<UserData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"> <PolicyNameLength>3</PolicyNameLength> <PolicyName>EXE</PolicyName> <RuleId>{5028efad-7497-4ac0-84ce-00bee63f3951}</RuleId> <RuleNameLength>24</RuleNameLength> <RuleName>(Default Rule) All Exe's</RuleName> <RuleSddlLength>48</RuleSddlLength> <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "*"))</RuleSddl> <TargetUser>S-1-5-18</TargetUser> <TargetProcessId>9796</TargetProcessId> <FilePathLength>31</FilePathLength> <FilePath>%SYSTEM32%\SEARCHFILTERHOST.EXE</FilePath> <FileHashLength>32</FileHashLength> <FileHash>92DF47871C9BC9F0A2FF1BBCCCE7427499524FB9976DCEEA4C8171EDF2BD381A</FileHash> <FqbnLength>106</FqbnLength> <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS® SEARCH\SEARCHFILTERHOST.EXE\7.0.17763.3232</Fqbn> <TargetLogonId>0x3e7</TargetLogonId> <FullFilePathLength>40</FullFilePathLength> <FullFilePath>C:\WINDOWS\system32\SearchFilterHost.exe</FullFilePath> </RuleAndFileData> </UserData>