locked
Creating event log message files RRS feed

  • Question

  • I'm not sure if this is the correct forum but it appears to be the closest to the subject material that I can find.

    One of the applications I work on has been spitting out ugly event log messages that have our message inside of the wonderful message such as below:

    The description for Event ID 103 from source MyCustomSource cannot be found. Either  the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    My event log message that is redacted.
    
    the message resource is present but the message is not found in the string/message table

    So I went about my way creating an event log message file for this source, sounds pretty simple right?

    ;// Header
    MessageIdTypedef=DWORD
    
    LanguageNames=(
        English=0x409:MSG00409
    )
    
    ;// Categories
    MessageId=0x1
    SymbolicName=MYAPP_CATEGORY_GENERAL
    Language=English
    MyApp General
    .
    
    ;// Messages
    MessageId=0x103
    SymbolicName=API_ERROR
    Severity=Error
    Language=English
    An error occurred in the API. Message: %1
    .
    


    I then compiled this file as normal:

    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mc.exe" -u MyAppMessages.mc"
    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\rc.exe" -r MyAppMessages.rc"
    "C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\link.exe" -dll -noentry -out:MyAppMessages.dll MyAppMessages.res /MACHINE:x86

    I now have the compiled MyAppMessages.dll. I now add the required registry entries:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\MyApp\MyApp
    CategoryCount    REG_DWORD    1
    CategoryMessageFile REG_EXPAND_SZ <path to MyAppMessages.dll>
    EventMessageFile REG_EXPAND_SZ <path to MyAppMessages.dll>

    The problem is, I'm still getting the same message as at the beginning, only the Task Category is now loading the correct value from the message file instead of the default value (1) that was loading previously.

    This is the XML of the event data:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MyApp" /> 
        <EventID Qualifiers="57344">103</EventID> 
        <Level>2</Level> 
        <Task>1</Task> 
        <Keywords>0x80000000000000</Keywords> 
        <TimeCreated SystemTime="2012-02-27T16:42:20.000000000Z" /> 
        <EventRecordID>20759</EventRecordID> 
        <Channel>MyApp</Channel> 
        <Computer>Skycaller</Computer> 
        <Security /> 
      </System>
      <EventData>
        <Data>My event log message that is redacted.</Data> 
      </EventData>
    </Event>
    

    I'm no message file expert, but it is finding the category definition in the message file but not the event message. Does anyone have any insight as to why the message can't be found but the category is found in the same DLL? Using Resource Hacker I am able to open the compiled resource file and it has all of the messages in it. Am I compiling the message file incorrectly?

    Monday, February 27, 2012 8:48 PM

All replies

  • Compiling with SDK 7.1 instead of 7.0A also makes no difference, it seems
    Thursday, March 1, 2012 9:41 PM