Yikes, this is something I should have figured out years ago, but never did. I’m talking about customized views in Windows Event Viewer. Thinking back, I guess I just always filtered on the fly and never bothered to do anything more.
But, today was the day I decided to do some searching to find a way to hone in on a specific faulting application, and be able to keep checking on it.
Background
I run Windows 10 on work and home machines and use WSL2/Terminal/Ubuntu as my main command line environment. Occasionally, my work laptop would reboot on its own overnight. These reboots correlated with wslservice.exe faulting.
I found the correlation in the Application event logs just by searching for errors, like I had always done. I saw no application fault errors when I initiated a reboot, with or without Ubuntu running, so I figured the service might be the culprit.
Since I had the desire to rebuild my Ubuntu host, I figured I’d just start fresh and learn a bit about building up the command line environment. So, I wiped all the tools from the system and reinstalled them (learned a ton, BTW). Time passed and all was well, for a bit, until I noticed another reboot this morning.
So, I went back to Event Viewer to see if wslservice.exe had faulted again, and thought to myself, “It would be nice if it was easy to find again.”
Old Docs to the Rescue
After a quick search of the internet, I landed here: Microsoft Learn Docs
Using their instructions, I was able to create a custom filter that looks for errors and the exact faulting application name, with the following XPath query:
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">
*[System[Provider[@Name='Application Error'] and (Level=2)] and
EventData[Data and (Data='wslservice.exe')]]
</Select>
</Query>
</QueryList>
The first line of the query is to look for events that are errors.
The second line locates the specific string name of the application in the EventData body of the event.