Tags: windows, winapi, event-log, formatmessage

Event IDs don't match what is displayed in Event Viewer


In the System event log is an event with the following details:

Source: Kernel-General
Event ID: 1
Details: The system time has changed to 2010-07-17T02:58:20.285000000Z from 2010-07-17T02:58:20.285868600Z.

The EVENTLOGRECORD also has a 1 for the EventID field, so it matches what we see in the Event Log viewer.

So far so good.

The problem is, when you look in advapi32.dll, which is where this source gets its messages from, you see this:

ID:01000001
String: The system time has changed to %1 from %2.

How does the Event Log Viewer magically know to add those extra bits to the ID to find the right string? Not all event strings have that upper bit, and some have other upper bits set.

Calling FormatMessage with 1 fails. Calling it with x01000001 succeeds. But that's not what the event log record contains... :(

No docs that I can find discuss this at all (other than describing the ID format which shows error/severity/facility/code bits).


Solution

  • Like you, I can't find it documented anywhere, but it looks like Event Viewer maps the EventType member of the EVENTLOGRECORD structure to the Severity bits of the message table identifier.

    So for example, Service Control Manager event 7035 is of type "Information", which maps to Severity value 1, yielding a message ID of 0x40001B7B, which is indeed the text that Event Viewer displays from netevent.dll: The %1 service was successfully sent a %2 control.

    Similarly, event 7000 is of type "Error", mapping to Severity 3 and a message ID of 0xC0001B58: The %1 service failed to start due to the following error: %n%2

    Of course that doesn't quite fit with your example; are you sure you've got your 0s and 1s in the right place?
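The EventType-to-Severity mapping the answer describes, worked through as an added example that is not part of the question or the answer. It uses the EVENTLOGRECORD EventType constants from winnt.h and the documented layout of a message identifier (severity in bits 31-30, customer bit 29, reserved bit 28, facility in bits 27-16, code in bits 15-0). The answer only gives Information -> 1 and Error -> 3; the Warning -> 2 entry follows from the same severity field but is an extension of what the thread states, and the `%1`/`%n` substitution helper is a simplified stand-in for FormatMessage's insert handling, not the real API. The sample records are constructed.

```python
import re

# EventType values of the EVENTLOGRECORD structure (winnt.h).
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004

# Severity field (bits 31-30) of a message identifier, as the Message Compiler
# lays it out: 0 = success, 1 = informational, 2 = warning, 3 = error.
SEVERITY_SUCCESS, SEVERITY_INFORMATIONAL, SEVERITY_WARNING, SEVERITY_ERROR = 0, 1, 2, 3

_EVENT_TYPE_TO_SEVERITY = {
    EVENTLOG_INFORMATION_TYPE: SEVERITY_INFORMATIONAL,  # the answer's 7035 case
    EVENTLOG_WARNING_TYPE: SEVERITY_WARNING,            # extension: not stated in the thread
    EVENTLOG_ERROR_TYPE: SEVERITY_ERROR,                # the answer's 7000 case
}


def decode_message_id(message_id: int) -> dict:
    """Split a 32-bit message identifier into its documented bit fields."""
    if not 0 <= message_id <= 0xFFFFFFFF:
        raise ValueError("message identifier must fit in 32 bits")
    return {
        "severity": (message_id >> 30) & 0x3,
        "customer": (message_id >> 29) & 0x1,
        "reserved": (message_id >> 28) & 0x1,
        "facility": (message_id >> 16) & 0xFFF,
        "code": message_id & 0xFFFF,
    }


def build_message_id(event_id: int, event_type: int) -> int:
    """Combine the record's EventID with a severity derived from its EventType.

    Only the two severity bits are replaced; any customer, facility or code bits
    already present in the EventID DWORD are kept.
    """
    if event_type not in _EVENT_TYPE_TO_SEVERITY:
        raise ValueError(f"unsupported EventType 0x{event_type:04x}")
    severity = _EVENT_TYPE_TO_SEVERITY[event_type]
    return (event_id & 0x3FFFFFFF) | (severity << 30)


def candidate_message_ids(event_id: int, event_type: int) -> list:
    """IDs to try against the message table, most likely first, without repeats.

    The raw EventID comes first because some records (the questioner's
    0x01000001 case) already carry facility bits that the severity mapping
    alone would never produce.
    """
    raw = event_id & 0xFFFFFFFF
    mapped = build_message_id(event_id, event_type)
    return [raw] if raw == mapped else [raw, mapped]


# %1 .. %99 are insert strings; %n is a hard line break. Real FormatMessage
# handles more escapes than this; the helper is deliberately minimal.
_INSERT_RE = re.compile(r"%(\d{1,2}|n)")


def render_template(template: str, inserts: list) -> str:
    """Substitute message-table inserts into a template string."""
    def repl(match):
        token = match.group(1)
        if token == "n":
            return "\n"
        index = int(token)
        if not 1 <= index <= len(inserts):
            raise ValueError(f"template references missing insert %{index}")
        return inserts[index - 1]
    return _INSERT_RE.sub(repl, template)


if __name__ == "__main__":
    # Constructed sample records: (source, EventID from the record, EventType).
    records = [
        ("Service Control Manager", 7035, EVENTLOG_INFORMATION_TYPE),
        ("Service Control Manager", 7000, EVENTLOG_ERROR_TYPE),
        ("Kernel-General", 1, EVENTLOG_INFORMATION_TYPE),
    ]
    for source, event_id, event_type in records:
        ids = ", ".join(f"0x{i:08X}" for i in candidate_message_ids(event_id, event_type))
        print(f"{source}: EventID {event_id} -> try {ids}")
    print(decode_message_id(0x01000001))
```

On Windows the resulting identifier is what you hand to FormatMessage with FORMAT_MESSAGE_FROM_HMODULE, using a module handle obtained with LoadLibraryEx and LOAD_LIBRARY_AS_DATAFILE on the source's message file; decoding 0x01000001 shows severity 0 and facility 0x100, which is why the questioner's Kernel-General record cannot be reached by the severity mapping alone and needs the lookup order in candidate_message_ids.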