EventLog Service Entries

The Services subkey for EventLog contains at least three subkeys for the three types of logs—Application, Security, and System. These Logfile subkeys contain subkeys that define the location of the related event message file and the supported types of events, as follows:

Each of the three Logfile subkeys for the EventLog service can contain the value entries described in this section. The Registry path for these entries is the following, where logfile is System, Application, or Security.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\logfile

These entries are described for informational purposes only. This information is usually maintained by Event Viewer. New keys under the Application subkey can only be added in meaningful ways by using the Win32 Registry APIs.

File REG_SZ Path and filename

Specifies the fully qualified path name of the file for this log. This value can be set in Event Viewer.

Default: \SystemRoot\system32\config\filename

MaxSize REG_DWORD Number in kilobytes

Specifies the maximum size of the log file. This value can be set using the Event Viewer.

Default: 512

Retention REG_DWORD Number of seconds

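Specifies that records newer than this value will not be overwritten. When the log reaches its maximum size and every record is still newer than this value, nothing can be overwritten, and this is what causes a log full event. This value can be set using the Event Viewer.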

Default: 604800 (7 days)

Sources REG_MULTI_SZ Names of source applications

Specifies the applications, services, or groups of applications that write events to this log. Each source is a subkey of the Logfile subkey.

Default: None. This value is dynamically maintained by the EventLog service.

The Source subkeys under a Logfile subkey are created by the applications that write events in the related event log. These subkeys contain information specific to the source of the event under the following types of value entries.

EventMessageFile REG_EXPAND_SZ Filename

Specifies the path and filename for the event identifier message file.

CategoryMessageFile REG_EXPAND_SZ Filename

Specifies the path and filename for the category message file. The category and event identifier message strings may be in the same file.

CategoryCount REG_DWORD Number

Specifies the number of categories supported.

TypesSupported REG_DWORD Number

Specifies a bitmask of supported types.
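
The entries described in this section can be read back from a running system for review. The following PowerShell is an added example, not part of the original documentation. The helper name ConvertFrom-TypesSupported is hypothetical, and the bit names are the Win32 EVENTLOG_*_TYPE constants, which this page does not list.

```powershell
# Added example (not from the original page): report the EventLog entries
# described above. Run elevated; the Security subkey may not be readable otherwise.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Event type flags from the Win32 headers (EVENTLOG_ERROR_TYPE and so on).
# TypesSupported is a bitwise OR of these values.
$typeFlags = @(
    @{ Bit = 0x01; Name = 'Error' },
    @{ Bit = 0x02; Name = 'Warning' },
    @{ Bit = 0x04; Name = 'Information' },
    @{ Bit = 0x08; Name = 'AuditSuccess' },
    @{ Bit = 0x10; Name = 'AuditFailure' }
)

function ConvertFrom-TypesSupported {   # hypothetical helper name
    param([int]$Mask)
    $names = $typeFlags | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }
    if ($names) { $names -join ',' } else { 'none' }
}

foreach ($log in 'Application', 'Security', 'System') {
    $key = Join-Path $root $log
    $settings = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $settings) { Write-Warning "Cannot read $key"; continue }

    # Logfile-level entries: File, MaxSize, Retention (raw registry values).
    [pscustomobject]@{
        Log       = $log
        File      = $settings.File
        MaxSize   = $settings.MaxSize
        Retention = $settings.Retention
    } | Format-List

    # Source subkeys: one per application that writes events to this log.
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $src = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Source           = $_.PSChildName
            EventMessageFile = $src.EventMessageFile
            CategoryCount    = $src.CategoryCount
            TypesSupported   = ConvertFrom-TypesSupported ([int]$src.TypesSupported)
        }
    } | Format-Table -AutoSize -Wrap
}
```

A source that shows an empty EventMessageFile or a TypesSupported of none has registered a subkey without the value entries described above.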