I have a manifest file with several events and two channels. I generate the include and resource files via the mc command:

```
mc -um manifest.man
```

I link the resource files into the application.

I install the manifest in the system via the wevtutil command:

```
wevtutil.exe im manifest.man
```
In the application I use EventRegister for log initialization and EventWrite for log writing. The following code for generating a log event returns ERROR_SUCCESS:

```cpp
#include <windows.h>
#include <evntprov.h>
#include <string>

REGHANDLE log_handle; // filled in by EventRegister during initialization

ULONG writeEvent(const std::string& message) {
    std::string log_message_str(message);
    EVENT_DATA_DESCRIPTOR data;
    EVENT_DESCRIPTOR description; // never initialized: Id, Channel, Level and Keyword are stack garbage
    // payload size includes the terminating NUL
    EventDataDescCreate(&data, log_message_str.c_str(), static_cast<ULONG>(log_message_str.size() + 1));
    return EventWrite(log_handle, &description, 1, &data);
}
```
Also, I grant read permission on my application to LocalService:

```
icacls "service_win.exe" /grant "NT AUTHORITY\LocalService":R /Q
```

I start my application as a service under the 'NT AUTHORITY\LocalService' account (sc.exe requires a space after each `option=`):

```
sc.exe create service_win binpath= D:\service_win.exe type= own obj= "NT AUTHORITY\LocalService"
net start service_win
```

The channels declared in my manifest.man were added to the Windows Event Log, but they are empty. The application writes to the log via writeEvent every second with an ERROR_SUCCESS result, but my log files are still empty.
UPDATE:
I created a GitHub repo with steps to reproduce.

I found a solution. The problem was in the trace session and in the auto-generated code from the mc utility. You need to call mc with the -um flag and use the auto-generated functions for log writing. A working sample is here
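The wrappers that `mc -um` generates (named after the manifest symbols, e.g. EventRegister&lt;Provider&gt; / EventWrite&lt;Event&gt;) do one thing the question's writeEvent skipped: they fill in the EVENT_DESCRIPTOR with the Id, Version, Channel, Level, Task, Opcode and Keyword declared in the manifest, so the Event Log service can route the event to a channel. The following is an added example, not code from the question, the answer or the linked repo; it does by hand what such a generated wrapper does. The provider GUID, event id 1, channel value 16, informational level 4 and keyword are constructed placeholders that would come from the generated header. On Windows it compiles against the real ETW API; elsewhere a small shim with the same field layout stands in for the SDK so the descriptor logic can be exercised.

```cpp
// Added example: building an EVENT_DESCRIPTOR explicitly before EventWrite,
// as the mc -um generated EventWrite<Event> wrapper does for you.
#include <cstdint>
#include <string>

#ifdef _WIN32
#  include <windows.h>
#  include <evntprov.h>
#  pragma comment(lib, "advapi32.lib")
#else
// Shim mirroring the Windows type layout so the example builds off-Windows.
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
typedef uint64_t REGHANDLE;
typedef uint16_t USHORT;
typedef uint8_t  UCHAR;
const ULONG ERROR_SUCCESS = 0;
struct GUID { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; };
struct EVENT_DESCRIPTOR {
    USHORT Id; UCHAR Version; UCHAR Channel; UCHAR Level; UCHAR Opcode; USHORT Task; ULONGLONG Keyword;
};
struct EVENT_DATA_DESCRIPTOR { ULONGLONG Ptr; ULONG Size; ULONG Reserved; };
inline void EventDescCreate(EVENT_DESCRIPTOR* d, USHORT id, UCHAR ver, UCHAR ch, UCHAR lvl,
                            USHORT task, UCHAR op, ULONGLONG kw) {
    d->Id = id; d->Version = ver; d->Channel = ch; d->Level = lvl;
    d->Opcode = op; d->Task = task; d->Keyword = kw;
}
inline void EventDataDescCreate(EVENT_DATA_DESCRIPTOR* dd, const void* p, ULONG size) {
    dd->Ptr = static_cast<ULONGLONG>(reinterpret_cast<uintptr_t>(p)); dd->Size = size; dd->Reserved = 0;
}
inline ULONG EventRegister(const GUID*, void*, void*, REGHANDLE* h) { *h = 1; return ERROR_SUCCESS; }
inline ULONG EventWrite(REGHANDLE, const EVENT_DESCRIPTOR*, ULONG, EVENT_DATA_DESCRIPTOR*) { return ERROR_SUCCESS; }
inline ULONG EventUnregister(REGHANDLE) { return ERROR_SUCCESS; }
#endif

// Constructed placeholders: in a real build these come from the header mc generates
// from manifest.man (provider GUID and the event's EVENT_DESCRIPTOR constant).
static const GUID kProviderId = {0x00000000, 0x0000, 0x0000, {0, 0, 0, 0, 0, 0, 0, 0}}; // placeholder GUID
const USHORT    kEventId      = 1;
const UCHAR     kEventVersion = 0;
const UCHAR     kChannelValue = 16;                     // assumed custom channel value
const UCHAR     kLevelInfo    = 4;                      // win:Informational
const ULONGLONG kKeyword      = 0x8000000000000000ULL;  // assumed channel keyword bit

// Fill every routing field deliberately; an uninitialized descriptor leaves them as stack garbage.
EVENT_DESCRIPTOR makeMessageEventDescriptor() {
    EVENT_DESCRIPTOR d;
    EventDescCreate(&d, kEventId, kEventVersion, kChannelValue, kLevelInfo,
                    /*Task*/ 0, /*Opcode*/ 0, kKeyword);
    return d;
}

// Sanity check a descriptor against the values the manifest declares.
bool descriptorMatchesManifest(const EVENT_DESCRIPTOR& d) {
    return d.Id == kEventId && d.Version == kEventVersion && d.Channel == kChannelValue &&
           d.Level == kLevelInfo && d.Keyword == kKeyword;
}

// Bytes handed to ETW for an ANSI string payload: the decoder expects the terminating NUL.
ULONG payloadSizeFor(const std::string& message) {
    return static_cast<ULONG>(message.size() + 1);
}

// RAII provider registration: EventRegister on construction, EventUnregister on destruction.
class EtwLogger {
public:
    EtwLogger() : handle_(0), registered_(false) {
        registered_ = (EventRegister(&kProviderId, nullptr, nullptr, &handle_) == ERROR_SUCCESS);
    }
    ~EtwLogger() { if (registered_) EventUnregister(handle_); }
    bool ok() const { return registered_; }

    // Writes one event whose template is assumed to declare a single win:AnsiString field.
    ULONG writeEvent(const std::string& message) {
        EVENT_DESCRIPTOR desc = makeMessageEventDescriptor();
        EVENT_DATA_DESCRIPTOR data;
        EventDataDescCreate(&data, message.c_str(), payloadSizeFor(message));
        return EventWrite(handle_, &desc, 1, &data);
    }

private:
    REGHANDLE handle_;
    bool registered_;
};
```

Usage is `EtwLogger logger; logger.writeEvent("service started");` once the manifest is installed with wevtutil. The check in descriptorMatchesManifest is the part worth keeping in a real build: if the descriptor's Channel or Id does not match an event the installed manifest declares, EventWrite still returns ERROR_SUCCESS (the write is accepted by the session) while nothing ever appears in the channel, which is exactly the silent failure described in the question.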