
How can I programmatically determine the description of an Event ID


I wrote a utility that allows me to view EventLog messages, filtering on their types, when they were written, etc.

I see that I have had the following entry a gazillion times (give or take a few) in the last several months/since I purchased my laptop:

Type: Error
Source: WinMgmt
Time Generated: 06/11/2012 20:55:00
Message: The description for Event ID '-1073741814' in Source 'WinMgmt' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'//./root/CIMV2', 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99', '0x80041003'
Machine Name: MuleheadedAsteroid

Does anybody know how I might respond to such an err msg to get to the bottom of the problem?


Solution

  • You're asking two questions here. First, why is the event log entry not formatting correctly? (You're seeing the arguments to the message, but not the fully formatted message.) First, we'll work on fixing the message.

    Seems like a corrupt registry, or a missing message file dll.

    Check to make sure these registry entries exist, and point to the correct place:

    1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt

    Name:  ProviderGuid
    Type:  REG_EXPAND_SZ
    Value: {1edeee53-0afe-4609-b846-d8c0b2075b1f}
    

    2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}

    Values present:

    Name:  MessageFileName
    Type:  REG_EXPAND_SZ
    Value: %SystemRoot%\system32\wbem\WinMgmtR.dll
    
    Name:  ResourceFileName
    Type:  REG_EXPAND_SZ
    Value: %SystemRoot%\system32\wbem\WinMgmtR.dll
    

    3) Lastly, verify the existence of WinMgmtR.dll at %SystemRoot%\system32\wbem\WinMgmtR.dll


    Second, what is the event log trying to tell us? I googled for the error code, 0x80041003. This immediately took me to discussions about trying to query WMI with insufficient permissions, and in particular, a KB article:

    Event ID 10 is logged in the Application log after you install Windows Vista Service Pack 1 or Windows Server 2008

    You'll notice that MS's example query is pretty much identical to yours. So, it seems something is running and querying WMI without enough permission to do so.

    MS provides a script to stop entries from appearing in the resolution portion of the KB article.
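
The three checks listed in the answer can be run from C# as follows; this is an added example, not code from the original answer. It also decodes the raw ID from the question (0xC000000A, event code 10). The class and helper names are hypothetical, and it assumes a Windows machine and a 64-bit build.

```csharp
using System;
using System.IO;
using Microsoft.Win32;

static class EventSourceCheck   // hypothetical name, not from the original answer
{
    // Registry paths are the ones quoted in the answer above.
    const string SourceKey = @"SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt";
    const string PublishersKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers";

    static void Main()
    {
        // -1073741814 is 0xC000000A: bits 31-30 = 3 (error severity), low 16 bits = 10.
        uint raw = unchecked((uint)(-1073741814));
        Console.WriteLine($"0x{raw:X8}: severity={raw >> 30}, event code={raw & 0xFFFF}");

        // Use the 64-bit view so a 32-bit build is not redirected to WOW6432Node.
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        {
            // Check 1: the source key names its provider GUID.
            string guid = ReadValue(hklm, SourceKey, "ProviderGuid");
            if (guid == null) return;

            // Checks 2 and 3: the publisher key names the message DLLs, and they exist on disk.
            foreach (string name in new[] { "MessageFileName", "ResourceFileName" })
            {
                string path = ReadValue(hklm, PublishersKey + "\\" + guid, name);
                if (path == null) continue;
                // In a 32-bit process, system32 paths are redirected to SysWOW64.
                Console.WriteLine($"  {path}: {(File.Exists(path) ? "file present" : "FILE MISSING")}");
            }
        }
    }

    // Returns the value as a string (GetValue expands REG_EXPAND_SZ), or null if absent.
    static string ReadValue(RegistryKey root, string subKey, string name)
    {
        using (RegistryKey key = root.OpenSubKey(subKey))
        {
            string value = key?.GetValue(name) as string;
            Console.WriteLine(value == null
                ? $"MISSING: HKLM\\{subKey} [{name}]"
                : $"OK:      HKLM\\{subKey} [{name}] = {value}");
            return value;
        }
    }
}
```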