Message resource is present but the message was not found in the string/message table

There is an event provider in the system event log called "Service Control Manager". Its EventMessageFile property is %SystemRoot%\system32\services.exe. It contains an event with id = 7036, and this event is: "Service %1 entered state %2". You can create it very simply by stopping or starting any service in services.msc.

All I want to do is write this event to the system event log myself.

Here is my simple logging code:

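    using System.Diagnostics;

    public static class Program
    {
        public static void Main()
        {
            // Writes a single plain string under event id 7036
            EventLog myNewLog = new EventLog("System", ".", "Service Control Manager");
            myNewLog.WriteEntry("Test", EventLogEntryType.Information, 7036);
        }
    }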

I launch the application with Run as Administrator. The event was recorded in the system log with the correct event identifier, source, etc. But the description stated that "the message resource is present, but the message was not found in the string/message table" set by "Test service entered in state %2".

What's my mistake?

+6
1 answer

The error is that you cannot achieve this with WriteEntry, because you need to provide several parameters, as well as the correct EventIdentifier.

If you switch to WriteEvent, you can achieve what you are after:

    var myNewLog = new EventLog("System", ".", "Service Control Manager");
    myNewLog.WriteEvent(
        new EventInstance((1 << 30) + 7036, 0),
        null,
        new object[] { "foobar", "running" });

Note that the EventInstance is loaded with an EventIdentifier which has 7036 in its lower 16 bits, but bit 30 (client bit) should be 1, indicating that we have a client code.

Running this code as an administrator gives in the event log:

The foobar service has entered the current state.

with this xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Service Control Manager" Guid="{some-guid-here}" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="16384">7036</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-01-13T00:13:56.000000000Z" />
        <EventRecordID>999999</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>internal.example.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">foobar</Data>
        <Data Name="param2">running</Data>
        <Binary />
      </EventData>
    </Event>
+1
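An added example, not part of the original answer: when reviewing an event like the one above, the full 32-bit identifier can be rebuilt from its XML, because Qualifiers holds the upper 16 bits and EventID the lower 16. The class name EventIdCheck and the reduced XML sample are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class EventIdCheck // hypothetical helper, not from the page
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Qualifiers hold the upper 16 bits of the identifier, EventID the lower 16.
    public static long InstanceId(int qualifiers, int eventId) =>
        ((long)(qualifiers & 0xFFFF) << 16) | (long)(eventId & 0xFFFF);

    public static void Main()
    {
        // Constructed sample: a reduced copy of the event XML shown in the answer.
        const string xml = @"<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
  <System>
    <Provider Name=""Service Control Manager"" />
    <EventID Qualifiers=""16384"">7036</EventID>
    <Execution ProcessID=""0"" ThreadID=""0"" />
  </System>
  <EventData>
    <Data Name=""param1"">foobar</Data>
    <Data Name=""param2"">running</Data>
  </EventData>
</Event>";

        XElement root = XDocument.Parse(xml).Root;
        XElement system = root.Element(Ns + "System");
        XElement id = system.Element(Ns + "EventID");

        // Treat a missing Qualifiers attribute as 0.
        int qualifiers = (int?)id.Attribute("Qualifiers") ?? 0;
        long instanceId = InstanceId(qualifiers, (int)id);
        bool matchesAnswer = instanceId == (1L << 30) + 7036;
        Console.WriteLine($"InstanceId: {instanceId} (0x{instanceId:X8})");
        Console.WriteLine($"Equals (1 << 30) + 7036: {matchesAnswer}");

        // Insertion strings fill %1 and %2 of the provider's message template.
        string[] args = root.Element(Ns + "EventData").Elements(Ns + "Data")
                            .Select(d => (string)d).ToArray();
        Console.WriteLine("Insertion strings: " + string.Join(", ", args));

        // Surface the writer's process and thread as recorded in the event,
        // so they can be compared with events from the real service.
        XElement exec = system.Element(Ns + "Execution");
        string pid = (string)exec?.Attribute("ProcessID");
        string tid = (string)exec?.Attribute("ThreadID");
        Console.WriteLine($"ProcessID={pid} ThreadID={tid}");
    }
}
```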

Source: https://habr.com/ru/post/888475/

