Forum Discussion

EllaHarris's avatar
EllaHarris
Copper Contributor
Aug 01, 2024

USB Device Task Trigger

I need guidance on creating an XML filter that will activate a task whenever a UNIQUE USB drive is connected. Despite several attempts, integrating the LifetimeID and InstanceID components has proven challenging. How should I update the XML code to include these identifiers?

 

Original XML:

<QueryList>

<Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">

<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[Provider[@Name='Microsoft-Windows-DriverFrameworks-UserMode'] and EventID=2101]] and *[UserData[UMDFHostDeviceRequest[InstanceID=SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_LUXE&REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"]]]]</Select>

</Query>

</QueryList>

 

Complete Event Log:

XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" />

<EventID>2101</EventID>

<Version>1</Version>

<Level>4</Level>

<Task>37</Task>

<Opcode>2</Opcode>

<Keywords>0x8000000000000000</Keywords>

<TimeCreated SystemTime="2023-12-23T23:57:41.981685900Z" />

<EventRecordID>14</EventRecordID>

<Correlation />

<Execution ProcessID="2632" ThreadID="10192" />

<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>

<Computer>KARC</Computer>

<Security UserID="S-1-5-19" />

</System>

<UserData>

<UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">

<LifetimeId>{bb9ecb99-c430-4a39-89b7-f197286b362d}</LifetimeId>

<InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_LUXE&REV_1.00#0401541BBF5130DCEB261125DABC6ADAC9E64C0769F7BCA89389DE7F531B9A4#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId>

<RequestMajorCode>27</RequestMajorCode>

<RequestMinorCode>9</RequestMinorCode>

<Argument1>0x2c000010040</Argument1>

<Argument2>0xffffffffffffffff</Argument2>

<Argument3>0x100000000</Argument3>

<Argument4>0x400000004</Argument4>

<Status>0</Status>

</UMDFHostDeviceRequest>

</UserData>

</Event>

No RepliesBe the first to reply

Resources