<GlobalUploadRules> <ExpireOn date="1920070400" /> <RacUploadFrequency days="3" /> </GlobalUploadRules> </RacUploadRules> <EventCollectionRules>
<!-- AlgorithmDatasets: associates Algorithm 1327 with Dataset 401. -->
<AlgorithmDatasets> <Algorithm Id="1327"> <Dataset Id="401" /> </Algorithm> </AlgorithmDatasets>
<!-- ApplicationSets: each ApplicationSet is keyed by (ModelId, AppId) and lists the Dataset Ids
     and Algorithm Ids it uses. The Dataset Ids appear to reference EventRule Ids defined later
     in the file (the first Ids here, 1, 9, 12, 14, 15, 19, match the first EventRule Ids);
     confirm against the consumer. The existing Legacy Start / Legacy End markers are kept as
     found. The Dataset list of this first set continues past the end of this line. -->
<ApplicationSets> <ApplicationSet ModelId="1" AppId="2"> <DatasetGroup> <Dataset Id="1" /> <Dataset Id="9" /> <Dataset Id="12" /> <!--Legacy Start--> <Dataset Id="14" /> <!--Legacy End--> <Dataset Id="15" /> <Dataset Id="19" /> <Dataset Id="21" /> <Dataset Id="25" /> <Dataset Id="29" /> <Dataset Id="30" /> <Dataset Id="32" /> <Dataset Id="35" /> <!--Legacy Start--> <Dataset Id="36" /> <!--Legacy End--> <Dataset Id="41" /> <Dataset Id="43" /> <Dataset Id="47" /> <!--Legacy Start--> <Dataset Id="54" /> <!--Legacy End--> <Dataset Id="80" /> <Dataset Id="82" /> <Dataset Id="86" /> <Dataset Id="89" /> <Dataset Id="90" /> <Dataset Id="92" /> <Dataset Id="93" /> <Dataset Id="95" /> <Dataset Id="103" /> <Dataset Id="104" /> <Dataset Id="115" /> <Dataset Id="116" /> <Dataset Id="117" /> <Dataset Id="118" /> <Dataset Id="119" /> <Dataset Id="120" /> <Dataset Id="128" /> <Dataset Id="129" /> <Dataset Id="133" /> <Dataset Id="134" /> <Dataset Id="135" /> <Dataset Id="147" /> <Dataset Id="148" /> <Dataset Id="149" /> <!--Legacy Start--> <Dataset Id="150" /> <Dataset Id="151" /> <Dataset Id="152" /> <!--Legacy End--> <Dataset Id="171" /> <Dataset Id="172" /> <Dataset Id="180" /> <Dataset Id="181" /> <Dataset Id="209" /> <Dataset Id="210" /> <Dataset Id="211" /> <Dataset Id="212" /> <Dataset Id="213" /> <Dataset Id="214" /> <Dataset Id="215" /> <Dataset Id="216" /> <Dataset Id="217" /> <Dataset Id="218" /> <Dataset Id="219" /> <Dataset Id="220" /> <Dataset Id="221" /> <Dataset Id="222" /> <Dataset Id="223" /> <Dataset Id="224" /> <Dataset Id="225" /> <Dataset Id="226" /> <Dataset Id="227" /> <Dataset Id="228" /> <Dataset 
Id="229" /> <Dataset Id="230" /> <Dataset Id="231" /> <Dataset Id="232" /> <Dataset Id="233" /> <Dataset Id="234" /> <Dataset Id="235" /> <Dataset Id="236" /> <Dataset Id="237" /> <Dataset Id="238" /> <Dataset Id="239" /> <Dataset Id="240" /> <Dataset Id="241" /> <Dataset Id="242" /> <Dataset Id="243" /> <Dataset Id="244" /> <Dataset Id="245" /> <Dataset Id="246" /> <Dataset Id="247" /> <Dataset Id="248" /> <Dataset Id="249" /> <Dataset Id="258" /> <Dataset Id="259" /> <Dataset Id="260" /> <Dataset Id="261" /> <Dataset Id="311" /> <Dataset Id="312" /> <Dataset Id="314" /> <Dataset Id="315" /> <Dataset Id="328" /> <Dataset Id="329" /> <Dataset Id="330" /> <Dataset Id="331" /> <Dataset Id="332" /> <Dataset Id="333" /> <Dataset Id="334" /> <Dataset Id="335" /> <Dataset Id="336" /> <Dataset Id="337" /> <Dataset Id="338" /> <Dataset Id="511" /> <Dataset Id="512" /> <Dataset Id="339" /> <Dataset Id="340" /> <Dataset Id="341" /> <Dataset Id="342" /> <Dataset Id="343" /> <Dataset Id="344" /> <Dataset Id="345" /> <Dataset Id="346" /> <Dataset Id="347" /> <Dataset Id="348" /> <Dataset Id="349" /> <Dataset Id="350" /> <Dataset Id="477" /> <Dataset Id="478" /> <Dataset Id="479" /> <Dataset Id="480" /> <Dataset Id="481" /> </DatasetGroup> <AlgorithmGroup> <Algorithm Id="1002" /> <Algorithm Id="1005" /> <Algorithm Id="1009" /> <Algorithm Id="1010" /> <Algorithm Id="1011" /> <Algorithm Id="1012" /> <Algorithm Id="1017" /> <Algorithm Id="1018" /> <Algorithm Id="1019" /> <Algorithm Id="1020" /> <Algorithm Id="1021" /> <Algorithm Id="1024" /> <Algorithm Id="1025" /> <Algorithm Id="1026" /> <Algorithm Id="1031" /> <Algorithm Id="1032" /> <Algorithm Id="1033" /> <Algorithm Id="1034" /> <Algorithm Id="1035" /> <Algorithm Id="1036" /> <Algorithm Id="1051" /> <Algorithm Id="1052" /> <Algorithm Id="1053" /> <Algorithm Id="1054" /> <Algorithm Id="1055" /> <Algorithm Id="1056" /> <Algorithm Id="1057" /> <Algorithm Id="1058" /> <Algorithm Id="1161" /> <Algorithm Id="1165" /> 
</AlgorithmGroup> </ApplicationSet> <ApplicationSet ModelId="2" AppId="4"> <DatasetGroup> <Dataset Id="65" NameMatch="true" /> <Dataset Id="66" NameMatch="true" /> <Dataset Id="67" NameMatch="true" /> <Dataset Id="68" NameMatch="true" /> <Dataset Id="73" NameMatch="true" /> <Dataset Id="74" NameMatch="true" /> <Dataset Id="75" NameMatch="true" /> <Dataset Id="76" NameMatch="true" /> <Dataset Id="77" NameMatch="true" /> <Dataset Id="79" NameMatch="true" /> <Dataset Id="81" NameMatch="true" /> <Dataset Id="82" NameMatch="true" /> <Dataset Id="83" NameMatch="true" /> <Dataset Id="84" NameMatch="true" /> <Dataset Id="197" NameMatch="true" /> <Dataset Id="199" NameMatch="true" /> <Dataset Id="201" NameMatch="true" /> <Dataset Id="202" NameMatch="true" /> <Dataset Id="257" NameMatch="true" /> <Dataset Id="314" /> </DatasetGroup> <AlgorithmGroup> <Algorithm Id="1002" /> <Algorithm Id="1005" /> <Algorithm Id="1009" /> <Algorithm Id="1035" /> <Algorithm Id="1052" /> <Algorithm Id="1161" /> <Algorithm Id="1162" /> <Algorithm Id="1165" /> <Algorithm Id="1166" /> <Algorithm Id="1167" /> <Algorithm Id="1168" /> <Algorithm Id="1169" /> <Algorithm Id="1170" /> <Algorithm Id="1171" /> <Algorithm Id="1172" /> <Algorithm Id="1173" /> <Algorithm Id="1174" /> <Algorithm Id="1175" /> </AlgorithmGroup> </ApplicationSet> <ApplicationSet ModelId="3" AppId="4"> <DatasetGroup> <Dataset Id="271" NameMatch="true" /> </DatasetGroup> <AlgorithmGroup> <Algorithm Id="1324" /> </AlgorithmGroup> </ApplicationSet> <ApplicationSet ModelId="3" AppId="1"> <DatasetGroup> <Dataset Id="12" /> <Dataset Id="21" /> <Dataset Id="30" /> <Dataset Id="32" /> <Dataset Id="86" /> <Dataset Id="89" /> <Dataset Id="90" /> <Dataset Id="101" /> <Dataset Id="102" /> <Dataset Id="103" /> <Dataset Id="104" /> <Dataset Id="105" /> <Dataset Id="106" /> <Dataset Id="107" /> <Dataset Id="108" /> <Dataset Id="109" /> <Dataset Id="110" /> <Dataset Id="111" /> <Dataset Id="112" /> <Dataset Id="113" /> <Dataset Id="114" /> 
<Dataset Id="115" /> <Dataset Id="128" /> <Dataset Id="129" /> <Dataset Id="134" /> <Dataset Id="205" /> <Dataset Id="206" /> <Dataset Id="207" /> <Dataset Id="208" /> <Dataset Id="258" /> <Dataset Id="259" /> <Dataset Id="260" /> <Dataset Id="261" /> <Dataset Id="271" /> <Dataset Id="333" /> <Dataset Id="334" /> <Dataset Id="335" /> <Dataset Id="336" /> <Dataset Id="337" /> <Dataset Id="338" /> <Dataset Id="511" /> <Dataset Id="512" /> <Dataset Id="401" /> </DatasetGroup> <AlgorithmGroup> <Algorithm Id="1184" /> <Algorithm Id="1185" /> <Algorithm Id="1191" /> <Algorithm Id="1214" /> <Algorithm Id="1218" /> <Algorithm Id="1219" /> <Algorithm Id="1222" /> <Algorithm Id="1223" /> <Algorithm Id="1226" /> <Algorithm Id="1227" /> <Algorithm Id="1228" /> <Algorithm Id="1229" /> <Algorithm Id="1230" /> <Algorithm Id="1231" /> <Algorithm Id="1232" /> <Algorithm Id="1233" /> <Algorithm Id="1234" /> <Algorithm Id="1235" /> <Algorithm Id="1236" /> <Algorithm Id="1237" /> <Algorithm Id="1238" /> <Algorithm Id="1239" /> <Algorithm Id="1240" /> <Algorithm Id="1241" /> <Algorithm Id="1242" /> <Algorithm Id="1243" /> <Algorithm Id="1244" /> <Algorithm Id="1245" /> <Algorithm Id="1246" /> <Algorithm Id="1327" /> </AlgorithmGroup> </ApplicationSet> <ApplicationSet ModelId="5" AppId="3"> <DatasetGroup> <Dataset Id="1" /> <Dataset Id="9" /> <Dataset Id="12" /> <Dataset Id="14" /> <Dataset Id="15" /> <Dataset Id="19" /> <Dataset Id="21" /> <Dataset Id="25" /> <Dataset Id="30" /> <Dataset Id="32" /> <Dataset Id="35" /> <Dataset Id="36" /> <Dataset Id="41" /> <Dataset Id="43" /> <Dataset Id="47" /> <Dataset Id="54" /> <Dataset Id="86" /> <Dataset Id="89" /> <Dataset Id="90" /> <Dataset Id="92" /> <Dataset Id="93" /> <Dataset Id="95" /> <Dataset Id="101" /> <Dataset Id="102" /> <Dataset Id="103" /> <Dataset Id="104" /> <Dataset Id="105" /> <Dataset Id="106" /> <Dataset Id="107" /> <Dataset Id="108" /> <Dataset Id="109" /> <Dataset Id="110" /> <Dataset Id="111" /> <Dataset Id="112" /> 
<Dataset Id="113" /> <Dataset Id="114" /> <Dataset Id="115" /> <Dataset Id="116" /> <Dataset Id="117" /> <Dataset Id="118" /> <Dataset Id="119" /> <Dataset Id="120" /> <Dataset Id="128" /> <Dataset Id="129" /> <Dataset Id="133" /> <Dataset Id="134" /> <Dataset Id="135" /> <Dataset Id="147" /> <Dataset Id="148" /> <Dataset Id="149" /> <Dataset Id="150" /> <Dataset Id="151" /> <Dataset Id="152" /> <Dataset Id="171" /> <Dataset Id="172" /> <Dataset Id="180" /> <Dataset Id="181" /> <Dataset Id="197" /> <Dataset Id="199" /> <Dataset Id="205" /> <Dataset Id="206" /> <Dataset Id="207" /> <Dataset Id="208" /> <Dataset Id="209" /> <Dataset Id="210" /> <Dataset Id="211" /> <Dataset Id="212" /> <Dataset Id="213" /> <Dataset Id="214" /> <Dataset Id="215" /> <Dataset Id="216" /> <Dataset Id="217" /> <Dataset Id="218" /> <Dataset Id="219" /> <Dataset Id="220" /> <Dataset Id="221" /> <Dataset Id="222" /> <Dataset Id="223" /> <Dataset Id="224" /> <Dataset Id="225" /> <Dataset Id="226" /> <Dataset Id="227" /> <Dataset Id="228" /> <Dataset Id="229" /> <Dataset Id="230" /> <Dataset Id="231" /> <Dataset Id="232" /> <Dataset Id="233" /> <Dataset Id="234" /> <Dataset Id="235" /> <Dataset Id="236" /> <Dataset Id="237" /> <Dataset Id="238" /> <Dataset Id="239" /> <Dataset Id="240" /> <Dataset Id="241" /> <Dataset Id="242" /> <Dataset Id="243" /> <Dataset Id="244" /> <Dataset Id="245" /> <Dataset Id="246" /> <Dataset Id="247" /> <Dataset Id="248" /> <Dataset Id="249" /> <Dataset Id="257" /> <Dataset Id="258" /> <Dataset Id="259" /> <Dataset Id="260" /> <Dataset Id="261" /> <Dataset Id="262" /> <Dataset Id="263" /> <Dataset Id="265" /> <Dataset Id="271" /> <Dataset Id="280" /> <Dataset Id="281" /> <Dataset Id="303" /> <Dataset Id="311" /> <Dataset Id="312" /> <Dataset Id="314" /> <Dataset Id="315" /> <Dataset Id="316" /> <Dataset Id="317" /> <Dataset Id="318" /> <Dataset Id="320" /> <Dataset Id="321" /> <Dataset Id="322" /> <Dataset Id="325" /> <Dataset Id="326" /> <Dataset Id="327" /> 
<Dataset Id="328" /> <Dataset Id="329" /> <Dataset Id="330" /> <Dataset Id="331" /> <Dataset Id="332" /> <Dataset Id="333" /> <Dataset Id="334" /> <Dataset Id="335" /> <Dataset Id="336" /> <Dataset Id="337" /> <Dataset Id="338" /> <Dataset Id="511" /> <Dataset Id="512" /> <Dataset Id="339" /> <Dataset Id="340" /> <Dataset Id="341" /> <Dataset Id="343" /> <Dataset Id="344" /> <Dataset Id="346" /> <Dataset Id="347" /> <Dataset Id="349" /> <Dataset Id="350" /> <Dataset Id="361" /> <Dataset Id="362" /> <Dataset Id="363" /> <Dataset Id="364" /> <Dataset Id="384" /> <Dataset Id="385" /> <Dataset Id="386" /> <Dataset Id="387" /> <Dataset Id="388" /> <Dataset Id="389" /> <Dataset Id="390" /> <Dataset Id="391" /> <Dataset Id="392" /> <Dataset Id="393" /> <Dataset Id="394" /> <Dataset Id="395" /> <Dataset Id="396" /> <Dataset Id="399" /> <Dataset Id="405" /> <Dataset Id="409" /> <Dataset Id="410" /> <Dataset Id="411" /> <Dataset Id="412" /> <Dataset Id="413" /> <Dataset Id="414" /> <Dataset Id="415" /> <Dataset Id="416" /> <Dataset Id="417" /> <Dataset Id="418" /> <Dataset Id="419" /> <Dataset Id="420" /> <Dataset Id="421" /> <Dataset Id="422" /> <Dataset Id="423" /> <Dataset Id="424" /> <Dataset Id="425" /> <Dataset Id="426" /> <Dataset Id="427" /> <Dataset Id="428" /> <Dataset Id="429" /> <Dataset Id="430" /> <Dataset Id="431" /> <Dataset Id="432" /> <Dataset Id="433" /> <Dataset Id="434" /> <Dataset Id="435" /> <Dataset Id="436" /> <Dataset Id="437" /> <Dataset Id="438" /> <Dataset Id="439" /> <Dataset Id="440" /> <Dataset Id="441" /> <Dataset Id="442" /> <Dataset Id="443" /> <Dataset Id="444" /> <Dataset Id="445" /> <Dataset Id="446" /> <Dataset Id="447" /> <Dataset Id="448" /> <Dataset Id="449" /> <Dataset Id="450" /> <Dataset Id="451" /> <Dataset Id="452" /> <Dataset Id="453" /> <Dataset Id="454" /> <Dataset Id="455" /> <Dataset Id="456" /> <Dataset Id="457" /> <Dataset Id="458" /> <Dataset Id="459" /> <Dataset Id="460" /> <Dataset Id="476" /> <Dataset Id="477" /> 
<Dataset Id="478" /> <Dataset Id="479" /> <Dataset Id="480" /> <Dataset Id="481" /> <Dataset Id="482" /> <Dataset Id="483" /> <Dataset Id="484" /> <Dataset Id="490" /> <Dataset Id="491" /> <Dataset Id="492" /> <Dataset Id="493" /> <Dataset Id="494" /> <Dataset Id="495" /> <Dataset Id="496" /> <Dataset Id="497" /> <Dataset Id="498" /> <Dataset Id="499" /> <Dataset Id="502" /> <Dataset Id="503" /> <Dataset Id="504" /> <Dataset Id="505" /> <Dataset Id="506" /> <Dataset Id="507" /> <Dataset Id="510" /> <Dataset Id="513" /> <Dataset Id="518" /> <Dataset Id="521" /> <Dataset Id="522" /> <Dataset Id="528" /> <Dataset Id="529" /> <Dataset Id="530" /> <Dataset Id="531" /> </DatasetGroup> <AlgorithmGroup> <Algorithm Id="0" /> </AlgorithmGroup> </ApplicationSet> <ApplicationSet ModelId="6" AppId="4"> <DatasetGroup> <!-- process model ETW events are automagically added here --> <Dataset Id="30" NameMatch="true" VersionMatch="true" /> <Dataset Id="86" NameMatch="true" VersionMatch="true" /> <Dataset Id="314" /> <Dataset Id="510" NameMatch="true" /> </DatasetGroup> <AlgorithmGroup> <Algorithm Id="1161" /> <Algorithm Id="1170" /> <Algorithm Id="1176" /> <Algorithm Id="1177" /> <Algorithm Id="1178" /> <Algorithm Id="1179" /> <Algorithm Id="1180" /> <Algorithm Id="1183" /> <Algorithm Id="1326" /> <Algorithm Id="1328" /> <Algorithm Id="1329" /> <Algorithm Id="1330" /> <Algorithm Id="1331" /> </AlgorithmGroup> </ApplicationSet> </ApplicationSets>
<!-- LogEntries: table of event channels. Each LogEntry binds a numeric Id to a Channel name, and
     the EventRule elements that follow select a channel through their LogId attribute
     (LogId="0" is System, LogId="1" is Application, Id="-1" is the ETW entry). Only the System
     and Application entries carry Required="1". Ids 6, 9 and 13 are not defined in this table.
     The channel list includes Microsoft-Windows-CodeIntegrity/Operational (Id 20). -->
<LogEntries> <LogEntry Id="-1" Channel="ETW"/> <LogEntry Id="0" Required="1" Channel="System" /> <LogEntry Id="1" Required="1" Channel="Application" /> <LogEntry Id="2" Channel="Microsoft-Windows-Diagnosis-DPS/Operational" /> <LogEntry Id="3" Channel="Microsoft-Windows-Resource-Exhaustion-Detector/Operational" /> <LogEntry Id="4" Channel="Microsoft-Windows-Resource-Exhaustion-Resolver/Operational" /> <LogEntry Id="5" Channel="Microsoft-Windows-Resource-Leak-Diagnostic/Operational" /> <LogEntry Id="7" 
Channel="Microsoft-Windows-ReliabilityAnalysisComponent/Operational" /> <LogEntry Id="8" Channel="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" /> <LogEntry Id="10" Channel="Microsoft-Windows-Application-Experience/Program-Telemetry" /> <LogEntry Id="11" Channel="Microsoft-Windows-Application-Experience/Program-Inventory" /> <LogEntry Id="12" Channel="Microsoft-Windows-Kernel-EventTracing/Admin" /> <LogEntry Id="14" Channel="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" /> <LogEntry Id="15" Channel="Microsoft-Windows-Fault-Tolerant-Heap/Operational" /> <LogEntry Id="16" Channel="Microsoft-Windows-Audio/Operational" /> <LogEntry Id="17" Channel="Microsoft-Windows-Kernel-ShimEngine/Operational" /> <LogEntry Id="18" Channel="Microsoft-Windows-AppXDeploymentServer/Operational" /> <LogEntry Id="19" Channel="Microsoft-Windows-AppHost/Admin" /> <LogEntry Id="20" Channel="Microsoft-Windows-CodeIntegrity/Operational" /> <LogEntry Id="21" Channel="Microsoft-Windows-OOBE-Machine-DUI/Operational" /> <LogEntry Id="22" Channel="Microsoft-Windows-Ntfs/Operational" /> </LogEntries>
<!-- EventRules: one EventRule per (LogId, EventId, Source) triple, identified by its own Id.
     A LegacyData child names a Position within the matched event and may carry a PIIFilter hex
     value (for example 0x10000 on rule 12, position 3). This file does not define what the
     individual PIIFilter values mean, nor how a position without one is handled.
     NOTE(review): when auditing what these rules extract from the System and Application logs,
     treat PIIFilter as opaque and verify the handling of positions that have no PIIFilter
     against the consuming component. The rule list continues past the end of this line. -->
<EventRules> <EventRule Id="1" LogId="0" EventId="3261" Source="Workstation" /> <EventRule Id="9" LogId="0" EventId="6012" Source="EventLog" /> <EventRule Id="12" LogId="0" EventId="1001" Source="Microsoft-Windows-WER-SystemErrorReporting"> <LegacyData Position="1" /> <LegacyData Position="3" PIIFilter="0x10000" /> </EventRule> <EventRule Id="14" LogId="0" EventId="6006" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" /> </EventRule> <EventRule Id="15" LogId="0" EventId="1073" Source="User32" /> <EventRule Id="19" LogId="0" EventId="6008" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" /> <LegacyData Position="4" /> <LegacyData Position="5" /> <LegacyData Position="6" /> <LegacyData Position="7" /> <LegacyData Position="8" /> <LegacyData Position="9" /> <LegacyData 
Position="10" /> </EventRule> <EventRule Id="21" LogId="0" EventId="1006" Source="Microsoft-Windows-WER-SystemErrorReporting" /> <EventRule Id="25" LogId="0" EventId="1075" Source="User32" /> <EventRule Id="29" LogId="0" EventId="6013" Source="EventLog" /> <EventRule Id="30" LogId="1" EventId="1000" Source="Application Error" LegacyNameMatch="1" LegacyVersionMatch="2"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" PIIFilter="0x4000" /> <LegacyData Position="4" /> <LegacyData Position="5" /> <LegacyData Position="6" PIIFilter="0x4000" /> <LegacyData Position="7" PIIFilter="0x4000" /> <LegacyData Position="8"/> <LegacyData Position="9" PIIFilter="0x4000"/> <LegacyData Position="10" PIIFilter="0x4000"/> <LegacyData Position="13" PIIFilter="0x10000" /> <LegacyData Position="14" /> <LegacyData Position="15" /> </EventRule> <EventRule Id="32" LogId="0" EventId="1000" Source="Microsoft-Windows-WER-SystemErrorReporting"> <LegacyData Position="1" /> </EventRule> <EventRule Id="35" LogId="0" EventId="1076" Source="User32"> <LegacyData Position="2" PIIFilter="0x4000" /> </EventRule> <EventRule Id="36" LogId="0" EventId="6005" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" /> </EventRule> <EventRule Id="41" LogId="0" EventId="6011" Source="EventLog" /> <EventRule Id="43" LogId="1" EventId="1015" Source="Microsoft-Windows-Wininit"> <LegacyData Position="1" PIIFilter="0x3" /> <LegacyData Position="2" PIIFilter="0x4000" /> </EventRule> <EventRule Id="47" LogId="0" EventId="3260" Source="Workstation" /> <EventRule Id="54" LogId="0" EventId="6009" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" PIIFilter="0x2000" /> <LegacyData Position="3" /> <LegacyData Position="4" /> <LegacyData Position="5" PIIFilter="0x2000" /> </EventRule> <EventRule Id="65" LogId="0" EventId="7000" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> 
<LegacyData Position="2" /> </EventRule> <EventRule Id="66" LogId="0" EventId="7001" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> <LegacyData Position="2" PIIFilter="0x40" /> <LegacyData Position="3" /> </EventRule> <EventRule Id="67" LogId="0" EventId="7002" Source="Service Control Manager" LegacyNameMatch="1" /> <EventRule Id="68" LogId="0" EventId="7003" Source="Service Control Manager" LegacyNameMatch="1" /> <EventRule Id="73" LogId="0" EventId="7019" Source="Service Control Manager" LegacyNameMatch="1" /> <EventRule Id="74" LogId="0" EventId="7020" Source="Service Control Manager" LegacyNameMatch="1" /> <EventRule Id="75" LogId="0" EventId="7022" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> </EventRule> <EventRule Id="76" LogId="0" EventId="7023" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> <LegacyData Position="2" /> </EventRule> <EventRule Id="77" LogId="0" EventId="7024" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> <LegacyData Position="2" /> </EventRule> <EventRule Id="79" LogId="0" EventId="7031" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> <LegacyData Position="2" PIIFilter="0x2000" /> </EventRule> <EventRule Id="80" LogId="0" EventId="7033" Source="Service Control Manager" /> <EventRule Id="81" LogId="0" EventId="7034" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyData Position="1" PIIFilter="0x40" /> <LegacyData Position="2" PIIFilter="0x2000" /> </EventRule> <EventRule Id="82" LogId="0" EventId="7036" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyMatch Position="1" cchMatch="7" Match="running" /> </EventRule> <EventRule Id="83" LogId="0" EventId="7036" Source="Service Control Manager" LegacyNameMatch="1"> <LegacyMatch Position="1" cchMatch="7" 
Match="stopped" /> </EventRule> <EventRule Id="84" LogId="0" EventId="7038" Source="Service Control Manager" LegacyNameMatch="1" /> <EventRule Id="86" LogId="1" EventId="1002" Source="Application Hang" LegacyNameMatch="1" LegacyVersionMatch="2"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" PIIFilter="0x4000" /> <LegacyData Position="5" PIIFilter="0x2000" /> <LegacyData Position="7" PIIFilter="0x10000" /> <LegacyData Position="8" /> <LegacyData Position="9" /> </EventRule> <EventRule Id="89" LogId="0" EventId="7" Source="Disk" /> <EventRule Id="90" LogId="0" EventId="52" Source="Disk" /> <EventRule Id="92" LogId="0" EventId="21" Source="Microsoft-Windows-WindowsUpdateClient" > <CrimsonData Id="376" XPath="Event/UserData/updatelist" /> </EventRule> <EventRule Id="93" LogId="0" EventId="22" Source="Microsoft-Windows-WindowsUpdateClient" > <CrimsonData Id="377" XPath="Event/EventData/Data[@Name='restarttime']" /> <CrimsonData Id="378" XPath="Event/EventData/Data[@Name='updatelist']" /> </EventRule> <EventRule Id="95" LogId="0" EventId="19" Source="Microsoft-Windows-WindowsUpdateClient" > <CrimsonData Id="373" XPath="Event/EventData/Data[@Name='updateTitle']" /> <CrimsonData Id="525" XPath="Event/EventData/Data[@Name='updateGuid']" /> <CrimsonData Id="526" XPath="Event/EventData/Data[@Name='updateRevisionNumber']" /> </EventRule> <EventRule Id="101" LogId="3" EventId="1001" Source="Microsoft-Windows-Resource-Exhaustion-Detector" /> <EventRule Id="102" LogId="3" EventId="1002" Source="Microsoft-Windows-Resource-Exhaustion-Detector" /> <EventRule Id="103" LogId="3" EventId="1003" Source="Microsoft-Windows-Resource-Exhaustion-Detector"> <CrimsonData Id="173" XPath="Event/UserData/CommitLimitExhaustion/SystemCommitCharge" /> <CrimsonData Id="174" XPath="Event/UserData/CommitLimitExhaustion/SystemCommitLimit" /> </EventRule> <EventRule Id="104" LogId="0" EventId="2004" Source="Microsoft-Windows-Resource-Exhaustion-Detector"> <CrimsonData 
Id="601" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/SystemCommitLimit" /> <CrimsonData Id="602" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/SystemCommitCharge" /> <CrimsonData Id="603" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/ProcessCommitCharge" /> <CrimsonData Id="604" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/PagedPoolUsage" /> <CrimsonData Id="605" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/PhysicalMemorySize" /> <CrimsonData Id="606" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/PhysicalMemoryUsage" /> <CrimsonData Id="607" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/NonPagedPoolUsage" /> <CrimsonData Id="608" XPath="Event/UserData/MemoryExhaustionInfo/SystemInfo/Processes" /> <CrimsonData Id="609" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/Name" PIIFilter="0x2" /> <CrimsonData Id="610" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/ID" /> <CrimsonData Id="611" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/CreationTime" /> <CrimsonData Id="612" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/CommitCharge" /> <CrimsonData Id="613" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/HandleCount" /> <CrimsonData Id="614" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/Version" /> <CrimsonData Id="615" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_1/TypeInfo" /> <CrimsonData Id="616" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/Name" PIIFilter="0x2" /> <CrimsonData Id="617" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/ID" /> <CrimsonData Id="618" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/CreationTime" /> <CrimsonData Id="619" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/CommitCharge" /> <CrimsonData Id="620" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/HandleCount" /> 
<CrimsonData Id="621" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/Version" /> <CrimsonData Id="622" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_2/TypeInfo" /> <CrimsonData Id="623" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/Name" PIIFilter="0x2" /> <CrimsonData Id="624" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/ID" /> <CrimsonData Id="625" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/CreationTime" /> <CrimsonData Id="626" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/CommitCharge" /> <CrimsonData Id="627" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/HandleCount" /> <CrimsonData Id="628" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/Version" /> <CrimsonData Id="629" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_3/TypeInfo" /> <CrimsonData Id="630" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/Name" PIIFilter="0x2" /> <CrimsonData Id="631" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/ID" /> <CrimsonData Id="632" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/CreationTime" /> <CrimsonData Id="633" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/CommitCharge" /> <CrimsonData Id="634" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/HandleCount" /> <CrimsonData Id="635" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/Version" /> <CrimsonData Id="636" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_4/TypeInfo" /> <CrimsonData Id="637" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_5/Name" PIIFilter="0x2" /> <CrimsonData Id="638" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_5/ID" /> <CrimsonData Id="640" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_5/CommitCharge" /> <CrimsonData Id="641" 
XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_5/HandleCount" /> <CrimsonData Id="642" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_5/Version" /> <CrimsonData Id="643" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_5/TypeInfo" /> <CrimsonData Id="644" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_6/Name" PIIFilter="0x2" /> <CrimsonData Id="645" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_6/ID" /> <CrimsonData Id="647" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_6/CommitCharge" /> <CrimsonData Id="648" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_6/HandleCount" /> <CrimsonData Id="649" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_6/Version" /> <CrimsonData Id="650" XPath="Event/UserData/MemoryExhaustionInfo/ProcessInfo/Process_6/TypeInfo" /> <CrimsonData Id="651" XPath="Event/UserData/MemoryExhaustionInfo/PagedPoolInfo/Tag_1/Name" /> <CrimsonData Id="652" XPath="Event/UserData/MemoryExhaustionInfo/PagedPoolInfo/Tag_1/PoolUsed" /> <CrimsonData Id="653" XPath="Event/UserData/MemoryExhaustionInfo/PagedPoolInfo/Tag_2/Name" /> <CrimsonData Id="654" XPath="Event/UserData/MemoryExhaustionInfo/PagedPoolInfo/Tag_2/PoolUsed" /> <CrimsonData Id="655" XPath="Event/UserData/MemoryExhaustionInfo/PagedPoolInfo/Tag_3/Name" /> <CrimsonData Id="656" XPath="Event/UserData/MemoryExhaustionInfo/PagedPoolInfo/Tag_3/PoolUsed" /> <CrimsonData Id="657" XPath="Event/UserData/MemoryExhaustionInfo/NonPagedPoolInfo/Tag_1/Name" /> <CrimsonData Id="658" XPath="Event/UserData/MemoryExhaustionInfo/NonPagedPoolInfo/Tag_1/PoolUsed" /> <CrimsonData Id="659" XPath="Event/UserData/MemoryExhaustionInfo/NonPagedPoolInfo/Tag_2/Name" /> <CrimsonData Id="660" XPath="Event/UserData/MemoryExhaustionInfo/NonPagedPoolInfo/Tag_2/PoolUsed" /> <CrimsonData Id="661" XPath="Event/UserData/MemoryExhaustionInfo/NonPagedPoolInfo/Tag_3/Name" /> <CrimsonData Id="662" 
XPath="Event/UserData/MemoryExhaustionInfo/NonPagedPoolInfo/Tag_3/PoolUsed" /> <CrimsonData Id="663" XPath="Event/UserData/MemoryExhaustionInfo/ExhaustionEventInfo/Time" /> </EventRule> <EventRule Id="105" LogId="3" EventId="1005" Source="Microsoft-Windows-Resource-Exhaustion-Detector"> <CrimsonData Id="182" XPath="Event/UserData/ErrorData/ErrorCode" /> </EventRule> <EventRule Id="106" LogId="3" EventId="1006" Source="Microsoft-Windows-Resource-Exhaustion-Detector"> <CrimsonData Id="183" XPath="Event/UserData/ErrorData/ErrorCode" /> </EventRule> <EventRule Id="107" LogId="3" EventId="1007" Source="Microsoft-Windows-Resource-Exhaustion-Detector"> <CrimsonData Id="185" XPath="Event/UserData/MemoryAllocationFailure/RequestSize" /> <CrimsonData Id="186" XPath="Event/UserData/MemoryAllocationFailure/ErrorCode" /> </EventRule> <EventRule Id="108" LogId="3" EventId="1008" Source="Microsoft-Windows-Resource-Exhaustion-Detector"> <CrimsonData Id="184" XPath="Event/UserData/ErrorData/ErrorCode" /> </EventRule> <EventRule Id="109" LogId="4" EventId="1001" Source="Microsoft-Windows-Resource-Exhaustion-Resolver" /> <EventRule Id="110" LogId="4" EventId="1002" Source="Microsoft-Windows-Resource-Exhaustion-Resolver" /> <EventRule Id="111" LogId="4" EventId="1005" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="505" XPath="Event/UserData/ErrorData/ErrorCode" /> </EventRule> <EventRule Id="112" LogId="4" EventId="1006" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="506" XPath="Event/UserData/ErrorData/ErrorCode" /> </EventRule> <EventRule Id="113" LogId="4" EventId="1007" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="201" XPath="Event/UserData/MemoryAllocationFailure/RequestSize" /> <CrimsonData Id="202" XPath="Event/UserData/MemoryAllocationFailure/ErrorCode" /> </EventRule> <EventRule Id="114" LogId="4" EventId="1008" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="507" 
XPath="Event/UserData/ErrorData/ErrorCode" /> </EventRule> <EventRule Id="115" LogId="4" EventId="1009" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="492" XPath="Event/UserData/UICloseInfo/DisplayUpTime" /> <CrimsonData Id="493" XPath="Event/UserData/UICloseInfo/UserAction" /> <CrimsonData Id="494" XPath="Event/UserData/UICloseInfo/MaxCommit" /> </EventRule> <EventRule Id="116" LogId="0" EventId="2018" Source="srv" /> <EventRule Id="117" LogId="0" EventId="2020" Source="srv" /> <EventRule Id="118" LogId="0" EventId="2017" Source="srv" /> <EventRule Id="119" LogId="0" EventId="2019" Source="srv" /> <EventRule Id="120" LogId="0" EventId="243" Source="Win32k" /> <EventRule Id="128" LogId="4" EventId="1003" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="187" XPath="Event/UserData/InvalidCommitLimitExhaustion/TimeSinceLastUI" /> <CrimsonData Id="188" XPath="Event/UserData/InvalidCommitLimitExhaustion/ExhaustionTime" /> <CrimsonData Id="189" XPath="Event/UserData/InvalidCommitLimitExhaustion/EventType" /> <CrimsonData Id="190" XPath="Event/UserData/InvalidCommitLimitExhaustion/DropReasonCode" /> <CrimsonData Id="191" XPath="Event/UserData/InvalidCommitLimitExhaustion/Notifications" /> <CrimsonData Id="192" XPath="Event/UserData/InvalidCommitLimitExhaustion/MaxCommit" /> </EventRule> <EventRule Id="129" LogId="4" EventId="1004" Source="Microsoft-Windows-Resource-Exhaustion-Resolver"> <CrimsonData Id="664" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_1/Name" PIIFilter="0x2" /> <CrimsonData Id="665" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_1/ID" /> <CrimsonData Id="666" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_1/CreationTime" /> <CrimsonData Id="667" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_1/Version" /> <CrimsonData Id="668" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_2/Name" PIIFilter="0x2" /> <CrimsonData Id="669" 
XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_2/ID" /> <CrimsonData Id="670" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_2/CreationTime" /> <CrimsonData Id="671" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_2/Version" /> <CrimsonData Id="672" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_3/Name" PIIFilter="0x2" /> <CrimsonData Id="673" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_3/ID" /> <CrimsonData Id="674" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_3/CreationTime" /> <CrimsonData Id="675" XPath="Event/UserData/ResolverDisplayInfo/ProcessInfo/Process_3/Version" /> <CrimsonData Id="676" XPath="Event/UserData/ResolverDisplayInfo/ExhaustionEventInfo/ResolverID" /> <CrimsonData Id="677" XPath="Event/UserData/ResolverDisplayInfo/ExhaustionEventInfo/Time" /> </EventRule> <EventRule Id="133" LogId="1" EventId="1002" Source="Microsoft-Windows-Winlogon" /> <EventRule Id="134" LogId="0" EventId="1003" Source="Microsoft-Windows-WER-SystemErrorReporting" /> <EventRule Id="135" LogId="1" EventId="1001" Source="Windows Error Reporting"> <LegacyData Position="1" /> <LegacyData Position="2" PIIFilter="0x2000" /> <LegacyData Position="3" /> <LegacyData Position="6" /> <LegacyData Position="7" /> <LegacyData Position="8" /> <LegacyData Position="9" /> <LegacyData Position="10" /> <LegacyData Position="11" /> <LegacyData Position="12" /> <LegacyData Position="13" /> <LegacyData Position="14" /> <LegacyData Position="15" /> <LegacyData Position="18" /> <LegacyData Position="19" PIIFilter="0x2000" /> <LegacyData Position="20" PIIFilter="0x10000" /> <LegacyData Position="21" PIIFilter="0x2000" /> <LegacyData Position="5" PIIFilter="0x800" /> <LegacyData Position="4" /> </EventRule> <EventRule Id="147" LogId="0" EventId="1001" Source="Microsoft-Windows-StartupRepair"> <CrimsonData Id="3" XPath="Event/UserData/SrtSummary/StartTime" /> <CrimsonData Id="4" 
XPath="Event/UserData/SrtSummary/EndTime" /> <CrimsonData Id="5" XPath="Event/UserData/SrtSummary/NumAttempts" /> <CrimsonData Id="6" XPath="Event/UserData/SrtSummary/NumRootCauses" /> <CrimsonData Id="7" XPath="Event/UserData/SrtSummary/LaunchType" /> </EventRule> <EventRule Id="148" LogId="0" EventId="1002" Source="Microsoft-Windows-StartupRepair"> <CrimsonData Id="8" XPath="Event/UserData/SrtSummary/StartTime" /> <CrimsonData Id="9" XPath="Event/UserData/SrtSummary/EndTime" /> <CrimsonData Id="10" XPath="Event/UserData/SrtSummary/NumAttempts" /> <CrimsonData Id="11" XPath="Event/UserData/SrtSummary/NumRootCauses" /> <CrimsonData Id="12" XPath="Event/UserData/SrtSummary/LaunchType" /> </EventRule> <EventRule Id="149" LogId="0" EventId="1101" Source="Microsoft-Windows-StartupRepair" /> <EventRule Id="150" LogId="0" EventId="6005" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" /> </EventRule> <EventRule Id="151" LogId="0" EventId="6005" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" /> </EventRule> <EventRule Id="152" LogId="0" EventId="6005" Source="EventLog"> <LegacyData Position="1" /> <LegacyData Position="2" /> <LegacyData Position="3" /> </EventRule> <EventRule Id="171" LogId="0" EventId="1074" Source="User32"> <LegacyData Position="4" PIIFilter="0x4000" /> <LegacyData Position="5" /> </EventRule> <EventRule Id="172" LogId="0" EventId="1074" Source="User32"> <LegacyData Position="4" PIIFilter="0x4000" /> <LegacyData Position="5" /> </EventRule> <EventRule Id="180" LogId="0" EventId="20" Source="Microsoft-Windows-WindowsUpdateClient"> <CrimsonData Id="374" XPath="Event/EventData/Data[@Name='errorCode']" /> <CrimsonData Id="375" XPath="Event/EventData/Data[@Name='updateTitle']" /> <CrimsonData Id="527" XPath="Event/EventData/Data[@Name='updateGuid']" /> <CrimsonData Id="528" XPath="Event/EventData/Data[@Name='updateRevisionNumber']" /> </EventRule> 
<!-- Event collection rules, Id 181 through 452.
     Each EventRule names an event by LogId, EventId and Source. Its CrimsonData (XPath)
     and LegacyData (Position) children list the event fields the rule refers to, and
     CrimsonMatch / LegacyMatch children carry a value the event is compared against.
     NOTE(review): the meaning of the numeric LogId values and of the PIIFilter bit masks
     is not defined in this part of the file. Confirm both before changing or adding a
     rule, in particular for fields that can hold user names, paths or device identifiers. -->
<EventRule Id="181" LogId="0" EventId="24" Source="Microsoft-Windows-WindowsUpdateClient">
  <CrimsonData Id="380" XPath="Event/EventData/Data[@Name='errorCode']" />
  <CrimsonData Id="381" XPath="Event/EventData/Data[@Name='updatelist']" />
  <CrimsonData Id="531" XPath="Event/EventData/Data[@Name='updateGuid']" />
  <CrimsonData Id="532" XPath="Event/EventData/Data[@Name='updateRevisionNumber']" />
</EventRule>
<!-- Service Control Manager rules: both string positions are collected with a PIIFilter. -->
<EventRule Id="197" LogId="0" EventId="7009" Source="Service Control Manager" LegacyNameMatch="2">
  <LegacyData Position="1" PIIFilter="0x2000" />
  <LegacyData Position="2" PIIFilter="0x40" />
</EventRule>
<EventRule Id="199" LogId="0" EventId="7011" Source="Service Control Manager" LegacyNameMatch="2">
  <LegacyData Position="1" PIIFilter="0x2000" />
  <LegacyData Position="2" PIIFilter="0x40" />
</EventRule>
<EventRule Id="201" LogId="0" EventId="7017" Source="Service Control Manager" LegacyNameMatch="1" />
<EventRule Id="202" LogId="0" EventId="7041" Source="Service Control Manager" LegacyNameMatch="1" />
<!-- LogId -1 appears in this span only together with Source RAC_PS_ETW_PROVIDER
     (rules 203, 204, 311, 312, 401, 402, 403). -->
<EventRule Id="203" LogId="-1" EventId="217" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="204" LogId="-1" EventId="219" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="205" LogId="4" EventId="1010" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="495" XPath="Event/UserData/ResolutionInfo/ReasonCode" />
  <CrimsonData Id="496" XPath="Event/UserData/ResolutionInfo/UserAction" />
  <CrimsonData Id="497" XPath="Event/UserData/ResolutionInfo/MaxCommit" />
</EventRule>
<EventRule Id="206" LogId="4" EventId="1011" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="498" XPath="Event/UserData/ResolutionInfo/ReasonCode" />
  <CrimsonData Id="499" XPath="Event/UserData/ResolutionInfo/UserAction" />
  <CrimsonData Id="500" XPath="Event/UserData/ResolutionInfo/MaxCommit" />
</EventRule>
<EventRule Id="207" LogId="4" EventId="1012" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="501" XPath="Event/UserData/NotificationInfo/Notifications" />
  <CrimsonData Id="502" XPath="Event/UserData/NotificationInfo/UserAction" />
</EventRule>
<EventRule Id="208" LogId="4" EventId="1013" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="503" XPath="Event/UserData/NotificationInfo/Notifications" />
  <CrimsonData Id="504" XPath="Event/UserData/NotificationInfo/UserAction" />
</EventRule>
<!-- Microsoft-Windows-StartupRepair rules 209 through 249.
     RootCause/Info is collected with PIIFilter 0x3 in rules 217, 218, 226, 227 and 233,
     but without any PIIFilter in rules 223, 229, 232, 234 and 235.
     NOTE(review): confirm the unfiltered variants cannot carry file paths or user names. -->
<EventRule Id="209" LogId="0" EventId="1102" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="210" LogId="0" EventId="1103" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="211" LogId="0" EventId="1104" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="212" LogId="0" EventId="1105" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="213" LogId="0" EventId="1106" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="214" LogId="0" EventId="1107" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="215" LogId="0" EventId="1108" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="216" LogId="0" EventId="1109" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="217" LogId="0" EventId="1110" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="22" XPath="Event/UserData/RootCause/Info" PIIFilter="0x3" />
</EventRule>
<EventRule Id="218" LogId="0" EventId="1112" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="23" XPath="Event/UserData/RootCause/Info" PIIFilter="0x3" />
</EventRule>
<EventRule Id="219" LogId="0" EventId="1113" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="220" LogId="0" EventId="1114" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="221" LogId="0" EventId="1115" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="222" LogId="0" EventId="1116" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="223" LogId="0" EventId="1117" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="28" XPath="Event/UserData/RootCause/Info" />
</EventRule>
<EventRule Id="224" LogId="0" EventId="1118" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="225" LogId="0" EventId="1119" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="226" LogId="0" EventId="1120" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="31" XPath="Event/UserData/RootCause/Info" PIIFilter="0x3" />
</EventRule>
<EventRule Id="227" LogId="0" EventId="1121" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="32" XPath="Event/UserData/RootCause/Info" PIIFilter="0x3" />
</EventRule>
<EventRule Id="228" LogId="0" EventId="1122" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="229" LogId="0" EventId="1123" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="34" XPath="Event/UserData/RootCause/Info" />
</EventRule>
<EventRule Id="230" LogId="0" EventId="1124" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="231" LogId="0" EventId="1125" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="232" LogId="0" EventId="1126" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="37" XPath="Event/UserData/RootCause/Info" />
</EventRule>
<EventRule Id="233" LogId="0" EventId="1127" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="38" XPath="Event/UserData/RootCause/Info" PIIFilter="0x3" />
</EventRule>
<EventRule Id="234" LogId="0" EventId="1128" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="39" XPath="Event/UserData/RootCause/Info" />
</EventRule>
<EventRule Id="235" LogId="0" EventId="1129" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="40" XPath="Event/UserData/RootCause/Info" />
</EventRule>
<EventRule Id="236" LogId="0" EventId="1130" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="237" LogId="0" EventId="1131" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="238" LogId="0" EventId="1132" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="239" LogId="0" EventId="1201" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="44" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="240" LogId="0" EventId="1202" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="45" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="241" LogId="0" EventId="1203" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="46" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="242" LogId="0" EventId="1204" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="47" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="243" LogId="0" EventId="1205" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="48" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="244" LogId="0" EventId="1206" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="49" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="245" LogId="0" EventId="1207" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="50" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="246" LogId="0" EventId="1208" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="51" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="247" LogId="0" EventId="1209" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="52" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="248" LogId="0" EventId="1210" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="53" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="249" LogId="0" EventId="1211" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="54" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="257" LogId="0" EventId="7042" Source="Service Control Manager" LegacyNameMatch="1" />
<!-- Microsoft-Windows-Kernel-Power rules: application, driver and instance names carry a
     PIIFilter; the bugcheck fields of EventId 41 are collected without one. -->
<EventRule Id="258" LogId="0" EventId="9" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonData Id="408" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x13" />
</EventRule>
<EventRule Id="259" LogId="0" EventId="10" Source="Microsoft-Windows-Kernel-Power" />
<EventRule Id="260" LogId="0" EventId="40" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonData Id="413" XPath="Event/EventData/Data[@Name='DriverName']" PIIFilter="0x8" />
  <CrimsonData Id="415" XPath="Event/EventData/Data[@Name='InstanceName']" PIIFilter="0x20" />
</EventRule>
<EventRule Id="261" LogId="0" EventId="41" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonData Id="912" XPath="Event/EventData/Data[@Name='BugcheckCode']" />
  <CrimsonData Id="916" XPath="Event/EventData/Data[@Name='BugcheckParameter1']" />
  <CrimsonData Id="917" XPath="Event/EventData/Data[@Name='BugcheckParameter2']" />
  <CrimsonData Id="918" XPath="Event/EventData/Data[@Name='BugcheckParameter3']" />
  <CrimsonData Id="919" XPath="Event/EventData/Data[@Name='BugcheckParameter4']" />
  <CrimsonData Id="914" XPath="Event/EventData/Data[@Name='SleepInProgress']" />
  <CrimsonData Id="915" XPath="Event/EventData/Data[@Name='PowerButtonTimestamp']" />
</EventRule>
<!-- Process image names in the leak and exhaustion rules below carry PIIFilter 0x2;
     process id and creation time are collected unfiltered. -->
<EventRule Id="262" LogId="5" EventId="1003" Source="Microsoft-Windows-Resource-Leak-Diagnostic">
  <CrimsonData Id="251" XPath="Event/UserData/ProcessInfo/ProcessImageName" PIIFilter="0x2" />
  <CrimsonData Id="252" XPath="Event/UserData/ProcessInfo/ProcessCreationTime" />
  <CrimsonData Id="253" XPath="Event/UserData/ProcessInfo/ProcessId" />
</EventRule>
<EventRule Id="263" LogId="5" EventId="1004" Source="Microsoft-Windows-Resource-Leak-Diagnostic">
  <CrimsonData Id="254" XPath="Event/UserData/ProcessInfo/ProcessImageName" PIIFilter="0x2" />
  <CrimsonData Id="255" XPath="Event/UserData/ProcessInfo/ProcessCreationTime" />
  <CrimsonData Id="256" XPath="Event/UserData/ProcessInfo/ProcessId" />
</EventRule>
<EventRule Id="265" LogId="0" EventId="23" Source="Microsoft-Windows-WindowsUpdateClient">
  <CrimsonData Id="379" XPath="Event/EventData/Data[@Name='updateTitle']" />
  <CrimsonData Id="529" XPath="Event/EventData/Data[@Name='updateGuid']" />
  <CrimsonData Id="530" XPath="Event/EventData/Data[@Name='updateRevisionNumber']" />
</EventRule>
<EventRule Id="271" LogId="4" EventId="1014" Source="Microsoft-Windows-Resource-Exhaustion-Resolver" >
  <CrimsonData Id="257" XPath="Event/UserData/DroppedLeakDiagnosisEventInfo/ProcessImageName" PIIFilter="0x2" />
  <CrimsonData Id="258" XPath="Event/UserData/DroppedLeakDiagnosisEventInfo/ProcessId" />
  <CrimsonData Id="259" XPath="Event/UserData/DroppedLeakDiagnosisEventInfo/ProcessCreationTime" />
  <CrimsonData Id="260" XPath="Event/UserData/DroppedLeakDiagnosisEventInfo/DropReasonCode" />
</EventRule>
<EventRule Id="280" LogId="0" EventId="17" Source="Microsoft-Windows-WindowsUpdateClient" />
<EventRule Id="281" LogId="0" EventId="18" Source="Microsoft-Windows-WindowsUpdateClient" />
<EventRule Id="303" LogId="2" EventId="5" Source="Microsoft-Windows-Diagnosis-DPS">
  <CrimsonData Id="327" XPath="Event/EventData/Data[@Name='ScenarioId']" />
</EventRule>
<EventRule Id="311" LogId="-1" EventId="213" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="312" LogId="-1" EventId="215" Source="RAC_PS_ETW_PROVIDER" />
<!-- Kernel-General EventId 1 carries NewTime and OldTime, so this rule is tied to a
     change of the system time. -->
<EventRule Id="314" LogId="0" EventId="1" Source="Microsoft-Windows-Kernel-General">
  <CrimsonData Id="298" XPath="Event/EventData/Data[@Name='NewTime']" />
  <CrimsonData Id="299" XPath="Event/EventData/Data[@Name='OldTime']" />
</EventRule>
<!-- Rules 315 and 339 both match UserPnp EventId 20001 and are told apart only by the
     CrimsonMatch on RebootOption (Match 0 and Match 1). Rule 339 sits out of Id order here.
     Driver name, provider and device instance id each carry a PIIFilter in both rules. -->
<EventRule Id="315" LogId="0" EventId="20001" Source="Microsoft-Windows-UserPnp">
  <CrimsonMatch XPath="Event/UserData/InstallDeviceID/RebootOption" cchMatch="1" Match="0"/>
  <CrimsonData Id="300" XPath="Event/UserData/InstallDeviceID/DriverName" PIIFilter="0x13" />
  <CrimsonData Id="301" XPath="Event/UserData/InstallDeviceID/DriverVersion" />
  <CrimsonData Id="302" XPath="Event/UserData/InstallDeviceID/DriverProvider" PIIFilter="0x8" />
  <CrimsonData Id="303" XPath="Event/UserData/InstallDeviceID/DeviceInstanceID" PIIFilter="0x20" />
  <CrimsonData Id="304" XPath="Event/UserData/InstallDeviceID/SetupClass" />
  <CrimsonData Id="305" XPath="Event/UserData/InstallDeviceID/RebootOption" />
  <CrimsonData Id="306" XPath="Event/UserData/InstallDeviceID/UpgradeDevice" />
  <CrimsonData Id="307" XPath="Event/UserData/InstallDeviceID/InstallStatus" />
  <CrimsonData Id="594" XPath="Event/UserData/InstallDeviceID/DriverDescription" />
</EventRule>
<EventRule Id="339" LogId="0" EventId="20001" Source="Microsoft-Windows-UserPnp">
  <CrimsonMatch XPath="Event/UserData/InstallDeviceID/RebootOption" cchMatch="1" Match="1"/>
  <CrimsonData Id="515" XPath="Event/UserData/InstallDeviceID/DriverName" PIIFilter="0x13" />
  <CrimsonData Id="516" XPath="Event/UserData/InstallDeviceID/DriverVersion" />
  <CrimsonData Id="517" XPath="Event/UserData/InstallDeviceID/DriverProvider" PIIFilter="0x8" />
  <CrimsonData Id="518" XPath="Event/UserData/InstallDeviceID/DeviceInstanceID" PIIFilter="0x20" />
  <CrimsonData Id="519" XPath="Event/UserData/InstallDeviceID/SetupClass" />
  <CrimsonData Id="520" XPath="Event/UserData/InstallDeviceID/RebootOption" />
  <CrimsonData Id="521" XPath="Event/UserData/InstallDeviceID/UpgradeDevice" />
  <CrimsonData Id="522" XPath="Event/UserData/InstallDeviceID/InstallStatus" />
  <CrimsonData Id="595" XPath="Event/UserData/InstallDeviceID/DriverDescription" />
</EventRule>
<EventRule Id="316" LogId="0" EventId="20002" Source="Microsoft-Windows-UserPnp" />
<EventRule Id="317" LogId="0" EventId="20003" Source="Microsoft-Windows-UserPnp">
  <CrimsonData Id="316" XPath="Event/UserData/AddServiceID/ServiceName" PIIFilter="0x40" />
  <CrimsonData Id="317" XPath="Event/UserData/AddServiceID/DriverFileName" PIIFilter="0x13" />
  <CrimsonData Id="318" XPath="Event/UserData/AddServiceID/DeviceInstanceID" PIIFilter="0x20" />
  <CrimsonData Id="319" XPath="Event/UserData/AddServiceID/PrimaryService" />
  <CrimsonData Id="320" XPath="Event/UserData/AddServiceID/AddServiceStatus" />
</EventRule>
<EventRule Id="318" LogId="0" EventId="20004" Source="Microsoft-Windows-UserPnp" />
<!-- HardwareID is collected without a PIIFilter, unlike the DeviceInstanceID and DeviceId
     fields elsewhere in this span, which carry 0x20.
     NOTE(review): confirm that the difference is intended. -->
<EventRule Id="320" LogId="0" EventId="1" Source="Microsoft-Windows-DiskDiagnostic">
  <CrimsonData Id="726" XPath="Event/EventData/Data[@Name='HardwareID']" />
</EventRule>
<EventRule Id="321" LogId="1" EventId="10001" Source="Microsoft-Windows-Winsrv">
  <CrimsonData Id="391" XPath="Event/UserData/VetoAppEvent/AppName" PIIFilter="0x2" />
  <CrimsonData Id="557" XPath="Event/UserData/VetoAppEvent/ResponseTime" />
</EventRule>
<EventRule Id="322" LogId="1" EventId="10002" Source="Microsoft-Windows-Winsrv">
  <CrimsonData Id="392" XPath="Event/UserData/HungAppEvent/AppName" PIIFilter="0x2" />
</EventRule>
<EventRule Id="325" LogId="4" EventId="1015" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="486" XPath="Event/UserData/EventInfo/Event" />
</EventRule>
<EventRule Id="326" LogId="4" EventId="1016" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="487" XPath="Event/UserData/GenericResolutionFailure/ResolutionAttempted" />
  <CrimsonData Id="488" XPath="Event/UserData/GenericResolutionFailure/ErrorCode" />
</EventRule>
<EventRule Id="327" LogId="4" EventId="1017" Source="Microsoft-Windows-Resource-Exhaustion-Resolver">
  <CrimsonData Id="489" XPath="Event/UserData/UICloseInfo/DisplayUpTime" />
  <CrimsonData Id="490" XPath="Event/UserData/UICloseInfo/UserAction" />
  <CrimsonData Id="491" XPath="Event/UserData/UICloseInfo/MaxCommit" />
</EventRule>
<EventRule Id="328" LogId="0" EventId="1133" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="329" LogId="0" EventId="1134" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="330" LogId="0" EventId="1135" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="331" LogId="0" EventId="1212" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="511" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<EventRule Id="332" LogId="0" EventId="1213" Source="Microsoft-Windows-StartupRepair">
  <CrimsonData Id="513" XPath="Event/UserData/Repair/RepairStatus" />
</EventRule>
<!-- Rules 333 to 338 split Kernel-Power EventId 42 and Power-Troubleshooter EventId 1
     by the TargetState value (Match 2, 4 and 5); they collect no data fields. -->
<EventRule Id="333" LogId="0" EventId="42" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="2" />
</EventRule>
<EventRule Id="334" LogId="0" EventId="42" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="4" />
</EventRule>
<EventRule Id="335" LogId="0" EventId="42" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="5" />
</EventRule>
<EventRule Id="336" LogId="0" EventId="1" Source="Microsoft-Windows-Power-Troubleshooter">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="2" />
</EventRule>
<EventRule Id="337" LogId="0" EventId="1" Source="Microsoft-Windows-Power-Troubleshooter">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="4" />
</EventRule>
<EventRule Id="338" LogId="0" EventId="1" Source="Microsoft-Windows-Power-Troubleshooter">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="5" />
</EventRule>
<!-- MsiInstaller EventIds 1033 to 1037 each have two rules that differ only in the
     LegacyMatch element: one without cchMatch and one with cchMatch="0xfffffffe".
     NOTE(review): presumably cchMatch changes how the Match value is compared; confirm
     before editing either rule of a pair. Every string position that carries a PIIFilter
     does so identically in both rules of a pair. -->
<EventRule Id="340" LogId="1" EventId="1033" Source="MsiInstaller" >
  <LegacyMatch Position="4" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x2000" />
  <LegacyData Position="5" />
</EventRule>
<EventRule Id="346" LogId="1" EventId="1033" Source="MsiInstaller" >
  <LegacyMatch Position="4" cchMatch="0xfffffffe" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x2000" />
  <LegacyData Position="5" />
</EventRule>
<EventRule Id="341" LogId="1" EventId="1034" Source="MsiInstaller" >
  <LegacyMatch Position="4" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x2000" />
  <LegacyData Position="5" />
</EventRule>
<EventRule Id="347" LogId="1" EventId="1034" Source="MsiInstaller" >
  <LegacyMatch Position="4" cchMatch="0xfffffffe" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x2000" />
  <LegacyData Position="5" />
</EventRule>
<EventRule Id="342" LogId="1" EventId="1035" Source="MsiInstaller" >
  <LegacyMatch Position="4" Match="0" />
</EventRule>
<EventRule Id="348" LogId="1" EventId="1035" Source="MsiInstaller" >
  <LegacyMatch Position="4" cchMatch="0xfffffffe" Match="0" />
</EventRule>
<EventRule Id="343" LogId="1" EventId="1036" Source="MsiInstaller" >
  <LegacyMatch Position="5" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x104" />
  <LegacyData Position="5" PIIFilter="0x2000" />
  <LegacyData Position="6" />
</EventRule>
<EventRule Id="349" LogId="1" EventId="1036" Source="MsiInstaller" >
  <LegacyMatch Position="5" cchMatch="0xfffffffe" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x104" />
  <LegacyData Position="5" PIIFilter="0x2000" />
  <LegacyData Position="6" />
</EventRule>
<EventRule Id="344" LogId="1" EventId="1037" Source="MsiInstaller" >
  <LegacyMatch Position="5" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x104" />
  <LegacyData Position="5" PIIFilter="0x2000" />
  <LegacyData Position="6" />
</EventRule>
<EventRule Id="350" LogId="1" EventId="1037" Source="MsiInstaller" >
  <LegacyMatch Position="5" cchMatch="0xfffffffe" Match="0" />
  <LegacyData Position="1" PIIFilter="0x104" />
  <LegacyData Position="2" />
  <LegacyData Position="3" PIIFilter="0x2000" />
  <LegacyData Position="4" PIIFilter="0x104" />
  <LegacyData Position="5" PIIFilter="0x2000" />
  <LegacyData Position="6" />
</EventRule>
<EventRule Id="345" LogId="1" EventId="1038" Source="MsiInstaller" />
<EventRule Id="361" LogId="7" EventId="2004" Source="Microsoft-Windows-Reliability-Analysis-Engine">
  <CrimsonData Id="597" XPath="Event/UserData/ProcessInfo/RacError" />
  <CrimsonData Id="598" XPath="Event/UserData/ProcessInfo/WinError" />
</EventRule>
<EventRule Id="362" LogId="7" EventId="2005" Source="Microsoft-Windows-Reliability-Analysis-Engine">
  <CrimsonData Id="599" XPath="Event/UserData/ProcessInfo/Stability" />
  <CrimsonData Id="600" XPath="Event/UserData/ProcessInfo/Date" />
</EventRule>
<!-- Rules 363 and 364 both match Application Popup EventId 1801 with position 1 equal to
     0xc0000709; they differ only in the value required at position 2 (0x127 and 0x12b). -->
<EventRule Id="363" LogId="0" EventId="1801" Source="Application Popup">
  <LegacyMatch Position="1" Match="0xc0000709" />
  <LegacyMatch Position="2" Match="0x127" />
  <LegacyData Position="1" />
  <LegacyData Position="2" />
  <LegacyData Position="3" />
  <LegacyData Position="4" />
</EventRule>
<EventRule Id="364" LogId="0" EventId="1801" Source="Application Popup">
  <LegacyMatch Position="1" Match="0xc0000709" />
  <LegacyMatch Position="2" Match="0x12b" />
  <LegacyData Position="1" />
  <LegacyData Position="2" />
  <LegacyData Position="3" />
  <LegacyData Position="4" />
</EventRule>
<!-- ExePath is listed twice in rule 384: as Id 718 with PIIFilter 0x200 and as Id 727
     with PIIFilter 0x400. NOTE(review): presumably two differently filtered views of the
     same path; verify that neither yields the full user profile path. -->
<EventRule Id="384" LogId="10" EventId="500" Source="Microsoft-Windows-Application-Experience">
  <CrimsonData Id="693" XPath="Event/UserData/CompatibilityFixEvent/StartTime" />
  <CrimsonData Id="694" XPath="Event/UserData/CompatibilityFixEvent/FixID" />
  <CrimsonData Id="695" XPath="Event/UserData/CompatibilityFixEvent/Flags" />
  <CrimsonData Id="696" XPath="Event/UserData/CompatibilityFixEvent/FixName" />
  <CrimsonData Id="718" XPath="Event/UserData/CompatibilityFixEvent/ExePath" PIIFilter="0x200" />
  <CrimsonData Id="719" XPath="Event/UserData/CompatibilityFixEvent/ProcessId" />
  <CrimsonData Id="727" XPath="Event/UserData/CompatibilityFixEvent/ExePath" PIIFilter="0x400" />
</EventRule>
<!-- Microsoft-Windows-Eventlog rules 385 to 389 cover event log health. By their XPaths
     they concern a corrupt log being moved, a fatal channel error, a cleared log file
     (EventId 104), log data loss and a full log. Channel names are collected unfiltered.
     A cleared log is also a signal that monitoring commonly alerts on. -->
<EventRule Id="385" LogId="0" EventId="25" Source="Microsoft-Windows-Eventlog">
  <CrimsonData Id="697" XPath="Event/UserData/InitChannelMovedCorruptLog/ChannelPath" />
</EventRule>
<EventRule Id="386" LogId="0" EventId="29" Source="Microsoft-Windows-Eventlog">
  <CrimsonData Id="698" XPath="Event/UserData/PrimaryChannelFatalError/Error/@Code" />
  <CrimsonData Id="699" XPath="Event/UserData/PrimaryChannelFatalError/ChannelPath" />
</EventRule>
<EventRule Id="387" LogId="0" EventId="104" Source="Microsoft-Windows-Eventlog">
  <CrimsonData Id="700" XPath="Event/UserData/LogFileCleared/Channel" />
</EventRule>
<EventRule Id="388" LogId="0" EventId="106" Source="Microsoft-Windows-Eventlog">
  <CrimsonData Id="701" XPath="Event/UserData/LogDataLoss/Channel" />
</EventRule>
<EventRule Id="389" LogId="0" EventId="6000" Source="Microsoft-Windows-Eventlog">
  <CrimsonData Id="702" XPath="Event/UserData/LogFull/Channel" />
</EventRule>
<EventRule Id="390" LogId="1" EventId="3002" Source="Wininit" />
<EventRule Id="391" LogId="1" EventId="3003" Source="Wininit" />
<EventRule Id="392" LogId="1" EventId="3004" Source="Wininit" />
<EventRule Id="393" LogId="1" EventId="3005" Source="Wininit" />
<EventRule Id="394" LogId="1" EventId="4005" Source="Winlogon" />
<EventRule Id="395" LogId="0" EventId="7043" Source="Service Control Manager">
  <LegacyData Position="1" PIIFilter="0x40" />
</EventRule>
<EventRule Id="396" LogId="0" EventId="7044" Source="Service Control Manager">
  <LegacyData Position="1" PIIFilter="0x40" />
  <LegacyData Position="2" PIIFilter="0x2000" />
</EventRule>
<!-- The @Name values in rule 399 contain spaces and mixed case; they are matched as
     literal strings inside the XPath predicate, so keep them exactly as written. -->
<EventRule Id="399" LogId="0" EventId="2003" Source="Microsoft-Windows-Setup">
  <CrimsonData Id="797" XPath="Event/EventData/Data[@Name='Host OS Name']" />
  <CrimsonData Id="798" XPath="Event/EventData/Data[@Name='Install was an upgrade']" />
  <CrimsonData Id="799" XPath="Event/EventData/Data[@Name='Host OS was Windows PE']" />
  <CrimsonData Id="800" XPath="Event/EventData/Data[@Name='Host OS major version']" />
  <CrimsonData Id="801" XPath="Event/EventData/Data[@Name='Host OS minor version']" />
  <CrimsonData Id="802" XPath="Event/EventData/Data[@Name='Host OS build version']" />
  <CrimsonData Id="803" XPath="Event/EventData/Data[@Name='Host OS service pack Name']" />
  <CrimsonData Id="804" XPath="Event/EventData/Data[@Name='Host OS service pack major version']" />
  <CrimsonData Id="805" XPath="Event/EventData/Data[@Name='Host OS service pack minor version']" />
</EventRule>
<EventRule Id="401" LogId="-1" EventId="221" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="402" LogId="-1" EventId="223" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="403" LogId="-1" EventId="225" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="405" LogId="0" EventId="4101" Source="Display">
  <LegacyData Position="1" />
</EventRule>
<!-- Kernel-EventTracing rules 409 to 413: SessionName always carries PIIFilter 0x1;
     ErrorCode, LoggingMode and MaxFileSize are collected unfiltered. -->
<EventRule Id="409" LogId="12" EventId="0" Source="Microsoft-Windows-Kernel-EventTracing">
  <CrimsonData Id="752" XPath="Event/EventData/Data[@Name='SessionName']" PIIFilter="0x1" />
  <CrimsonData Id="754" XPath="Event/EventData/Data[@Name='ErrorCode']" />
</EventRule>
<EventRule Id="410" LogId="12" EventId="1" Source="Microsoft-Windows-Kernel-EventTracing">
  <CrimsonData Id="755" XPath="Event/EventData/Data[@Name='SessionName']" PIIFilter="0x1" />
  <CrimsonData Id="756" XPath="Event/EventData/Data[@Name='ErrorCode']" />
  <CrimsonData Id="757" XPath="Event/EventData/Data[@Name='LoggingMode']" />
</EventRule>
<EventRule Id="411" LogId="12" EventId="2" Source="Microsoft-Windows-Kernel-EventTracing">
  <CrimsonData Id="758" XPath="Event/EventData/Data[@Name='SessionName']" PIIFilter="0x1" />
  <CrimsonData Id="760" XPath="Event/EventData/Data[@Name='ErrorCode']" />
  <CrimsonData Id="761" XPath="Event/EventData/Data[@Name='LoggingMode']" />
</EventRule>
<EventRule Id="412" LogId="12" EventId="3" Source="Microsoft-Windows-Kernel-EventTracing">
  <CrimsonData Id="762" XPath="Event/EventData/Data[@Name='SessionName']" PIIFilter="0x1" />
  <CrimsonData Id="764" XPath="Event/EventData/Data[@Name='ErrorCode']" />
  <CrimsonData Id="765" XPath="Event/EventData/Data[@Name='LoggingMode']" />
</EventRule>
<EventRule Id="413" LogId="12" EventId="4" Source="Microsoft-Windows-Kernel-EventTracing">
  <CrimsonData Id="766" XPath="Event/EventData/Data[@Name='SessionName']" PIIFilter="0x1" />
  <CrimsonData Id="768" XPath="Event/EventData/Data[@Name='ErrorCode']" />
  <CrimsonData Id="769" XPath="Event/EventData/Data[@Name='LoggingMode']" />
  <CrimsonData Id="770" XPath="Event/EventData/Data[@Name='MaxFileSize']" />
</EventRule>
<EventRule Id="414" LogId="0" EventId="86" Source="Microsoft-Windows-Kernel-Power" />
<EventRule Id="415" LogId="0" EventId="88" Source="Microsoft-Windows-Kernel-Power" />
<EventRule Id="416" LogId="0" EventId="5" Source="Microsoft-Windows-Kernel-General" />
<EventRule Id="417" LogId="0" EventId="6" Source="Microsoft-Windows-Kernel-General" />
<!-- CorruptedFileRecovery-Server rules 418 to 423: file and application names carry
     PIIFilter 0x3 throughout, and ProductName in rule 422 carries 0x104. -->
<EventRule Id="418" LogId="0" EventId="6" Source="Microsoft-Windows-CorruptedFileRecovery-Server">
  <CrimsonData Id="771" XPath="Event/EventData/Data[@Name='FileName']" PIIFilter="0x3" />
  <CrimsonData Id="772" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x3" />
  <CrimsonData Id="773" XPath="Event/EventData/Data[@Name='ErrorCode']" />
</EventRule>
<EventRule Id="419" LogId="0" EventId="8" Source="Microsoft-Windows-CorruptedFileRecovery-Server">
  <CrimsonData Id="774" XPath="Event/EventData/Data[@Name='FileName']" PIIFilter="0x3" />
  <CrimsonData Id="775" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x3" />
</EventRule>
<EventRule Id="420" LogId="0" EventId="10" Source="Microsoft-Windows-CorruptedFileRecovery-Server">
  <CrimsonData Id="776" XPath="Event/EventData/Data[@Name='FileName']" PIIFilter="0x3" />
  <CrimsonData Id="777" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x3" />
  <CrimsonData Id="778" XPath="Event/EventData/Data[@Name='ErrorCode']" />
</EventRule>
<EventRule Id="421" LogId="0" EventId="11" Source="Microsoft-Windows-CorruptedFileRecovery-Server">
  <CrimsonData Id="779" XPath="Event/EventData/Data[@Name='FileName']" PIIFilter="0x3" />
  <CrimsonData Id="780" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x3" />
</EventRule>
<EventRule Id="422" LogId="0" EventId="12" Source="Microsoft-Windows-CorruptedFileRecovery-Server">
  <CrimsonData Id="781" XPath="Event/EventData/Data[@Name='FilePath']" PIIFilter="0x3" />
  <CrimsonData Id="782" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x3" />
  <CrimsonData Id="783" XPath="Event/EventData/Data[@Name='ProductName']" PIIFilter="0x104" />
  <CrimsonData Id="784" XPath="Event/EventData/Data[@Name='ProductVersion']" />
</EventRule>
<EventRule Id="423" LogId="0" EventId="14" Source="Microsoft-Windows-CorruptedFileRecovery-Server">
  <CrimsonData Id="785" XPath="Event/EventData/Data[@Name='FileName']" PIIFilter="0x3" />
  <CrimsonData Id="786" XPath="Event/EventData/Data[@Name='AppName']" PIIFilter="0x3" />
</EventRule>
<EventRule Id="424" LogId="0" EventId="130" Source="Ntfs" />
<EventRule Id="425" LogId="0" EventId="131" Source="Ntfs" />
<EventRule Id="426" LogId="0" EventId="132" Source="Ntfs" />
<EventRule Id="427" LogId="0" EventId="133" Source="Ntfs" />
<EventRule Id="428" LogId="0" EventId="10000" Source="Microsoft-Windows-DriverFrameworks-UserMode">
  <CrimsonData Id="787" XPath="Event/UserData/UMDFDeviceInstallBegin/DeviceId" PIIFilter="0x20" />
  <CrimsonData Id="788" XPath="Event/UserData/UMDFDeviceInstallBegin/@version" />
</EventRule>
<EventRule Id="429" LogId="0" EventId="10100" Source="Microsoft-Windows-DriverFrameworks-UserMode">
  <CrimsonData Id="789" XPath="Event/UserData/UMDFDeviceInstallEnd/FinalStatus" />
</EventRule>
<EventRule Id="430" LogId="0" EventId="10101" Source="Microsoft-Windows-DriverFrameworks-UserMode">
  <CrimsonData Id="790" XPath="Event/UserData/UMDFDeviceInstallEnd/FinalStatus" />
</EventRule>
<EventRule Id="431" LogId="0" EventId="10110" Source="Microsoft-Windows-DriverFrameworks-UserMode" />
<EventRule Id="432" LogId="0" EventId="10111" Source="Microsoft-Windows-DriverFrameworks-UserMode" />
<EventRule Id="433" LogId="0" EventId="10112" Source="Microsoft-Windows-DriverFrameworks-UserMode" />
<!-- Microsoft-Windows-WHEA-Logger rules 434 to 452 match on EventId alone and collect
     no data fields. -->
<EventRule Id="434" LogId="0" EventId="1" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="435" LogId="0" EventId="2" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="436" LogId="0" EventId="3" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="437" LogId="0" EventId="16" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="438" LogId="0" EventId="17" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="439" LogId="0" EventId="18" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="440" LogId="0" EventId="19" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="441" LogId="0" EventId="20" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="442" LogId="0" EventId="21" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="443" LogId="0" EventId="22" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="444" LogId="0" EventId="23" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="445" LogId="0" EventId="24" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="446" LogId="0" EventId="25" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="447" LogId="0" EventId="26" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="448" LogId="0" EventId="27" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="449" LogId="0" EventId="38" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="450" LogId="0" EventId="39" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="451" LogId="0" EventId="40" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="452" LogId="0" EventId="41" Source="Microsoft-Windows-WHEA-Logger" />
<!-- Continuation of the EventRules list (its opening tag is earlier in the file).
     Each EventRule identifies one event by LogId, EventId and Source. Child
     CrimsonData / LegacyData elements name the fields (by XPath) or positional
     strings listed for that event. CrimsonMatch presumably restricts a rule to
     events whose field equals Match (TODO confirm against the consuming agent).
     PIIFilter values seen below (0x3, 0x13, 0x20, 0x40, 0x10000) look like bit
     flags; their meaning is not defined in this file.
     Rule Ids are not contiguous (460 is followed by 476, 484 by 488, and so on). -->

<!-- WHEA-Logger (hardware error) events 42 to 45: no data fields listed. -->
<EventRule Id="453" LogId="0" EventId="42" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="454" LogId="0" EventId="43" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="455" LogId="0" EventId="44" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="456" LogId="0" EventId="45" Source="Microsoft-Windows-WHEA-Logger" />
<EventRule Id="457" LogId="1" EventId="3005" Source="Microsoft-Windows-Wininit" />
<EventRule Id="458" LogId="0" EventId="244" Source="Win32k" />
<EventRule Id="459" LogId="0" EventId="1137" Source="Microsoft-Windows-StartupRepair" />
<EventRule Id="460" LogId="0" EventId="1138" Source="Microsoft-Windows-StartupRepair" />
<!-- Service Control Manager 7026: one positional string, with PIIFilter 0x40. -->
<EventRule Id="476" LogId="0" EventId="7026" Source="Service Control Manager">
  <LegacyData Position="1" PIIFilter="0x40" />
</EventRule>
<!-- Kernel-General event 12 is covered by four rules (477, 479, 480, 481). Each
     matches a different one-character BootMode value (0, 1, 2, 3) and lists the
     same seven fields under its own range of data Ids. Rule 478 (event 13)
     lists only StopTime. -->
<EventRule Id="477" LogId="0" EventId="12" Source="Microsoft-Windows-Kernel-General">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='BootMode']" cchMatch="1" Match="0" />
  <CrimsonData Id="883" XPath="Event/EventData/Data[@Name='MajorVersion']" />
  <CrimsonData Id="884" XPath="Event/EventData/Data[@Name='MinorVersion']" />
  <CrimsonData Id="885" XPath="Event/EventData/Data[@Name='BuildVersion']" />
  <CrimsonData Id="886" XPath="Event/EventData/Data[@Name='QfeVersion']" />
  <CrimsonData Id="887" XPath="Event/EventData/Data[@Name='ServiceVersion']" />
  <CrimsonData Id="888" XPath="Event/EventData/Data[@Name='BootMode']" />
  <CrimsonData Id="889" XPath="Event/EventData/Data[@Name='StartTime']" />
</EventRule>
<EventRule Id="478" LogId="0" EventId="13" Source="Microsoft-Windows-Kernel-General">
  <CrimsonData Id="890" XPath="Event/EventData/Data[@Name='StopTime']" />
</EventRule>
<EventRule Id="479" LogId="0" EventId="12" Source="Microsoft-Windows-Kernel-General">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='BootMode']" cchMatch="1" Match="1" />
  <CrimsonData Id="891" XPath="Event/EventData/Data[@Name='MajorVersion']" />
  <CrimsonData Id="892" XPath="Event/EventData/Data[@Name='MinorVersion']" />
  <CrimsonData Id="893" XPath="Event/EventData/Data[@Name='BuildVersion']" />
  <CrimsonData Id="894" XPath="Event/EventData/Data[@Name='QfeVersion']" />
  <CrimsonData Id="895" XPath="Event/EventData/Data[@Name='ServiceVersion']" />
  <CrimsonData Id="896" XPath="Event/EventData/Data[@Name='BootMode']" />
  <CrimsonData Id="897" XPath="Event/EventData/Data[@Name='StartTime']" />
</EventRule>
<EventRule Id="480" LogId="0" EventId="12" Source="Microsoft-Windows-Kernel-General">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='BootMode']" cchMatch="1" Match="2" />
  <CrimsonData Id="898" XPath="Event/EventData/Data[@Name='MajorVersion']" />
  <CrimsonData Id="899" XPath="Event/EventData/Data[@Name='MinorVersion']" />
  <CrimsonData Id="900" XPath="Event/EventData/Data[@Name='BuildVersion']" />
  <CrimsonData Id="901" XPath="Event/EventData/Data[@Name='QfeVersion']" />
  <CrimsonData Id="902" XPath="Event/EventData/Data[@Name='ServiceVersion']" />
  <CrimsonData Id="903" XPath="Event/EventData/Data[@Name='BootMode']" />
  <CrimsonData Id="904" XPath="Event/EventData/Data[@Name='StartTime']" />
</EventRule>
<EventRule Id="481" LogId="0" EventId="12" Source="Microsoft-Windows-Kernel-General">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='BootMode']" cchMatch="1" Match="3" />
  <CrimsonData Id="905" XPath="Event/EventData/Data[@Name='MajorVersion']" />
  <CrimsonData Id="906" XPath="Event/EventData/Data[@Name='MinorVersion']" />
  <CrimsonData Id="907" XPath="Event/EventData/Data[@Name='BuildVersion']" />
  <CrimsonData Id="908" XPath="Event/EventData/Data[@Name='QfeVersion']" />
  <CrimsonData Id="909" XPath="Event/EventData/Data[@Name='ServiceVersion']" />
  <CrimsonData Id="910" XPath="Event/EventData/Data[@Name='BootMode']" />
  <CrimsonData Id="911" XPath="Event/EventData/Data[@Name='StartTime']" />
</EventRule>
<!-- Fault-Tolerant-Heap 1003: FthEnabledProcessName is listed without a
     PIIFilter, while ProcessName in rules 484 and 530 carries one.
     NOTE(review): confirm the difference is intended. -->
<EventRule Id="482" LogId="15" EventId="1003" Source="Microsoft-Windows-Fault-Tolerant-Heap">
  <CrimsonData Id="920" XPath="Event/UserData/FTHDisplayInfo/FthEnabledPID" />
  <CrimsonData Id="921" XPath="Event/UserData/FTHDisplayInfo/FthEnabledProcessName" />
  <CrimsonData Id="922" XPath="Event/UserData/FTHDisplayInfo/FthEnabledProcessStartup" />
</EventRule>
<EventRule Id="483" LogId="16" EventId="18" Source="Microsoft-Windows-Audio" />
<EventRule Id="484" LogId="0" EventId="225" Source="Microsoft-Windows-Kernel-PnP">
  <CrimsonData Id="923" XPath="Event/EventData/Data[@Name='ProcessId']" />
  <CrimsonData Id="924" XPath="Event/EventData/Data[@Name='ProcessName']" PIIFilter="0x3" />
  <CrimsonData Id="925" XPath="Event/EventData/Data[@Name='DeviceInstance']" PIIFilter="0x20" />
</EventRule>
<EventRule Id="488" LogId="1" EventId="1" Source="Application-Addon-Event-Provider" />
<EventRule Id="489" LogId="1" EventId="2" Source="Application-Addon-Event-Provider" />
<!-- Microsoft Antimalware: events 1006/1007/1008 and 1116/1117/1118 list
     positional strings (LegacyData Position); 1000, 1001, 1002 and 1005 list
     none. No PIIFilter is set on any of these positions.
     NOTE(review): confirm which event fields these positions map to (for
     example threat name, path or user) before treating the collected data as
     free of personal information. -->
<EventRule Id="490" LogId="0" EventId="1006" Source="Microsoft Antimalware">
  <LegacyData Position="11" />
</EventRule>
<EventRule Id="491" LogId="0" EventId="1116" Source="Microsoft Antimalware">
  <LegacyData Position="8" />
</EventRule>
<EventRule Id="492" LogId="0" EventId="1007" Source="Microsoft Antimalware">
  <LegacyData Position="11" />
  <LegacyData Position="20" />
</EventRule>
<EventRule Id="493" LogId="0" EventId="1117" Source="Microsoft Antimalware">
  <LegacyData Position="8" />
  <LegacyData Position="31" />
</EventRule>
<EventRule Id="494" LogId="0" EventId="1008" Source="Microsoft Antimalware">
  <LegacyData Position="11" />
  <LegacyData Position="20" />
  <LegacyData Position="21" />
</EventRule>
<EventRule Id="495" LogId="0" EventId="1118" Source="Microsoft Antimalware">
  <LegacyData Position="8" />
  <LegacyData Position="31" />
  <LegacyData Position="33" />
</EventRule>
<EventRule Id="496" LogId="0" EventId="1000" Source="Microsoft Antimalware" />
<EventRule Id="497" LogId="0" EventId="1001" Source="Microsoft Antimalware" />
<EventRule Id="498" LogId="0" EventId="1002" Source="Microsoft Antimalware" />
<EventRule Id="499" LogId="0" EventId="1005" Source="Microsoft Antimalware" />
<!-- Kernel-ShimEngine events 3 and 4: driver/device shim details, no PIIFilter. -->
<EventRule Id="502" LogId="17" EventId="3" Source="Microsoft-Windows-Kernel-ShimEngine">
  <CrimsonData Id="926" XPath="Event/EventData/Data[@Name='DriverName']" />
  <CrimsonData Id="927" XPath="Event/EventData/Data[@Name='ShimSource']" />
  <CrimsonData Id="928" XPath="Event/EventData/Data[@Name='ShimCount']" />
  <CrimsonData Id="929" XPath="Event/EventData/Data[@Name='AppliedGuids']" />
</EventRule>
<EventRule Id="503" LogId="17" EventId="4" Source="Microsoft-Windows-Kernel-ShimEngine">
  <CrimsonData Id="930" XPath="Event/EventData/Data[@Name='DeviceName']" />
  <CrimsonData Id="931" XPath="Event/EventData/Data[@Name='DeviceClass']"/>
  <CrimsonData Id="932" XPath="Event/EventData/Data[@Name='FlagSource']" />
  <CrimsonData Id="933" XPath="Event/EventData/Data[@Name='Flags']" />
</EventRule>
<!-- AppXDeployment-Server event 400 is split by DeploymentOperation value:
     rules 504, 505, 506 match 1, 2, 3 here and rule 513 further down matches 6.
     Each lists PackageFullName under its own data Id. -->
<EventRule Id="504" LogId="18" EventId="400" Source="Microsoft-Windows-AppXDeployment-Server">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='DeploymentOperation']" cchMatch="1" Match="1"/>
  <CrimsonData Id="934" XPath="Event/EventData/Data[@Name='PackageFullName']" />
</EventRule>
<EventRule Id="505" LogId="18" EventId="400" Source="Microsoft-Windows-AppXDeployment-Server">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='DeploymentOperation']" cchMatch="1" Match="2"/>
  <CrimsonData Id="935" XPath="Event/EventData/Data[@Name='PackageFullName']" />
</EventRule>
<EventRule Id="506" LogId="18" EventId="400" Source="Microsoft-Windows-AppXDeployment-Server">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='DeploymentOperation']" cchMatch="1" Match="3"/>
  <CrimsonData Id="936" XPath="Event/EventData/Data[@Name='PackageFullName']" />
</EventRule>
<EventRule Id="507" LogId="18" EventId="401" Source="Microsoft-Windows-AppXDeployment-Server">
  <CrimsonData Id="938" XPath="Event/EventData/Data[@Name='DeploymentOperation']" />
  <CrimsonData Id="939" XPath="Event/EventData/Data[@Name='PackageFullName']" />
  <CrimsonData Id="940" XPath="Event/EventData/Data[@Name='ErrorCode']" />
</EventRule>
<!-- LogId is -1 only for RAC_PS_ETW_PROVIDER in this part of the file;
     presumably the source is not tied to a numbered log (TODO confirm). -->
<EventRule Id="508" LogId="-1" EventId="11" Source="RAC_PS_ETW_PROVIDER" />
<EventRule Id="509" LogId="-1" EventId="12" Source="RAC_PS_ETW_PROVIDER" />
<!-- AppHost event 112: rule 510 and rule 522 (further down) match the same
     string FFFFFFFB on param4 and list the same fields, but differ in cchMatch
     (-2 here, 8 in rule 522). NOTE(review): the meaning of a negative cchMatch
     is not shown in this file; confirm that both rules are intended. -->
<EventRule Id="510" LogId="19" EventId="112" Source="Microsoft-Windows-AppHost">
  <CrimsonMatch XPath="Event/UserData/WWAJSERacReportEvent/param4" cchMatch="-2" Match="FFFFFFFB"/>
  <CrimsonData Id="941" XPath="Event/UserData/WWAJSERacReportEvent/param1" />
  <CrimsonData Id="942" XPath="Event/UserData/WWAJSERacReportEvent/PID" />
  <CrimsonData Id="943" XPath="Event/UserData/WWAJSERacReportEvent/ProcessCreationTime" />
  <CrimsonData Id="945" XPath="Event/UserData/WWAJSERacReportEvent/ApplicationBinaryPath" PIIFilter="0x13" />
  <CrimsonData Id="946" XPath="Event/UserData/WWAJSERacReportEvent/param2" />
  <CrimsonData Id="947" XPath="Event/UserData/WWAJSERacReportEvent/param3" />
  <CrimsonData Id="948" XPath="Event/UserData/WWAJSERacReportEvent/param4" />
  <CrimsonData Id="959" XPath="Event/UserData/WWAJSERacReportEvent/ReportId" PIIFilter="0x10000" />
</EventRule>
<!-- Rules 511 and 512 only match on TargetState 6 and list no data fields. -->
<EventRule Id="511" LogId="0" EventId="1" Source="Microsoft-Windows-Power-Troubleshooter">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="6" />
</EventRule>
<EventRule Id="512" LogId="0" EventId="42" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='TargetState']" cchMatch="1" Match="6" />
</EventRule>
<EventRule Id="513" LogId="18" EventId="400" Source="Microsoft-Windows-AppXDeployment-Server">
  <CrimsonMatch XPath="Event/EventData/Data[@Name='DeploymentOperation']" cchMatch="1" Match="6"/>
  <CrimsonData Id="949" XPath="Event/EventData/Data[@Name='PackageFullName']" />
</EventRule>
<!-- CodeIntegrity 3002: FileNameBuffer is listed without a PIIFilter, whereas
     ApplicationBinaryPath (rules 510, 522) and ProcessName (rules 484, 530)
     carry one. NOTE(review): a file name can embed a user profile path;
     confirm the missing filter is intended. -->
<EventRule Id="518" LogId="20" EventId="3002" Source="Microsoft-Windows-CodeIntegrity">
  <CrimsonData Id="950" XPath="Event/EventData/Data[@Name='FileNameLength']" />
  <CrimsonData Id="951" XPath="Event/EventData/Data[@Name='FileNameBuffer']" />
</EventRule>
<!-- SetupPlatform 2005: data Ids 807 to 813 fall outside the surrounding 9xx
     range and Id 811 is not present. The Name values contain spaces and are
     matched literally by the XPath predicates. -->
<EventRule Id="521" LogId="0" EventId="2005" Source="Microsoft-Windows-SetupPlatform">
  <CrimsonData Id="807" XPath="Event/EventData/Data[@Name='Installation choice']" />
  <CrimsonData Id="808" XPath="Event/EventData/Data[@Name='Host OS Major version']" />
  <CrimsonData Id="809" XPath="Event/EventData/Data[@Name='Host OS Minor version']" />
  <CrimsonData Id="810" XPath="Event/EventData/Data[@Name='Host OS Build number']" />
  <CrimsonData Id="812" XPath="Event/EventData/Data[@Name='Host OS Service pack major number']" />
  <CrimsonData Id="813" XPath="Event/EventData/Data[@Name='Host OS Service pack minor number']" />
</EventRule>
<EventRule Id="522" LogId="19" EventId="112" Source="Microsoft-Windows-AppHost">
  <CrimsonMatch XPath="Event/UserData/WWAJSERacReportEvent/param4" cchMatch="8" Match="FFFFFFFB"/>
  <CrimsonData Id="952" XPath="Event/UserData/WWAJSERacReportEvent/param1" />
  <CrimsonData Id="953" XPath="Event/UserData/WWAJSERacReportEvent/PID" />
  <CrimsonData Id="954" XPath="Event/UserData/WWAJSERacReportEvent/ProcessCreationTime" />
  <CrimsonData Id="955" XPath="Event/UserData/WWAJSERacReportEvent/ApplicationBinaryPath" PIIFilter="0x13" />
  <CrimsonData Id="956" XPath="Event/UserData/WWAJSERacReportEvent/param2" />
  <CrimsonData Id="957" XPath="Event/UserData/WWAJSERacReportEvent/param3" />
  <CrimsonData Id="958" XPath="Event/UserData/WWAJSERacReportEvent/param4" />
  <CrimsonData Id="960" XPath="Event/UserData/WWAJSERacReportEvent/ReportId" PIIFilter="0x10000" />
</EventRule>
<EventRule Id="528" LogId="0" EventId="506" Source="Microsoft-Windows-Kernel-Power">
  <CrimsonData Id="966" XPath="Event/EventData/Data[@Name='Reason']" />
</EventRule>
<EventRule Id="529" LogId="21" EventId="5500" Source="Microsoft-Windows-OOBE-Machine-DUI" />
<!-- Microsoft-Windows-Ntfs 141 and 142: volume identity and free-space fields.
     Only ProcessName (rule 530) carries a PIIFilter; VolumeGuid and VolumeName
     are listed without one. -->
<EventRule Id="530" LogId="22" EventId="141" Source="Microsoft-Windows-Ntfs">
  <CrimsonData Id="967" XPath="Event/EventData/Data[@Name='VolumeGuid']" />
  <CrimsonData Id="968" XPath="Event/EventData/Data[@Name='VolumeNameLength']" />
  <CrimsonData Id="969" XPath="Event/EventData/Data[@Name='VolumeName']" />
  <CrimsonData Id="970" XPath="Event/EventData/Data[@Name='ProcessNameLength']" />
  <CrimsonData Id="971" XPath="Event/EventData/Data[@Name='ProcessName']" PIIFilter="0x13" />
  <CrimsonData Id="972" XPath="Event/EventData/Data[@Name='IsBootVolume']" />
  <CrimsonData Id="973" XPath="Event/EventData/Data[@Name='FreeSpaceInBytes']" />
  <CrimsonData Id="974" XPath="Event/EventData/Data[@Name='PageFileSizeInBytes']" />
</EventRule>
<EventRule Id="531" LogId="22" EventId="142" Source="Microsoft-Windows-Ntfs">
  <CrimsonData Id="975" XPath="Event/EventData/Data[@Name='VolumeGuid']" />
  <CrimsonData Id="976" XPath="Event/EventData/Data[@Name='VolumeNameLength']" />
  <CrimsonData Id="977" XPath="Event/EventData/Data[@Name='VolumeName']" />
  <CrimsonData Id="978" XPath="Event/EventData/Data[@Name='LowestFreeSpaceInBytes']" />
  <CrimsonData Id="979" XPath="Event/EventData/Data[@Name='HighestFreeSpaceInBytes']" />
  <CrimsonData Id="980" XPath="Event/EventData/Data[@Name='IsBootVolume']" />
  <CrimsonData Id="981" XPath="Event/EventData/Data[@Name='PageFileSizeInBytes']" />
</EventRule>
</EventRules>
<!-- GenericEvents: a list of FilterString names. Several look like Windows
     Error Reporting event-type names (APPCRASH, AppHang, BEX); how the
     consuming agent uses the list is not defined in this file (TODO confirm).
     The list continues after this point. -->
<GenericEvents>
  <FilterString Name="APPCRASH" />
  <FilterString Name="APPCRASH64" />
  <FilterString Name="AppHang" />
  <FilterString Name="AppHangB1" />
  <FilterString Name="AppHangXProcB1" />
  <FilterString Name="AutoVerifier" />
  <FilterString Name="AutoVerifierV2" />
  <FilterString Name="BEX" />
  <FilterString Name="BEX64" />
  <FilterString Name="clr20r2" />
  <FilterString Name="clr20r3" />
  <FilterString Name="Crash32" />
  <FilterString Name="DynaCrash32" />
  <FilterString Name="FaultTolerantHeap" />
  <FilterString Name="InPageError" />
  <FilterString Name="KernelHang" />
  <FilterString Name="KernelHangB1" />
  <FilterString Name="MoAppCrash" />
  <FilterString Name="MoAppHang" />
  <FilterString Name="MoAppHangXProc" />
  <FilterString Name="MoAutoVerifier" />
  <FilterString Name="MoBEX" />
  <FilterString Name="MsSearchTerminateProcess" />
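<!-- Remaining GenericEvents filter names; the list opens earlier in the file. -->
<FilterString Name="NXInfo" />
<FilterString Name="OfficeLifeBoatHang" />
<FilterString Name="OfficeReportException" />
<FilterString Name="ServiceHang" />
<FilterString Name="VSAppVerifier" />
<FilterString Name="WWAJSE" />
<FilterString Name="PnpDeviceProblemCode" />
<FilterString Name="PnpDriverImportError" />
<FilterString Name="PnpDriverInstallError" />
<FilterString Name="PnpDriverNotFound" />
<FilterString Name="PnpGenericDriverFound" />
<FilterString Name="PnpRequestAdditionalSoftware" />
<FilterString Name="RADAR_LEAK_32" />
<FilterString Name="RADAR_LEAK_64" />
<FilterString Name="RADAR_LEAK_WOW64" />
<FilterString Name="RADAR_PRE_LEAK_32" />
<FilterString Name="RADAR_PRE_LEAK_64" />
<FilterString Name="RADAR_PRE_LEAK_WOW64" />
</GenericEvents>
<!-- The lists below are plain FilterString collections. The file does not say
     how a match is handled; presumably the agent uses them when classifying or
     scrubbing collected strings (TODO confirm against the consuming component). -->

<!-- URI scheme prefixes, each including the trailing colon. -->
<Protocols>
  <FilterString Name="http:" />
  <FilterString Name="https:" />
  <FilterString Name="ftp:" />
  <FilterString Name="mailto:" />
  <FilterString Name="ldap:" />
  <FilterString Name="file:" />
  <FilterString Name="news:" />
  <FilterString Name="gopher:" />
  <FilterString Name="telnet:" />
  <FilterString Name="data:" />
</Protocols>
<!-- File extensions, written without the leading dot; all are executable,
     driver, installer or system-resource types. -->
<FileExtensions>
  <FilterString Name="386" />
  <FilterString Name="sys" />
  <FilterString Name="drv" />
  <FilterString Name="inf" />
  <FilterString Name="exe" />
  <FilterString Name="dll" />
  <FilterString Name="msi" />
  <FilterString Name="msp" />
  <FilterString Name="msu" />
  <FilterString Name="nfo" />
  <FilterString Name="ocx" />
  <FilterString Name="pnf" />
  <FilterString Name="rll" />
  <FilterString Name="cpl" />
  <FilterString Name="msc" />
  <FilterString Name="mui" />
  <FilterString Name="cpi" />
  <FilterString Name="nls" />
  <FilterString Name="efi" />
  <FilterString Name="ax" />
  <FilterString Name="scr" />
</FileExtensions>
<!-- Service name prefixes, upper case. Most entries end in a separator
     ("$", "_", "(") and look like the fixed part of per-instance service
     names (for example MSSQL$ followed by an instance name).
     NOTE(review): GRAYPIGEON is also the name of a known remote-access-trojan
     family; a service with that prefix on a host is worth checking with
     endpoint tooling. What the agent does on a match is not visible here. -->
<ServiceNames>
  <FilterString Name="ADAM_" />
  <FilterString Name="AGRESSO 5_5 SERVER -" />
  <FilterString Name="ASANYS_" />
  <FilterString Name="BTSSVC$" />
  <FilterString Name="FAH@" />
  <FilterString Name="FIREBIRDGUARDIAN" />
  <FilterString Name="FIREBIRDSERVER" />
  <FilterString Name="FVBS_ASS_" />
  <FilterString Name="GRAYPIGEON" />
  <FilterString Name="GUPTA SQLBASE" />
  <FilterString Name="IT IONA_SERVICES_" />
  <FilterString Name="LOTUS DOMINO SERVER (" />
  <FilterString Name="MSFTESQL$" />
  <FilterString Name="MSOLAP$" />
  <FilterString Name="MSSQL$" />
  <FilterString Name="NS$" />
  <FilterString Name="ORACLEDBCONSOLE" />
  <FilterString Name="ORACLESERVICE" />
  <FilterString Name="PHLINGMYPC_" />
  <FilterString Name="REPORTSERVER$" />
  <FilterString Name="SQLAGENT$" />
  <FilterString Name="SQLANYS_" />
  <FilterString Name="SYBBCK" />
  <FilterString Name="SYBMON" />
  <FilterString Name="SYBSQL" />
</ServiceNames>
<MSIApplications>
  <FilterString Name="INSTALLAWARE LICENSING" />
</MSIApplications>
<!-- Plug and Play device-instance prefixes. The ampersand in the two USBSTOR
     entries is written as an entity reference: a bare ampersand inside an
     attribute value is not well-formed XML and a conforming parser rejects
     the whole document. The parsed value is unchanged. -->
<PnPPrefixIdentifiers>
  <FilterString Name="UUID:" />
  <FilterString Name="IDE\DISK" />
  <FilterString Name="FTDIBUS\VID_0403+PID_" />
  <FilterString Name="ACTIVESYNCWPDENUMERATOR\UMB" />
  <FilterString Name="WPDBUSENUMROOT\UMB" />
  <FilterString Name="USBSTOR\DISK&amp;VEN_" />
  <FilterString Name="USBSTOR\CDROM&amp;VEN_" />
</PnPPrefixIdentifiers>
<!-- Present but empty: no process is excluded by this file. -->
<ProcessExclusionList>
</ProcessExclusionList>
</EventCollectionRules>
</RacRules>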