I'm running AppLocker and would like to filter out some noise from the events being logged in Event Viewer using XPath. Specifically, I want to hide any events which related to CMD.exe

Here's an example entry I want to get rid of:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" /> 
        <TimeCreated SystemTime="2014-05-29T05:47:09.625405200Z" /> 
        <Correlation /> 
        <Execution ProcessID="1108" ThreadID="2652" /> 
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel> 
        <Security UserID="S-1-5-21-123456789-123456789-123456789-123456" /> 
        <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/">

I want something to the effect of: Hide event if FilePath is equal to "%SYSTEM32%\CMD.EXE"

I've tried something along the line of:

  <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
    <Suppress Path="Microsoft-Windows-AppLocker/EXE and DLL">*[UserData[FileAndFileData[FilePath = '%SYSTEM32%\CMD.EXE' ]]]</Suppress>

But this doesn't seem to do anything. I've been looking at random XPath examples online (including similar questions on Server Fault), but most are written when the XML in question is listed under "EventData" instead of "UserData", and the target tag is directly under that EventData, and not below yet another tag (in this example 'RuleAndFileData').

Has anyone got an example XPath code I could give a go?



It looks like you have used the wrong XPath tag in the suppress section; check your code for any errors.





Resurrecting an old question, but as I struggled with the same problem today, I might as well document my findings for future reference.

The correct syntax for filtering events on a nested element is to use a forward slash (/) as the path separator:


Multiple expressions can be combined simply by concatenating them. For example, this will perform logical AND with the two expressions:

*[System[(Level=1 or Level=2 or Level=3)]][UserData/RuleAndFileData[FilePath='%SYSTEM32%\CMD.EXE']]

In the following example, Query Id 1 will select all Information events from the "EXE and DLL" log where FilePath is "%SYSTEM32%\CMD.EXE" and RuleName is not "(Default Rule) All files". Only one EventID, 8002, will match, because the other IDs are actually Information events from other AppLocker logs. The "TimeCreated" part is optional, as is either one of its boundaries, but it is included here for syntax reference.

Query Id 2 uses the timediff() function to select from the "MSI and Script" log the Warning events that occurred during the past 7 days (604800000 milliseconds). Again, only one EventID, 8006, will match, because the other EventIDs do not exist in that log. Microsoft's Filter XPath 1.0 Extensions has documentation for timediff: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/4533bef3-5a74-4a72-a03a-7fd5c1470554

  <QueryList>
    <Query Id="1">
      <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(EventID=8002 or EventID=8005 or EventID=8020 or EventID=8023) and TimeCreated[@SystemTime &gt;= '0001-01-01T00:00:00.0000000Z' and @SystemTime &lt;= '9999-12-31T21:59:59.9999999Z']]][UserData/RuleAndFileData[FilePath='%SYSTEM32%\CMD.EXE']]</Select>
      <Suppress Path="Microsoft-Windows-AppLocker/EXE and DLL">*[UserData/RuleAndFileData[RuleName='(Default Rule) All files']]</Suppress>
    </Query>
    <Query Id="2">
      <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[(EventID=8003 or EventID=8006 or EventID=8021 or EventID=8024) and TimeCreated[timediff(@SystemTime) &lt; 604800000]]]</Select>
    </Query>
  </QueryList>

According to Windows Event Log Query Schema, Id and Path attributes of the Query element are optional. https://docs.microsoft.com/en-us/windows/win32/wes/queryschema-schema

It's also worth noting that Windows Event Log does not support wildcards in attribute values, nor does it support XPath's contains() function. Wildcards are supported in the node path only. Thus if you want to do substring filtering, you must do it after the query, e.g. in PowerShell. https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events

XPath 1.0 Limitations:

Windows Event Log supports a subset of XPath 1.0. There are limitations to what functions work in the query. For instance, you can use the "position", "Band", and "timediff" functions within the query but other functions like "starts-with" and "contains" are not currently supported.

More examples and information about Event Log XPath syntax can be found at Consuming Events (Windows Event Log) page: https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events

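The same query run from PowerShell rather than the Event Viewer dialog, as an added example that is not part of either answer above. It uses the slash-separated UserData/RuleAndFileData path and a Suppress clause to drop cmd.exe, then does the substring filtering that the Event Log XPath subset cannot do (no contains(), no wildcards in values) on the client side. It assumes AppLocker is enabled so that the "Microsoft-Windows-AppLocker/EXE and DLL" log contains 8002/8003/8004 events; the 7-day window and the user-writable path patterns at the end are illustrative choices.

```powershell
# Added example, not code from the original question or answers.
# Assumes AppLocker auditing or enforcement is on, so the EXE and DLL log
# carries 8002 (allowed), 8003 (audit: would have been blocked) and
# 8004 (blocked) events.

$lookbackMs = 7 * 24 * 60 * 60 * 1000   # 604800000 ms = past 7 days

# Nested elements are addressed with '/', so UserData/RuleAndFileData reaches
# the AppLocker payload. The Suppress clause drops cmd.exe; the question's
# *[UserData[FileAndFileData[...]]] could never match (wrong element name).
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">
      *[System[(EventID=8002 or EventID=8003 or EventID=8004)
        and TimeCreated[timediff(@SystemTime) &lt;= $lookbackMs]]]
    </Select>
    <Suppress Path="Microsoft-Windows-AppLocker/EXE and DLL">
      *[UserData/RuleAndFileData[FilePath='%SYSTEM32%\CMD.EXE']]
    </Suppress>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

# Project each record to the fields worth triaging. PowerShell's [xml]
# adapter ignores the payload namespace, so plain dotted access works.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id        # 8002 allowed, 8003 audit-only, 8004 blocked
        User     = $e.UserId    # SID of the account that launched the file
        FilePath = $d.FilePath
        FileHash = $d.FileHash
        Rule     = $d.RuleName
    }
}

# Substring / wildcard matching has to happen here: the Event Log XPath
# subset rejects contains() and starts-with(), and allows wildcards only in
# the node path, never in element or attribute values. Illustrative filter:
# anything launched from a user-writable location.
$rows |
    Where-Object { $_.FilePath -like '%OSDRIVE%\USERS\*' -or $_.FilePath -like '%TEMP%*' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Because the XPath runs inside the Event Log service, keep as much as possible (EventID, time window, exact FilePath suppression) in the FilterXml and leave only the substring tests to Where-Object; that keeps the number of records pulled across the API small on a busy log. The same $filterXml string can be pasted into the "XML" tab of Event Viewer's custom view dialog once the $lookbackMs placeholder is replaced with its literal value.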