1
votes

We are using the following .NET 4.5 code to capture event log entries as they are created:

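// Requires: using System.Diagnostics;
// Subscribe to entries in the Application log as they are written.
var log = new EventLog("Application");
log.EnableRaisingEvents = true;
log.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);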

// Define other methods and classes here
protected static void OnEntryWritten(object source, EntryWrittenEventArgs evt)
{
    var e = evt.Entry;
    var v = new
    {
        EntryType = e.EntryType,
        Index = e.Index,
        InstanceId = e.InstanceId,
        MachineName = e.MachineName,
        Message = e.Message,
        Source = e.Source,
        TimeGenerated = e.TimeGenerated.ToUniversalTime(),
        TimeWritten = e.TimeWritten.ToUniversalTime(),
        UserName = e.UserName,
    };
    v.Dump(); //Testing in LinqPad
}

However the entries are showing the following as their Message:

The description for Event ID '1903' in Source 'HHCTRL' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'http://go.microsoft.com/fwlink?LinkID=45839'

and

The description for Event ID '1' in Source 'scollector' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'service_windows.go:194: scollector service stopped'

These messages appear correctly in the Event Viewer (no error about the description) and they also appear correct when I view them using get-winevent -LogName Application -MaxEvents 10 in PowerShell.

I tried adding the following PermissionSet to make sure I have access to the event log, but it still doesn't work.

PermissionSet ps = new PermissionSet(PermissionState.Unrestricted);
ps.AddPermission(new RegistryPermission(RegistryPermissionAccess.AllAccess, System.Environment.MachineName));
ps.AddPermission(new EventLogPermission(EventLogPermissionAccess.Administer, System.Environment.MachineName));
ps.Demand();

The service (or LinqPad when we are testing) is running as administrator and I have confirmed that the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\scollector\EventMessageFile registry key exists (our custom service just uses %SystemRoot%\System32\EventCreate.exe so that all message formats are just %1). What do we need to do to prevent the "The description for Event ID" error message from being included in the entry?

1

1 Answer

2
votes

In this case it appears that the applications that were not working correctly were using a REG_SZ registry type for EventMessageFile instead of the REG_SZ_EXPAND registry type (which expands the %SystemRoot% to c:\Windows before returning the value).

EventMessageFile

REG_SZ_EXPAND is the required type, but in our case these were registered using just REG_SZ due to a bug in the winsvc/eventlog Go package.

Once I deleted and recreated the EventMessageFile key with the correct type it started working as expected.
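An added example, not part of the original answer: a PowerShell script that lists every event source under a log whose EventMessageFile is stored as a plain string (REG_SZ) yet contains a `%VARIABLE%` reference, and with `-Fix` deletes and recreates the value as an expandable string, as the answer describes doing by hand. The parameter names `-LogName` and `-Fix` are this example's own; the expandable type appears as `ExpandString` in .NET and PowerShell (Win32 name REG_EXPAND_SZ).

```powershell
# Added example: audit EventMessageFile registrations for the wrong value type.
# Reading works for most accounts; -Fix writes to HKLM and needs an elevated session.
param(
    [string]$LogName = 'Application',   # event log whose sources are audited
    [switch]$Fix                        # recreate offending values as expandable strings
)

$root = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

$findings = foreach ($src in Get-ChildItem -LiteralPath $root -ErrorAction Stop) {
    # The registry provider returns Microsoft.Win32.RegistryKey objects.
    if ($src.GetValueNames() -notcontains 'EventMessageFile') { continue }

    $kind = $src.GetValueKind('EventMessageFile')
    # Read the stored text as-is, without expanding environment variables.
    $raw = $src.GetValue('EventMessageFile', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    # A plain string is only a problem when it relies on %VARIABLE% expansion.
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -and $raw -match '%[^%]+%') {
        [pscustomobject]@{
            Source   = $src.PSChildName
            Kind     = $kind
            RawValue = $raw
            Expanded = [Environment]::ExpandEnvironmentVariables($raw)
        }
    }
}

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        $path = Join-Path $root $f.Source
        # The type cannot be changed in place, so delete and recreate the value.
        Remove-ItemProperty -LiteralPath $path -Name 'EventMessageFile'
        New-ItemProperty -LiteralPath $path -Name 'EventMessageFile' `
            -PropertyType ExpandString -Value $f.RawValue | Out-Null
        Write-Output "Recreated EventMessageFile for '$($f.Source)' as ExpandString"
    }
}
```

Run it without `-Fix` first and review the table; sources whose EventMessageFile is a plain string holding an absolute path are not reported.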