Viewing the Event Log

When the user starts Event Viewer to view the event log entries, it calls the ReadEventLog function to obtain the EVENTLOGRECORD structures. The Event Viewer uses the event source and event identifier to get message text for each event from the registered message file (indicated by the EventMessageFile registry value for the source). The Event Viewer uses the LoadLibraryEx function to load the message file. The Event Viewer then uses the FormatMessage function to retrieve the description string from the loaded module.

The following illustration shows how the Event Viewer presents this information.

If the user double-clicks on an event log entry, the Event Viewer displays more information, as shown in the following illustration.
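The lookup described above starts from three values in each EVENTLOGRECORD: the source name, the event identifier and the insertion strings. The following portable C sketch is an added example, not code from the original page or from Event Viewer, and it calls no Win32 API. It extracts those values from a raw record buffer with bounds checks, using the field offsets of the documented EVENTLOGRECORD layout. The names `parse_record`, `event_info` and `build_sample` are hypothetical, and the sample record is constructed.

```c
#include <stdint.h>
#include <string.h>

#define ELR_FIXED 56u          /* bytes of fixed EVENTLOGRECORD fields */
#define ELR_SIG   0x654c664cu  /* "LfLe", value of the Reserved field */

typedef struct { uint32_t event_id; uint16_t num_strings; char source[64], string1[64]; } event_info;
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Narrow the NUL-terminated UTF-16LE string at buf[off]; returns offset past it, 0 if unterminated. */
static size_t get_wstr(const uint8_t *buf, size_t end, size_t off, char *out, size_t cap) {
    for (size_t n = 0; off + 2 <= end; off += 2) {
        unsigned c = buf[off] | buf[off + 1] << 8;
        if (c == 0) { out[n] = '\0'; return off + 2; }
        if (n + 1 < cap) out[n++] = c < 0x80 ? (char)c : '?';
    }
    return 0;
}
static size_t put_wstr(uint8_t *buf, size_t off, const char *s) {
    do { buf[off] = (uint8_t)*s; buf[off + 1] = 0; off += 2; } while (*s++);
    return off;
}

/* Returns 0 and fills *out, or -1 if the record fails a bounds or consistency check. */
int parse_record(const uint8_t *buf, size_t avail, event_info *out) {
    if (avail < ELR_FIXED + 4) return -1;
    uint32_t len = rd32(buf), str_off = rd32(buf + 36);       /* Length, StringOffset */
    if (len < ELR_FIXED + 4 || len > avail || rd32(buf + 4) != ELR_SIG) return -1;
    if (rd32(buf + len - 4) != len) return -1;                /* trailing copy of Length */
    out->event_id = rd32(buf + 20);
    out->num_strings = (uint16_t)(buf[26] | buf[27] << 8);
    out->string1[0] = '\0';
    if (!get_wstr(buf, len - 4, ELR_FIXED, out->source, sizeof out->source)) return -1;
    if (out->num_strings && (str_off < ELR_FIXED || str_off >= len - 4 ||
        !get_wstr(buf, len - 4, str_off, out->string1, sizeof out->string1))) return -1;
    return 0;
}

/* Constructed sample record (not real log data): source "DemoSource", one insertion string. */
size_t build_sample(uint8_t *buf) {   /* buf must hold at least 128 bytes */
    memset(buf, 0, 128);
    size_t off = put_wstr(buf, put_wstr(buf, ELR_FIXED, "DemoSource"), "HOST1"); /* SourceName, Computername */
    wr32(buf + 36, (uint32_t)off);                                      /* StringOffset */
    off = (put_wstr(buf, off, "disk0") + 3) & ~(size_t)3;               /* pad to a DWORD boundary */
    wr32(buf, (uint32_t)off + 4); wr32(buf + off, (uint32_t)off + 4);   /* Length at front and back */
    wr32(buf + 4, ELR_SIG); wr32(buf + 20, 0xC0001000u); buf[26] = 1;   /* Reserved, EventID, NumStrings */
    return off + 4;
}
```

On Windows, the parsed source name selects the registry key that holds EventMessageFile, and the event identifier and insertion strings are what FormatMessage needs to produce the description.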