Event Logging Management Information

Event logging management information is stored in the Services key of the configuration database and can be modified by a system administrator.

The structure of the configuration information is as follows:

HKEY_LOCAL_MACHINE
    SYSTEM
        CurrentControlSet
            Services
                EventLog
                    Application
                    Security
                    System

The EventLog key contains several subkeys, called logfiles. The default logfiles are Application, Security, and System. Each logfile subkey can contain subkeys, called sources. You cannot use a source name that has been used as a logfile name, and source names should not be hierarchical. (The backslash character [\] cannot be used in a registry key.) Each source entry contains information specific to the source of the event, as shown in the following table.

Value                   Description
EventMessageFile        Specifies the path for the event identifier message file. This value has the type REG_EXPAND_SZ.
CategoryMessageFile     Specifies the path for the category message file. The event category and event identifier message strings can be in the same file. This value has the type REG_EXPAND_SZ.
ParameterMessageFile    Specifies the path for the event source's parameter message file. This file contains language-independent strings that are to be inserted into the event description strings. You can use the same message file for parameter, category, and event identifier message strings. This value has the type REG_EXPAND_SZ.
CategoryCount           Specifies the number of categories supported. This value has the type REG_DWORD.
TypesSupported          Specifies a bitmask of supported types. This value has the type REG_DWORD.

When an application uses the RegisterEventSource or OpenEventLog function to get a handle to an event log, the event logging service searches for the specified source name in the registry. For example, the Application logfile might have configured sources of Microsoft® SQL Server™ and Microsoft® Excel. If an application uses RegisterEventSource or OpenEventLog with a source name of Application, SQL, or Excel, the event logging service returns a handle to the Application logfile.

An application can use the Application event log without adding a new source key to the registry. If the application calls RegisterEventSource, passing a source name that cannot be found in the registry, the event logging service uses the Application logfile by default. However, because there is no message or category string file for that source, the event viewer will not be able to map the event identifier or category to a replacement string. For this reason, the recommended procedure is to add a unique source name for the application to the registry. This allows you to specify message files for the event identifier and category in your events. Applications and services should add their source names to the Application logfile. Device drivers should add their source name to the System logfile.

An event viewer application uses the OpenEventLog function to open the event log for an event source. The event viewer can then use the ReadEventLog function to read event records from the log. ReadEventLog returns a buffer containing an EVENTLOGRECORD structure and additional information that describes a logged event. The EventID member of the EVENTLOGRECORD is the identifier of a description string in the source's event message file. The event viewer uses the LoadLibrary function to load the file indicated by the source's EventMessageFile registry value. The viewer then uses the FormatMessage function to retrieve the description string from the loaded module.

The description string may contain insertion string placeholders, such as %n, where %1 indicates the first insertion string, and so on. In this case, the buffer returned by ReadEventLog contains the insertion strings. The NumStrings member of the EVENTLOGRECORD indicates the number of insertion strings. The StringOffset member of the EVENTLOGRECORD indicates the location of the first insertion string in the buffer.

An insertion string may also contain placeholders of the form %%n, where n is the identifier of a string in the source's parameter message file. In this case, the event viewer uses LoadLibrary and FormatMessage to retrieve the insertion string from the file indicated by the source's ParameterMessageFile registry value.
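As an added example (not part of this documentation), the following Python code parses the EVENTLOGRECORD buffer that ReadEventLog returns and performs the %n and %%n expansion described above. The 56-byte header layout is the Win32 EVENTLOGRECORD structure; build_record and the message and parameter dictionaries passed to format_description are constructed stand-ins for a real record and for the strings a viewer would load with LoadLibrary and FormatMessage from EventMessageFile and ParameterMessageFile.

```python
import re
import struct

HEADER_FMT = "<6I4H6I"  # fixed 56-byte EVENTLOGRECORD header, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 56; SourceName, Computername, SID, strings, data follow

def read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the NUL)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string in EVENTLOGRECORD")
    return buf[pos:end].decode("utf-16-le"), end + 2

def build_record(source, computer, event_id, strings):
    """Constructed test input: a minimal EVENTLOGRECORD with no SID and no binary data."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = names + b"\0" * (-len(names) % 4)          # pad to a DWORD boundary
    string_offset = HEADER_LEN + len(body)
    body += b"".join((s + "\0").encode("utf-16-le") for s in strings)
    length = HEADER_LEN + len(body) + 4               # record ends with a copy of Length
    header = struct.pack(HEADER_FMT, length, 0x654C664C, 1, 0, 0, event_id,
                         4, len(strings), 0, 0, 1, string_offset, 0, 0, 0, 0)
    return header + body + struct.pack("<I", length)

def parse_record(buf):
    """Return EventID, SourceName, Computername and the NumStrings insertion strings."""
    hdr = struct.unpack_from(HEADER_FMT, buf, 0)
    length, event_id, num_strings, string_offset = hdr[0], hdr[5], hdr[7], hdr[11]
    if length > len(buf) or string_offset > length:   # never trust offsets from the record
        raise ValueError("EVENTLOGRECORD offsets exceed the buffer")
    source, pos = read_wstr(buf, HEADER_LEN)
    computer, _ = read_wstr(buf, pos)
    strings, pos = [], string_offset
    for _ in range(num_strings):
        s, pos = read_wstr(buf, pos)
        strings.append(s)
    return {"event_id": event_id, "source": source, "computer": computer, "strings": strings}

def format_description(template, strings, parameters):
    """Expand %n from the insertion strings and, inside those, %%n from the parameter table.
    Single pass: a '%2' carried in an insertion string is data, not a placeholder."""
    def insertion(m):
        n = int(m.group(1))
        if not 1 <= n <= len(strings):
            return m.group(0)                         # unknown %n stays visible
        return re.sub(r"%%(\d+)", lambda p: parameters.get(int(p.group(1)), p.group(0)),
                      strings[n - 1])
    return re.sub(r"%(\d+)", insertion, template)
```

The bounds checks matter because a viewer reads offsets straight out of the record; a truncated or corrupted buffer must raise rather than read past its end.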

For more information about using the registry, see Registry. For more information about creating and using message files, see your message compiler documentation.