Event Viewer Filter Error 0X00003AAD Fix
ERROR_EVT_FILTER_UNEXPECTEDTOKEN means your Event Viewer filter has a typo or bad syntax. Fix the filter query and it goes away.
When You'll See This Error
You're in Event Viewer, trying to create a custom filter or modify an existing one. Maybe you're filtering by Event ID 4625 (failed logins) or looking for specific error codes. You type your filter, click OK, and instead of getting results, you get: ERROR_EVT_FILTER_UNEXPECTEDTOKEN (0X00003AAD). The dialog might say something like "The token encountered was unexpected." This pops up most often when you've manually typed an XML filter or copied one from a forum post that had a typo.
What Caused It (Plain English)
Windows Event Viewer uses an XML-based query language to filter events. When you create a custom filter, you're really building an XML snippet. If that XML has a syntax mistake—a missing bracket, a misspelled attribute, or an extra character—Windows can't parse it. It hits the unexpected token and throws error 0X00003AAD. The biggest culprit is a mismatched closing tag or an attribute value that's not wrapped in quotes.
Think of it like a typo in a search box: if you type "EventID == 4625" instead of "EventID = 4625", the search engine chokes. Same deal here.
How to Fix It (Step by Step)
Step 1: Close the Error and Reopen the Filter
Click OK on the error. Then in Event Viewer, right-click the custom view (or the log you're filtering) and choose Properties. Don't click "Create Custom View" again—you'll lose your changes.
After this step: You should see the Filter tab with your broken query still loaded.
Step 2: Switch to the XML Tab
In the Filter tab, at the bottom, there's a button labeled XML. Click it. Event Viewer will warn you that editing the XML directly might break things. Click Yes to proceed.
After this step: You'll see the raw XML query. It'll look something like this:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4625]]</Select>
  </Query>
</QueryList>
Step 3: Spot the Error
Look for these common problems:
- Missing closing tag: <Select...> without </Select> at the end.
- Extra characters: A stray bracket or slash that doesn't belong.
- Unquoted attribute values: Like Path=Security instead of Path="Security".
- Wrong operator: Using == instead of = in the XPath expression.
If you copied this from a third-party site, check their example against the official Microsoft documentation. I've seen forums use dashes or weird Unicode characters that don't work.
After this step: You should have a clear idea of what's wrong. If not, skip to Step 5.
Step 4: Correct the XML
Fix the error you found. For example, if your XML had:
<Select Path="Security>*[System[EventID=4625]]</Select>
That's missing a closing quote after "Security". Change it to:
<Select Path="Security">*[System[EventID=4625]]</Select>
If you're unsure what the correct format should be, start from scratch: click Clear to delete the XML, then go back to the Filter tab and rebuild your filter using the GUI. That way Windows generates correct XML for you.
After this step: Click OK to save. If the XML is valid, the error disappears and your filter works.
Step 5: Validate Without the Custom View
If you can't fix the XML, delete the broken custom view entirely. In Event Viewer, right-click the custom view under Custom Views and select Delete. Then create a fresh one from scratch using only the GUI (Filter tab), not the XML tab.
After this step: The error should not appear because you're using clean, auto-generated XML.
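The checks listed in Step 3 can be run on a filter before it is pasted into the XML tab. The PowerShell function below is an added example, not part of the original article; the name Test-EventFilterXml and its -Live switch are hypothetical, and -Live assumes the session is allowed to read the log the query targets.

```powershell
# Added example (not from the original article): lint filter XML before saving it.
function Test-EventFilterXml {
    param(
        [Parameter(Mandatory)][string]$FilterXml,
        [switch]$Live   # hypothetical switch: also submit the query to the event log service
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Typographic quotes and dashes copied from web pages are not query syntax.
    foreach ($m in [regex]::Matches($FilterXml, '[\u2018\u2019\u201C\u201D\u2013\u2014]')) {
        $problems.Add(('Typographic character U+{0:X4} at offset {1}' -f [int][char]$m.Value, $m.Index))
    }

    # Well-formedness: unclosed tags, unquoted or unterminated attribute values.
    $doc = [System.Xml.XmlDocument]::new()
    try { $doc.LoadXml($FilterXml) }
    catch {
        $e = $_.Exception.GetBaseException()   # unwrap to the underlying XmlException
        $problems.Add(('Not well-formed (line {0}, position {1}): {2}' -f $e.LineNumber, $e.LinePosition, $e.Message))
        return $problems
    }

    # XPath text inside <Select>/<Suppress>: '==' is not an operator; brackets must pair up.
    foreach ($node in $doc.SelectNodes('//Select | //Suppress')) {
        $xpath = $node.InnerText
        if ($xpath.Contains('==')) { $problems.Add("'==' used instead of '=': $xpath") }
        $open  = [regex]::Matches($xpath, '\[').Count
        $close = [regex]::Matches($xpath, '\]').Count
        if ($open -ne $close) { $problems.Add("Unbalanced brackets ($open '[' vs $close ']'): $xpath") }
    }

    if ($Live -and $problems.Count -eq 0) {
        try { $null = Get-WinEvent -FilterXml $doc -MaxEvents 1 -ErrorAction Stop }
        catch {
            # A valid query that simply matches nothing is not a syntax problem.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                $problems.Add("Rejected by the event log service: $($_.Exception.Message)")
            }
        }
    }
    return $problems
}

# Constructed sample: the broken <Select> from Step 4 (missing closing quote).
$broken = '<QueryList><Query Id="0" Path="Security"><Select Path="Security>*[System[EventID=4625]]</Select></Query></QueryList>'
Test-EventFilterXml -FilterXml $broken
```

An empty result means none of these checks fired; it does not guarantee that Event Viewer will accept the query.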
If It Still Fails
Two things to check. First, make sure you're not running Event Viewer as a restricted user who can't modify views. Right-click Event Viewer and choose Run as administrator, then try again.
Second, corruption in the Windows event log store can cause weird behavior. Open an admin Command Prompt and run:
wevtutil gl Security
If it returns gibberish or an error, you might need to clear the Security log. Run wevtutil cl Security (this removes all security events, so do it only if you're okay losing that history). After clearing, reboot and recreate your filter.
I've seen this error once when a user had a huge number of custom views (over 50). Cleaning out old ones fixed it. If nothing else works, check if you have too many custom views and delete a few.