Event Log Message Log Error

One of the applications I'm working on spits out the ugly event log messages that have our message, but also a wonderful message, for example below:

The description for Event ID 103 from source MyCustomSource cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: My event log message that is redacted. the message resource is present but the message is not found in the string/message table 

So, I went the way of creating an event log message file for this source, does it sound pretty simple?

    ;// Header
    MessageIdTypedef=DWORD

    LanguageNames=(
        English=0x409:MSG00409
    )

    ;// Categories
    MessageId=0x1
    SymbolicName=MYAPP_CATEGORY_GENERAL
    Language=English
    MyApp General
    .

    ;// Messages
    MessageId=0x103
    SymbolicName=API_ERROR
    Severity=Error
    Language=English
    An error occurred in the API. Message: %1
    .

Then I compile this file as usual:

    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mc.exe" -u MyAppMessages.mc
    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\rc.exe" -r MyAppMessages.rc
    "C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\link.exe" -dll -noentry -out:MyAppMessages.dll MyAppMessages.res /MACHINE:x86

Now I have a compiled file MyAppMessages.dll. Now I add the necessary registry entries:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\MyApp\MyApp
        CategoryCount        REG_DWORD      1
        CategoryMessageFile  REG_EXPAND_SZ  <path to MyAppMessages.dll>
        EventMessageFile     REG_EXPAND_SZ  <path to MyAppMessages.dll>

The problem is that I still get the same message as at the beginning, only the task category now loads the correct value from the message file instead of the default value (1) that was downloaded earlier.

This is the event data XML:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MyApp" />
        <EventID Qualifiers="57344">103</EventID>
        <Level>2</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-27T16:42:20.000000000Z" />
        <EventRecordID>20759</EventRecordID>
        <Channel>MyApp</Channel>
        <Computer>Skycaller</Computer>
        <Security />
      </System>
      <EventData>
        <Data>My event log message that is redacted.</Data>
      </EventData>
    </Event>

I am not an expert in a message file, but it finds a category definition in a message file, but not an event message. Does anyone know why a message cannot be found, but a category is found in the same DLL?

+4
source share
4 answers

As it turns out, someone on the MSDN forums accidentally stumbled upon a solution to this issue and shared it with me.

Just take out any lines with Severity=xxxxx and Facility=xxxxx in the message file, and user messages will appear after recompilation. Facility was not in my file, but the other guy had this line in his, and it would not have worked for him without taking this line out. I don't know why these lines are found in many textbooks and in the official MSDN documentation, but they are there.

Hope this helps someone!

+2
source

You defined the MessageId values as hexadecimal, so 0x103 is converted to 259 decimal. If you want your MessageId to be decimal, use MessageId = 0x67

+1
source

EventId is a combination of MessageId, Severity and Facility. I read this from the following source: "Any given value must correspond to 16 bits. For more details on how the message value is formed from the severity level, object and message identifier, see the Diagram in Winerror.h". http://msdn.microsoft.com/en-us/library/windows/desktop/dd996906%28v=vs.85%29.aspx

That's why it works if you take Severity and Facility from a message file.

0
source

The dwEventId argument that is passed to the Win32 ReportEvent call is not exactly the same as the MessageId in your message file; rather, it should be built from Severity, Facility and MessageId combined, bit-shifted and OR'd as described by winerror.h.

It is useful that the Message Compiler, in addition to the RC and BIN files, also emits a header file, which #defines mappings from the SymbolicName (if provided) to the correct EventId for each message. Therefore, you can simply use these constants if you want to use Severity and Facility in Windows event log messages.

Note that if you specify a value for Facility or Severity for any message, this value will be the message compiler's default for any subsequent messages that do not define Facility or Severity, until a message is reached that specifies a value for Facility or Severity, which becomes the new default value, and so on.

0
source
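
The winerror.h bit layout that the answers above refer to, worked through for the values in the question, as an added example that is not part of the original posts. The function names are hypothetical, and facility 0 with the customer bit clear is an assumption for the message-file entry, since the .mc file in the question sets no Facility; the split of the identifier into Qualifiers (high 16 bits) and EventID (low 16 bits) follows the event schema for legacy providers.

```c
#include <stdint.h>
#include <stdio.h>

/* Severity codes from the winerror.h layout (top two bits). */
enum { SEV_SUCCESS = 0, SEV_INFORMATIONAL = 1, SEV_WARNING = 2, SEV_ERROR = 3 };

typedef struct {
    unsigned severity;  /* bits 31-30 */
    unsigned customer;  /* bit 29 (bit 28 is reserved and left at 0 here) */
    unsigned facility;  /* bits 27-16 */
    unsigned code;      /* bits 15-0, the MessageId */
} event_id_parts;

/* Build the 32-bit identifier from its fields. */
uint32_t make_event_id(event_id_parts p) {
    return ((uint32_t)(p.severity & 0x3u) << 30) |
           ((uint32_t)(p.customer & 0x1u) << 29) |
           ((uint32_t)(p.facility & 0xFFFu) << 16) |
           (uint32_t)(p.code & 0xFFFFu);
}

/* Split a 32-bit identifier back into its fields. */
event_id_parts split_event_id(uint32_t id) {
    event_id_parts p;
    p.severity = (id >> 30) & 0x3u;
    p.customer = (id >> 29) & 0x1u;
    p.facility = (id >> 16) & 0xFFFu;
    p.code     = id & 0xFFFFu;
    return p;
}

/* Event XML keeps the high 16 bits in Qualifiers and the low 16 in EventID. */
uint32_t event_id_from_xml(unsigned qualifiers, unsigned event_id) {
    return ((uint32_t)(qualifiers & 0xFFFFu) << 16) | (uint32_t)(event_id & 0xFFFFu);
}

int main(void) {
    /* Message-file entry from the question; facility 0 and customer 0 are assumed. */
    event_id_parts in_file = { SEV_ERROR, 0, 0, 0x103 };
    uint32_t compiled = make_event_id(in_file);
    /* Logged event from the question's XML: Qualifiers="57344", EventID 103. */
    uint32_t logged = event_id_from_xml(57344, 103);
    event_id_parts l = split_event_id(logged);
    printf("message file: 0x%08lX\n", (unsigned long)compiled);
    printf("logged:       0x%08lX (sev=%u customer=%u facility=0x%X code=0x%X)\n",
           (unsigned long)logged, l.severity, l.customer, l.facility, l.code);
    printf("identifiers %s\n", compiled == logged ? "are equal" : "differ");
    return 0;
}
```
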

Source: https://habr.com/ru/post/1398650/

