Fix ERROR_EVT_FILTER_ALREADYSCOPED (0X00003AA6) on Windows
This error hits when a Windows event filter is scoped twice. I'll show you how to clear it fast and stop it coming back.
What you're dealing with
You're staring at a cryptic error in Event Viewer—probably a custom view or a filtered log—and it says something about an event filter already being scoped. Yeah, it's annoying. But I've seen this on half a dozen client machines over the last year, and the fix is usually dead simple.
The fix: clear the offender with wevtutil
Open a Command Prompt as Administrator. Don't mess around with the GUI—it'll just frustrate you. Run this:
wevtutil gl "Application"
That lists the current configuration for the Application log. If the error is tied to a specific log (like System or Security), swap the name. But here's the real move: we need to clear the filter that's scoped twice. The problem is often in a custom view or a subscription. Run this to list all custom views:
wevtutil el | findstr /i "Custom"
If you spot one that looks wrong (like one you created and then modified), delete it with:
wevtutil cl "Your Custom View Name"
Replace "Your Custom View Name" with the actual name. That nukes the view and its filter. After that, recreate it fresh—don't copy/paste the old filter query. Manually rebuild it in the Event Viewer GUI.
Why this happens
Here's the ugly truth: Event Viewer stores filter queries in XML inside the registry (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EventViewer). When you edit a custom view, sometimes the old filter scope doesn't get cleared, so the new scope gets added on top. The error code 0X00003AA6 literally means "the filter is already scoped"—it's a duplicate reference. I had a client last month whose print queue monitoring script kept crashing because of this; they'd imported a custom view from an old export, and it left a ghost scope.
Less common variations
Sometimes the error isn't in a custom view but in an Event Viewer subscription (used for forwarding logs). If you use Windows Event Forwarding, check the subscriptions:
wevtutil gl "ForwardedEvents"
If the error pops up there, delete and recreate the subscription. Another scenario is when you use PowerShell to create a filter with Get-WinEvent -FilterXPath and then pipe it into a custom view: the XPath can get corrupted. In that case, just restart the Windows Event Log service:
net stop EventLog && net start EventLog
That flushes the in-memory cache. If it's still broken, check the registry path I mentioned earlier and export/backup the EventViewer key, then delete the offending subkeys. But I'd only do that if you're comfortable editing the registry—one wrong move and you'll lose all custom views.
Prevention
Don't import custom views from old Windows versions or different machines without testing first. I always tell my clients: create custom views from scratch, and if you need to share them, export the XML but manually inspect it in Notepad for duplicate <Scope> nodes. Also, avoid editing a custom view's filter more than once without a reboot—the GUI sometimes leaves trash behind. If you're automating with PowerShell, use New-WinEvent or Register-ObjectEvent instead of relying on custom views for long-running scripts. Saves you this headache.
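To make the "test first" advice concrete, here is an added example (not from the original article) that goes one step beyond the Notepad check: it counts <Scope> nodes in an exported view and test-runs the view's query with Get-WinEvent -FilterXml before you import it. The function name Test-CustomViewXml and the sample view are constructed for illustration, and the ViewerConfig/QueryList layout of the sample is an assumption about what your export contains.

```powershell
function Test-CustomViewXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml   # throws here if the export is not well-formed XML
    $queryList = $doc.SelectSingleNode("//*[local-name()='QueryList']")
    if (-not $queryList) { throw 'No <QueryList> element found in the view.' }

    # The article's manual check: count <Scope> nodes so duplicates stand out.
    $scopeCount = $doc.SelectNodes("//*[local-name()='Scope']").Count

    # Test-run the filter against the local log. -MaxEvents 1 keeps it cheap;
    # a query the event log service rejects raises an error we can report.
    $status = 'OK'
    try {
        $null = Get-WinEvent -FilterXml ([xml]$queryList.OuterXml) -MaxEvents 1 -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $status = 'OK (query valid, no matching events)'
        } else {
            $status = "REJECTED: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        ScopeNodes = $scopeCount
        Query      = $queryList.InnerText.Trim()
        Status     = $status
    }
}

# Constructed sample view (illustrative only, not taken from a real export).
$sample = @'
<ViewerConfig>
  <QueryConfig>
    <QueryNode>
      <Name>Sample errors</Name>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=2)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
'@

Test-CustomViewXml -Xml $sample
```

For a real export, pass the file contents instead of the sample, for example `Test-CustomViewXml -Xml (Get-Content .\view.xml -Raw)`, where view.xml is a placeholder for your exported file.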