Understanding the Event Data of Event Viewer logs in XML format

  • Question

  • Hello,

    I'm trying to understand if there's a way to obtain a list of all the %%-numbers present in some XML event data section.

    For example, in the eventID 5152, I have

    <EventData><Data Name='ProcessId'>0</Data><Data Name='Application'>-</Data><Data Name='Direction'>%%14592</Data><Data Name='SourceAddress'>10.0.0.76</Data> ... etc

    Thanks to Prakhar Khare, in the Microsoft Community, I now understand that those values are localized MessageIDs related to a specific provider.

    My need is not strictly related to programming: I would like to create a lookup table for those values.

    I can do that manually, each time I find a new %%-code, but if there's such a thing as a Microsoft-verified table/list, that would be better :)

    Thanks in advance,

    Fausto

    Wednesday, June 19, 2019 9:38 AM

Answers

  • There are only 65536 valid event ids. Event ids are only unique in each event source, otherwise Microsoft would exhaust the available values quickly as Windows features come and go.

    You can build a list for your current Windows copy by enumerating event sources (hopefully you don't need to support XP/2003, which have a different event system) and getting all messages from the message files registered for each source. There is no backward compatibility guarantee on this approach though; unused event ids could be removed and then later reused for a different purpose.



    Visual C++ MVP

    • Marked as answer by Fausap Friday, June 21, 2019 7:24 AM
    Wednesday, June 19, 2019 4:00 PM
    Moderator
  • Hi,

    PowerShell Get-WinEvent XML is better for you.

    Here's a good article that details how to use Get-WinEvent.

    Best regards,

    Strive


    MSDN Community Support

    • Marked as answer by Fausap Friday, June 21, 2019 7:24 AM
    Thursday, June 20, 2019 6:28 AM
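
An added example, not part of the thread or any poster's code: one way to keep the lookup table the question asks about, keyed per provider because the numbers only have meaning within one source. It parses event XML like the fragment in the question, substitutes the %%-codes it knows and records unknown ones with the event ID and field where they appeared. The sample event is constructed around that fragment; the provider name, the function names, the table layout and the placeholder text for %%14592 are assumptions, not values from the thread.

```python
import re
import xml.etree.ElementTree as ET

PARAM_REF = re.compile(r"%%(\d+)")  # a value may hold several references
PROVIDER = "Microsoft-Windows-Security-Auditing"  # provider that logs event 5152

# Constructed sample: only Direction=%%14592 and the first fields come from the
# question; 'ConstructedField' and its codes are invented for this example.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>5152</EventID></System>
<EventData><Data Name='ProcessId'>0</Data><Data Name='Application'>-</Data>
<Data Name='Direction'>%%14592</Data><Data Name='SourceAddress'>10.0.0.76</Data>
<Data Name='ConstructedField'>%%90001 %%90002</Data></EventData></Event>"""

# Hypothetical table keyed by (provider, code), because the numbers only have
# meaning per provider. Fill in text you have verified on your own systems.
TABLE = {(PROVIDER, 14592): "PLACEHOLDER_TEXT_FOR_14592"}


def parse_event(xml_text):
    """Return (provider, event_id, {field name: raw value}) for one event."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted XML
    provider = root.find(".//{*}Provider").get("Name")
    event_id = int(root.find(".//{*}EventID").text)
    data = root.findall(".//{*}EventData/{*}Data")
    return provider, event_id, {d.get("Name"): d.text or "" for d in data}


def resolve(xml_text, table, unknown):
    """Substitute known %%N codes; log unknown ones as code -> {(event, field)}."""
    provider, event_id, fields = parse_event(xml_text)
    resolved = {}
    for name, value in fields.items():
        def substitute(match, field=name):
            key = (provider, int(match.group(1)))
            if key in table:
                return table[key]
            unknown.setdefault(key, set()).add((event_id, field))
            return match.group(0)  # keep the raw reference visible
        resolved[name] = PARAM_REF.sub(substitute, value)
    return resolved


if __name__ == "__main__":
    todo = {}
    print(resolve(SAMPLE_EVENT, TABLE, todo))
    for (provider, code), seen in sorted(todo.items()):
        print(f"unmapped %%{code} ({provider}) seen in {sorted(seen)}")
```

The `unknown` dictionary is the worklist: each entry is a code that still needs a verified text before it goes into the table.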

All replies

  • Thanks a lot! 

    It's quite clear, now.

    Friday, June 21, 2019 7:21 AM
  • Thanks. It's a very good article indeed.
    Friday, June 21, 2019 7:24 AM