Sysmon - Event filtering with & symbol error

  • Question

  • I'm using the very latest Sysmon v9.0.

    I've tried using & and the filter is not filtering it correctly.

    But, if I use & I'm receiving this error below. How do I go about escaping the &?

    The event log query specified is invalid.

    Here's the XML event filter I'm using:

      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">
          *[EventData[Data[@Name='Image'] = '\\\NAS Storage\Programs & Windows Apps\winutilityapp.exe']]
        </Select>
      </Query>

    Tuesday, May 28, 2019 9:14 PM
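A bare `&` inside the `<Select>` text is not well-formed XML, while `&amp;` parses and is decoded back to a literal `&` before the XPath is evaluated. The following is an added example, not part of the original post, that shows this with a plain XML parser. It reuses the channel name and image path from the question; the `<QueryList>` wrapper and the helper names `build_query` and `xpath_seen_by_parser` are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Path copied from the question above.
IMAGE = r"\\\NAS Storage\Programs & Windows Apps\winutilityapp.exe"


def build_query(image_path, escape_xml=True):
    """Return a QueryList document selecting Sysmon events by Image path."""
    if "'" in image_path:
        # An apostrophe would end the single-quoted XPath string literal early.
        raise ValueError("image path contains a single quote")
    xpath = f"*[EventData[Data[@Name='Image'] = '{image_path}']]"
    if escape_xml:
        # XML layer: & becomes &amp; (and < > become &lt; &gt;).
        xpath = escape(xpath)
    return (
        "<QueryList>\n"
        f'  <Query Id="0" Path="{CHANNEL}">\n'
        f'    <Select Path="{CHANNEL}">{xpath}</Select>\n'
        "  </Query>\n"
        "</QueryList>"
    )


def xpath_seen_by_parser(query_xml):
    """Parse the query as XML; return the decoded Select text, or None if malformed."""
    try:
        root = ET.fromstring(query_xml)
    except ET.ParseError:
        return None
    return root.find("./Query/Select").text


if __name__ == "__main__":
    for label, flag in (("raw &", False), ("&amp;", True)):
        query = build_query(IMAGE, escape_xml=flag)
        print(label, "->", xpath_seen_by_parser(query))
```

The parser check covers only the XML layer; whether the decoded string equals the Image value Sysmon recorded is a separate comparison.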

All replies