Windows event log query for domain joined network connection

This Windows Event Viewer query looks through the Network Profile/Operational log for network connection events (EventID=10000) where the “Category” equals “2”, which equates to “Domain Authenticated”. The neat part about this XML query is that it looks into the event details for additional criteria, which isn’t available through the filter GUI.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[(EventID=10000)]] and *[EventData[Data[@Name='Category']='2']]</Select>
  </Query>
</QueryList>

I use it as the custom query trigger for a scheduled task that initiates a few actions each time the computer is powered on/woken up while on the domain network, or has its network connection reestablished. A similar query without the Category=2 criterion would be triggered twice each time the computer is powered on: once when the network connection is established but on the public firewall profile (or something like that), and a second time when the connection changes to use the domain firewall profile (again, I’m not exactly clear).
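To check which connection events the Category=2 trigger would fire on, the following PowerShell (an added example, not part of the original post) lists recent EventID 10000 events with their Category value. It assumes the event's `Name` data field holds the network name and that Category 0 and 1 mean Public and Private; only Category 2 = Domain Authenticated comes from the page.

```powershell
# Added example: show recent "network connected" events (EventID 10000)
# and flag the ones a Category=2 (Domain Authenticated) trigger would match.

# Assumption: 0/1 labels are taken from the Windows network category values;
# the page itself only states that 2 = Domain Authenticated.
$categoryNames = @{ '0' = 'Public'; '1' = 'Private'; '2' = 'Domain Authenticated' }

# Same log and EventID as the query above, but without the Category criterion,
# so both firings after a power-on are visible side by side.
$allConnects = [xml]@'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[(EventID=10000)]]</Select>
  </Query>
</QueryList>
'@

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = Get-WinEvent -FilterXml $allConnects -MaxEvents 20 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the <EventData><Data Name="...">value</Data> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.InnerText
    }

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Network      = $data['Name']        # assumed field name
        Category     = $data['Category']
        Profile      = $categoryNames[$data['Category']]
        WouldTrigger = ($data['Category'] -eq '2')
    }
}

if ($rows) {
    $rows | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Output 'No EventID 10000 entries found in Microsoft-Windows-NetworkProfile/Operational.'
}
```

If a domain connection produces no row at all, the event was never logged and the scheduled task trigger has nothing to match.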

For a good explanation of how to construct custom queries with examples, see the TechNet blog post “Advanced XML filtering in the Windows Event Viewer”.

2 thoughts on “Windows event log query for domain joined network connection”

  1. Alexe

    I have tried the query, strangely it doesn't work when I turn the computer on and let it be for several minutes and then connect to domain, the event ID will not be generated.

    If I connect to domain (via VPN) immediately then the event ID will be generated, any ideas?
