Somebody gave me a testing program to write records into the Windows event log (but I don't have the sources). I understand the general way of writing and reviewing the event log, but that program behaves in a very special way, in that I can write records that have a source which does not exist. There is not even a registry entry in .../eventlog/application, hence no formatting libs.
If I try that from my own code, I can write such a record but the Windows Event Viewer then always tells me something about "description cannot be found" (which is correct and I understand why that happens).
The question is now: Since that foreign test prog CAN do it, it must be possible somehow - but HOW?
Many thx!! :-)
OK, finally I found it (also, got the sources) - the prog creates the registry entry (probably happens when calling CreateEventSource()), it was just not visible until refreshing regedit :-|
And, it DOES register a formatting lib, only that it is something I cannot rely on: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\EventLogMessages.dll
Or, can I?
Ah, here we go for an explanation: "Difference between EventLog.WriteEntry and EventLog.WriteEvent methods". So, I cannot, as I'm not using .NET ... :-|
Now, if I NOW send another event from MY prog (with the same, newly created source, as the foreign prog), I see it in the event viewer normally. That means, WriteEntry() actually does not write a different/special type of evt log record containing the text directly (contrary to the standard method of writing just a msg catalog ID + params) but rather there must be some trick in the formatting lib to make the EventViewer apply some kind of "default" formatting.
Any ideas how I could accomplish this? Except just copying the EventLogMessages.dll above? :-)
OK, finally found an answer about this one in http://msdn.microsoft.com/en-us/magazine/cc163446.aspx "This file is called EventLogMessages.dll, and it contains 65,536 event descriptions, each of which consists of the string "%1", a placeholder for whatever string you want to write"
I was hoping for something like "messageid=*" but that seems to be too simple :-|
But maybe somebody else is interested in what's happening here ...
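
For readers who land on the same problem: one way to get the "%1" behaviour described above without depending on the .NET EventLogMessages.dll is a small message file of your own, compiled into a resource-only DLL. This is an added example, not part of the original post; the file name generic.mc, the symbolic name MSG_GENERIC_TEXT and the DLL name generic.dll are assumptions chosen for illustration.

```mc
;// generic.mc - added example; all names here are illustrative assumptions.
;// One message whose whole text is the first insertion string, the same
;// trick the quoted article describes for EventLogMessages.dll.
;//
;// Build from a Visual Studio developer prompt:
;//   mc generic.mc
;//   rc -r generic.rc
;//   link -dll -noentry -out:generic.dll generic.res
;//
;// Register under the source's key in .../eventlog/application:
;//   EventMessageFile (REG_EXPAND_SZ) = full path to generic.dll
;//   TypesSupported   (REG_DWORD)     = 7   (error | warning | information)
;//
;// Then report every event with the generated constant MSG_GENERIC_TEXT
;// (from generic.h) as the event ID and the text as insertion string 1.

MessageIdTypedef=DWORD

LanguageNames=(English=0x409:MSG00409)

MessageId=0x1
SymbolicName=MSG_GENERIC_TEXT
Language=English
%1
.
```

Because the template is only "%1", the displayed description carries no fixed text, so log filters and alerts on such a source have to match on the source name and the inserted string rather than on distinct event IDs.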