Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <ViewerConfig><QueryConfig><QueryParams><Simple><BySource>False</BySource><Channel>Application,Security,Setup,System,ForwardedEvents,HardwareEvents,Internet Explorer,Key Management Service,Media Center,Microsoft-Windows-API-Tracing/Operational,Microsoft-Windows-AppID/Operational,Microsoft-Windows-Application Server-Applications/Admin,Microsoft-Windows-Application Server-Applications/Operational,Microsoft-Windows-Application-Experience/Problem-Steps-Recorder,Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant,Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter,Microsoft-Windows-Application-Experience/Program-Inventory,Microsoft-Windows-Application-Experience/Program-Telemetry,Microsoft-Windows-AppLocker/EXE and DLL,Microsoft-Windows-AppLocker/MSI and Script,Microsoft-Windows-Audio/CaptureMonitor,Microsoft-Windows-Audio/Operational,Microsoft-Windows-Authentication/ProtectedUser-Client,Microsoft-Windows-Authentication User Interface/Operational,Microsoft-Windows-Backup,Microsoft-Windows-Biometrics/Operational,Microsoft-Windows-Bits-Client/Analytic,Microsoft-Windows-Bits-Client/Operational,Microsoft-Windows-Bluetooth-MTPEnum/Operational,Microsoft-Windows-BranchCache/Operational,Microsoft-Windows-BranchCacheSMB/Operational,Microsoft-Windows-CAPI2/Operational,Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational,Microsoft-Windows-CertPoleEng/Operational,Microsoft-Windows-CodeIntegrity/Operational,Microsoft-Windows-Compat-Appraiser/Operational,Microsoft-Windows-CorruptedFileRecovery-Client/Operational,Microsoft-Windows-CorruptedFileRecovery-Server/Operational,Microsoft-Windows-DateTimeControlPanel/Operational,Microsoft-Windows-DeviceSync/Operational,Microsoft-Windows-Dhcp-Client/Admin,Microsoft-Windows-Dhcp-Client/Operational,Microsoft-Windows-DhcpNap/Admin,Microsoft-Windows-DhcpNap/Operational,Microsoft-Windows-Dhcpv6-Client/Operational,Microsoft-Windows-Dhcpv6-Client/Admin,Microsoft-Windows-Diagnosis-DPS/Operational,Microsoft-Windows-Diagnosis-PCW/Operational,Microsoft-Windows-Diagnosis-PLA/Operational,Microsoft-Windows-Diagnosis-Scheduled/Operational,Microsoft-Windows-Diagnosis-Scripted/Admin,Microsoft-Windows-Diagnosis-Scripted/Operational,Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational,Microsoft-Windows-Diagnostics-Networking/Operational,Microsoft-Windows-Diagnostics-Performance/Operational,Microsoft-Windows-DiskDiagnostic/Operational,Microsoft-Windows-DiskDiagnosticDataCollector/Operational,Microsoft-Windows-DiskDiagnosticResolver/Operational,Microsoft-Windows-DisplayColorCalibration/Operational,Microsoft-Windows-DNS-Client/Operational,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-EapHost/Operational,Microsoft-Windows-EventCollector/Operational,Microsoft-Windows-Forwarding/Operational,Microsoft-Windows-Fault-Tolerant-Heap/Operational,Microsoft-Windows-FMS/Operational,Microsoft-Windows-Folder Redirection/Operational,Microsoft-Windows-GroupPolicy/Operational,Microsoft-Windows-Help/Operational,Microsoft-Windows-HomeGroup Control Panel/Operational,Microsoft-Windows-HomeGroup Provider Service/Operational,Microsoft-Windows-HomeGroup Listener Service/Operational,Microsoft-Windows-HttpService/Trace,Microsoft-Windows-International/Operational,Microsoft-Windows-International-RegionalOptionsControlPanel/Operational,Microsoft-Windows-Iphlpsvc/Operational,Microsoft-Windows-Kernel-EventTracing/Admin,Microsoft-Windows-Kernel-Power/Thermal-Operational,Microsoft-Windows-Kernel-StoreMgr/Operational,Microsoft-Windows-Kernel-WDI/Operational,Microsoft-Windows-Kernel-WHEA/Errors,Microsoft-Windows-Kernel-WHEA/Operational,Microsoft-Windows-Known Folders API Service,Microsoft-Windows-LanguagePackSetup/Operational,Microsoft-Windows-LSA/Operational,Microsoft-Windows-MCT/Operational,Microsoft-Windows-MemoryDiagnostics-Results/Debug,Microsoft-Windows-MSPaint/Admin,Microsoft-Windows-MUI/Admin,Microsoft-Windows-MUI/Operational,Microsoft-Windows-NCSI/Operational,Microsoft-Windows-NDIS/Operational,Microsoft-Windows-NetworkAccessProtection/Operational,Microsoft-Windows-NetworkAccessProtection/WHC,Microsoft-Windows-NetworkProfile/Operational,Microsoft-Windows-NlaSvc/Operational,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-OfflineFiles/Operational,Microsoft-Windows-ParentalControls/Operational,Microsoft-Windows-PeopleNearMe/Operational,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-NetworkLocationWizard/Operational,Microsoft-Windows-PrintService/Admin,Microsoft-Windows-PrintService/Operational,Microsoft-Windows-ReadyBoost/Operational,Microsoft-Windows-ReadyBoostDriver/Operational,Microsoft-Windows-Recovery/Operational,Microsoft-Windows-ReliabilityAnalysisComponent/Operational,Microsoft-Windows-RemoteApp and Desktop Connections/Admin,Microsoft-Windows-RemoteApp and Desktop Connections/Operational,Microsoft-Windows-RemoteAssistance/Admin,Microsoft-Windows-RemoteAssistance/Operational,microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin,Microsoft-Windows-Resource-Exhaustion-Detector/Operational,Microsoft-Windows-Resource-Exhaustion-Resolver/Operational,Microsoft-Windows-Resource-Leak-Diagnostic/Operational,Microsoft-Windows-RestartManager/Operational,Microsoft-Windows-Security-Audit-Configuration-Client/Operational,Microsoft-Windows-Security-IdentityListener/Operational,Microsoft-Windows-ServiceReportingApi/Debug,Microsoft-Windows-StickyNotes/Admin,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TerminalServices-RDPClient/Operational,Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin,Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational,Microsoft-Windows-TerminalServices-LocalSessionManager/Admin,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,Microsoft-Windows-TerminalServices-PnPDevices/Admin,Microsoft-Windows-TerminalServices-PnPDevices/Operational,Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin,Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,Microsoft-Windows-TZUtil/Operational,Microsoft-Windows-UAC/Operational,Microsoft-Windows-UAC-FileVirtualization/Operational,Microsoft-Windows-User Profile Service/Operational,Microsoft-Windows-VDRVROOT/Operational,Microsoft-Windows-VHDMP/Operational,Microsoft-Windows-WebIO-NDF/Diagnostic,Microsoft-Windows-WER-Diag/Operational,Microsoft-Windows-IKE/Operational,Microsoft-Windows-WFP/Operational,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC,Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity,Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose,Microsoft-Windows-WinRM/Operational,Microsoft-Windows-WindowsBackup/ActionCenter,Microsoft-Windows-WindowsColorSystem/Operational,Microsoft-Windows-WindowsSystemAssessmentTool/Operational,Microsoft-Windows-WindowsUpdateClient/Operational,Microsoft-Windows-WinHTTP-NDF/Diagnostic,Microsoft-Windows-Winlogon/Operational,Microsoft-Windows-Winsock-WS2HELP/Operational,Microsoft-Windows-Winsock-AFD/Operational,Microsoft-Windows-Wired-AutoConfig/Operational,Microsoft-Windows-WLAN-AutoConfig/Operational,Microsoft-Windows-Wordpad/Admin,Microsoft-Windows-WPD-ClassInstaller/Operational,Microsoft-Windows-WPD-CompositeClassDriver/Operational,Microsoft-Windows-WPD-MTPClassDriver/Operational,ODiag,OSession,Windows PowerShell</Channel><FromDate>635634468000000000</FromDate><Level>1,2,3,4,0,5</Level><ToDate>635634540109990000</ToDate><RelativeTimeInfo>6</RelativeTimeInfo></Simple></QueryParams><QueryNode><Name>eventidinotte</Name><QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Setup">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="ForwardedEvents">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="HardwareEvents">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Internet Explorer">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Key Management Service">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Media Center">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-API-Tracing/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-AppID/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application Server-Applications/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application-Experience/Problem-Steps-Recorder">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Audio/CaptureMonitor">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Audio/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Authentication/ProtectedUser-Client">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Authentication User Interface/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Backup">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Biometrics/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Bits-Client/Analytic">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Bits-Client/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Bluetooth-MTPEnum/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-BranchCache/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-BranchCacheSMB/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-CAPI2/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-CertPoleEng/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Compat-Appraiser/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-CorruptedFileRecovery-Client/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-CorruptedFileRecovery-Server/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DateTimeControlPanel/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DeviceSync/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Dhcp-Client/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DhcpNap/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Dhcpv6-Client/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-DPS/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-PCW/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-PLA/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-Scheduled/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-Scripted/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnostics-Networking/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DiskDiagnostic/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DiskDiagnosticDataCollector/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DiskDiagnosticResolver/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DisplayColorCalibration/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-EapHost/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-EventCollector/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Forwarding/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Fault-Tolerant-Heap/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-FMS/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Folder Redirection/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Help/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-HomeGroup Control Panel/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-HomeGroup Provider Service/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-HomeGroup Listener Service/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-HttpService/Trace">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-International/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-International-RegionalOptionsControlPanel/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Iphlpsvc/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Kernel-Power/Thermal-Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Kernel-StoreMgr/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Kernel-WDI/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Kernel-WHEA/Errors">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Kernel-WHEA/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Known Folders API Service">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-LanguagePackSetup/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-LSA/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-MCT/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-MemoryDiagnostics-Results/Debug">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-MSPaint/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-MUI/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-MUI/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NCSI/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NDIS/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NetworkAccessProtection/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NetworkAccessProtection/WHC">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NlaSvc/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NTLM/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-OfflineFiles/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-ParentalControls/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-PeopleNearMe/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-NetworkLocationWizard/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-PrintService/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-PrintService/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-ReadyBoost/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-ReadyBoostDriver/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Recovery/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-ReliabilityAnalysisComponent/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-RemoteAssistance/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-RemoteAssistance/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Resource-Exhaustion-Detector/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Resource-Exhaustion-Resolver/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Resource-Leak-Diagnostic/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-RestartManager/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Security-Audit-Configuration-Client/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Security-IdentityListener/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-ServiceReportingApi/Debug">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-StickyNotes/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-TZUtil/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-UAC/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-UAC-FileVirtualization/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-User Profile Service/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-VDRVROOT/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-VHDMP/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WebIO-NDF/Diagnostic">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WER-Diag/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-IKE/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WFP/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WinRM/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WindowsBackup/ActionCenter">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WindowsColorSystem/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WindowsSystemAssessmentTool/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WinHTTP-NDF/Diagnostic">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Winlogon/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Winsock-WS2HELP/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Winsock-AFD/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Wired-AutoConfig/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WLAN-AutoConfig/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-Wordpad/Admin">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WPD-ClassInstaller/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WPD-CompositeClassDriver/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Microsoft-Windows-WPD-MTPClassDriver/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="ODiag">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="OSession">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select><Select Path="Windows PowerShell">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2015-03-31T23:00:00.000Z' and @SystemTime<='2015-04-01T01:00:10.999Z']]]</Select></Query></QueryList></QueryNode></QueryConfig><ResultsConfig><Columns><Column Name="Livello" Type="System.String" Path="Event/System/Level" Visible="">182</Column><Column Name="Parole chiave" Type="System.String" Path="Event/System/Keywords">70</Column><Column Name="Data e ora" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">232</Column><Column Name="Origine" Type="System.String" Path="Event/System/Provider/@Name" Visible="">142</Column><Column Name="ID evento" Type="System.UInt32" Path="Event/System/EventID" Visible="">142</Column><Column Name="Categoria attività" Type="System.String" Path="Event/System/Task" Visible="">143</Column><Column Name="Utente" Type="System.String" Path="Event/System/Security/@UserID">50</Column><Column Name="Codice operativo" Type="System.String" Path="Event/System/Opcode">110</Column><Column Name="Registro" Type="System.String" Path="Event/System/Channel">80</Column><Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column><Column Name="ID processo" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column><Column Name="ID thread" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column><Column Name="ID processore" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column><Column Name="ID sessione" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column><Column Name="Tempo kernel" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column><Column Name="Tempo utente" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column><Column Name="Tempo processore" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column><Column Name="ID di correlazione" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column><Column Name="ID di correlazione relativo" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column><Column Name="Nome origine eventi" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column></Columns></ResultsConfig></ViewerConfig>
Add Comment
Please, Sign In to add comment
