problem with Event register

sennin · June 13, 2021, 2:12pm

i want to Generate Log into Event viewer
when i install manifest file everything is good and i see my provider create in event viewer
but when i go to register event in filterDriver i get failed
this is manifest file content i used:
#?xml version=‘1.0’ encoding=‘utf-8’ standalone=‘yes’?#
#instrumentationManifest
xmlns=“http://schemas.microsoft.com/win/2004/08/events”
xmlns:win=“http://manifests.microsoft.com/win/2004/08/windows/events”
xmlns:xs=“http://www.w3.org/2001/XMLSchema”
xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=“http://schemas.microsoft.com/win/2004/08/events eventman.xsd”
#
#instrumentation#
#events#
#provider
guid=“{XXXXXXXXXXXXX}”
messageFileName=“%SystemDrive%\Sample\Driver.sys”
name=“ProcessMonitor”
resourceFileName=“%SystemDrive%\Sample\Driver.sys”
symbol=“Process_Monitor”#
#channels#
#channel name=“ProcessMonitor” chid=“c1” symbol=“Process_Monitor_Channel” type=“Operational” enabled=“true”##/channel#
#/channels#
#templates#
#template tid=“load_Unload”#
#data
inType=“win:UnicodeString”
name=“Devname”
outType=“xs:string”/#
#data
inType=“win:UnicodeString”
name=“Message”
outType=“xs:string”/#
#data
inType=“win:UInt32”
name=“Status”
outType=“xs:unsignedInt”/#
#/template#
#template tid=“Event_Process”#
#data
inType=“win:UInt32”
name=“Processid”
outType=“xs:unsignedInt”/#
#data
inType=“win:UnicodeString”
name=“ProcessName”
outType=“xs:string”/#
#data
inType=“win:UnicodeString”
name=“ProcessArg”
outType=“xs:string”/#
…
…
…
#/template#
#/templates#
#events#
#event
channel=“c1”
level=“win:Informational”
message=“$(string.EvtLoad.EventMessage)”
opcode=“win:Start”
symbol=“EvtLoad”
template=“load_Unload”
value=“1”/#
#event
channel=“c1”
level=“win:Informational”
message=“$(string.EvtProcessLog.EventMessage)”
opcode=“win:Info”
symbol=“EvtProcessLog”
template=“Event_Process”
value=“2”/#
#event
channel=“c1”
level=“win:Informational”
message=“$(string.EvtUnload.EventMessage)”
opcode=“win:Stop”
symbol=“EvtUnload”
template=“load_Unload”
value=“3”/#
#/events#
#/provider#
#/events#
#/instrumentation#
#localization xmlns=“http://schemas.microsoft.com/win/2004/08/events”#
#resources culture=“en-US”#
#stringTable#
#string
id=“EvtLoad.EventMessage”
value=“Driver Loaded”/#
#string
id=“EvtProcessLog.EventMessage”
value=“Process Created”/#
#string
id=“EvtUnload.EventMessage”
value=“Driver Unloaded”/#
#/stringTable#
#/resources#
#/localization#
#/instrumentationManifest#

i get error in this function:
if (*RegHandle != 0)
{
Error = 0; // ERROR_SUCCESS
}
else
{
Error = MCGEN_EVENTREGISTER(ProviderId, EnableCallback, CallbackContext, RegHandle); // i got this
}

return Error;

thank you