Event Sources

Each logfile can contain subkeys called event sources. The event source is the name of the software that logs the event. It is often the name of the application, or the name of a subcomponent of the application, if the application is large. Applications and services should add their names to the Application logfile. Device drivers should add their names to the System logfile. The structure is as follows:

HKEY_LOCAL_MACHINE
    SYSTEM
        CurrentControlSet
            Services
                EventLog
                    Application
                        AppName
                    Security
                    System
                        DriverName

The application provides its name when it opens the event log using the RegisterEventSource function. You cannot use a source name that has already been used as a logfile name. In addition, source names cannot be hierarchical (that is, you cannot use the backslash character [\]).

Each event source contains information specific to the software that will be logging the events, such as the message files, as shown in the following table.

Registry Value
    Description

EventMessageFile
    Specifies the path for the event message file. You can list multiple files, separated by semicolons. An event message file contains language-dependent strings that describe the events. This value has the type REG_EXPAND_SZ.

CategoryMessageFile
    Specifies the path for the category message file. You can list multiple files, separated by semicolons. A category message file contains language-dependent strings that describe the categories. This value has the type REG_EXPAND_SZ.

ParameterMessageFile
    Specifies the path for the parameter message file. You can list multiple files, separated by semicolons. A parameter message file contains language-independent strings that are to be inserted into the event description strings. This value has the type REG_EXPAND_SZ.

CategoryCount
    Specifies the number of event categories supported. This value has the type REG_DWORD.

TypesSupported
    Specifies a bitmask of supported types. This value has the type REG_DWORD. It can be one or more of the following values:

        EVENTLOG_ERROR_TYPE
        EVENTLOG_WARNING_TYPE
        EVENTLOG_INFORMATION_TYPE
        EVENTLOG_AUDIT_SUCCESS
        EVENTLOG_AUDIT_FAILURE

When an application uses the RegisterEventSource or OpenEventLog function to get a handle to an event log, the event-logging service searches for the specified event source in the registry. For example, the Application logfile might contain event sources for Microsoft SQL Server and Microsoft Excel. If an application uses RegisterEventSource or OpenEventLog with a source name of Application, SQL, or Excel, the event-logging service returns a handle to the Application logfile.

An application can use the Application event log without adding a new event source to the registry. If the application calls RegisterEventSource, passing a source name that cannot be found in the registry, the event-logging service uses the Application logfile by default. However, because there are no message files, the Event Viewer cannot map any event identifiers or event categories to a description string, and will display an error. For this reason, you should add a unique event source to the registry for your application and specify a message file.
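
The following PowerShell is an added example, not part of the original documentation. It walks the registry layout described above and reports event sources under the Application and System logfile keys that have no EventMessageFile value, or whose listed message files are not found on disk. The function name Get-EventSourceAudit and the Finding labels are made up for this example.

```powershell
# Added example: audit event sources for missing or unresolvable message files.
$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
# Read REG_EXPAND_SZ values unexpanded so the report shows what is stored.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-EventSourceAudit {
    param([string[]]$LogName = @('Application', 'System'))

    foreach ($log in $LogName) {
        # Each subkey of a logfile key is an event source.
        $sources = Get-ChildItem -Path (Join-Path $root $log) -ErrorAction SilentlyContinue
        foreach ($source in $sources) {
            $raw     = $source.GetValue('EventMessageFile', $null, $noExpand)
            $missing = @()
            if ($raw) {
                # Several files may be listed, separated by semicolons.
                foreach ($file in ($raw -split ';')) {
                    $path = [Environment]::ExpandEnvironmentVariables($file.Trim())
                    if ($path -and -not (Test-Path -LiteralPath $path -PathType Leaf)) {
                        $missing += $path
                    }
                }
            }

            if (-not $raw) {
                $finding = 'NoMessageFile'      # Event Viewer cannot map event IDs
            } elseif ($missing.Count -gt 0) {
                $finding = 'FileNotFound: ' + ($missing -join '; ')
            } else {
                $finding = 'OK'
            }

            [pscustomobject]@{
                Log              = $log
                Source           = $source.PSChildName
                EventMessageFile = $raw
                TypesSupported   = $source.GetValue('TypesSupported', $null)
                Finding          = $finding
            }
        }
    }
}

Get-EventSourceAudit |
    Where-Object { $_.Finding -ne 'OK' } |
    Sort-Object Log, Source |
    Format-Table -AutoSize
```

An entry that is not a full path is checked relative to the current location, so review those findings by hand.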