Forum Discussion
USB Device Task Trigger
I need guidance on creating an XML filter that will activate a task whenever a UNIQUE USB drive is connected. Despite several attempts, integrating the LifetimeID and InstanceID components has proven challenging. How should I update the XML code to include these identifiers?
Original XML:
<QueryList>
<Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[Provider[@Name='Microsoft-Windows-DriverFrameworks-UserMode'] and EventID=2101]] and *[UserData[UMDFHostDeviceRequest[InstanceID=SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_LUXE&REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"]]]]</Select>
</Query>
</QueryList>
Complete Event Log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" />
<EventID>2101</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>37</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2023-12-23T23:57:41.981685900Z" />
<EventRecordID>14</EventRecordID>
<Correlation />
<Execution ProcessID="2632" ThreadID="10192" />
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>KARC</Computer>
<Security UserID="S-1-5-19" />
</System>
<UserData>
<UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
<LifetimeId>{bb9ecb99-c430-4a39-89b7-f197286b362d}</LifetimeId>
<InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_LUXE&REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId>
<RequestMajorCode>27</RequestMajorCode>
<RequestMinorCode>9</RequestMinorCode>
<Argument1>0x2c000010040</Argument1>
<Argument2>0xffffffffffffffff</Argument2>
<Argument3>0x100000000</Argument3>
<Argument4>0x400000004</Argument4>
<Status>0</Status>
</UMDFHostDeviceRequest>
</UserData>
</Event>
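The following Python is an added example, not part of the original post. It reads the InstanceId from an exported event and writes a QueryList in which the element name is spelled InstanceId as in the event, the value is a quoted XPath string, and each & is written as &amp;amp; in the XML. The sample event is a trimmed copy of the one posted; matching on InstanceId alone, with LifetimeId left out, is an assumption (it is taken to change per connection session).

```python
import xml.etree.ElementTree as ET

CHANNEL = "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
PROVIDER = "Microsoft-Windows-DriverFrameworks-UserMode"
UMDF_NS = "{http://www.microsoft.com/DriverFrameworks/UserMode/Event}"

# Constructed sample: the event from the post, trimmed, with '&' written as
# '&amp;' the way well-formed exported event XML carries it.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>2101</EventID></System>
<UserData>
<UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
<LifetimeId>{bb9ecb99-c430-4a39-89b7-f197286b362d}</LifetimeId>
<InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&amp;VEN_SANDISK&amp;PROD_ULTRA_LUXE&amp;REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId>
</UMDFHostDeviceRequest>
</UserData>
</Event>"""

def instance_id_from_event(event_xml):
    """Return the InstanceId text of a UMDF event (element names are case-sensitive)."""
    node = ET.fromstring(event_xml).find(f".//{UMDF_NS}InstanceId")
    if node is None or not node.text:
        raise ValueError("event has no InstanceId element")
    return node.text

def xpath_literal(value):
    """Quote a value as an XPath 1.0 string literal; XPath 1.0 has no escape syntax."""
    for quote in ("'", '"'):
        if quote not in value:
            return quote + value + quote
    raise ValueError("value contains both quote characters")

def build_query_list(instance_id, event_id=2101):
    """Build the QueryList for one device; ElementTree writes '&' as '&amp;'."""
    # Assumption: LifetimeId changes per connection session, so it is not
    # matched; only InstanceId identifies the device across insertions.
    select = (
        f"*[System[Provider[@Name='{PROVIDER}'] and EventID={int(event_id)}]]"
        f" and *[UserData[UMDFHostDeviceRequest[InstanceId={xpath_literal(instance_id)}]]]"
    )
    root = ET.Element("QueryList")
    query = ET.SubElement(root, "Query", Id="0", Path=CHANNEL)
    ET.SubElement(query, "Select", Path=CHANNEL).text = select
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_query_list(instance_id_from_event(SAMPLE_EVENT)))
```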