HOWTO: Troubleshooting the "Event Message Not Found" Message

 Last reviewed: April 14, 1997
Article ID: Q166902
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) included with: - Microsoft Windows NT versions 3.51, 4.0

SUMMARY

There may be several possible reasons why the following error message appears for events in Event Viewer: 

   The description for Event ID ( <####> ) in Source (<application name>)
   could not be found. It contains the following insertion string(s): <the
   text of the message logged by ReportEvent>.
This article helps to troubleshoot this problem.

MORE INFORMATION

Listed below are the possible causes and more information on how to correct the problem. The cause may be one or more of the following:

  1. An incorrect source name parameter was passed to RegisterEventSource.

Make sure the source name in the registry matches that of what is passed to RegisterEventSource. This function will succeed even if the source is not found in the registry. The source name in the registry should be in a subkey of: 

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Typically an application source is listed under the Application subkey.

  1. The path to the DLL or EXE in the registry is incorrect. In the registry value named EventMessageFile found at: 

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
      Services\EventLog\Application\sourcename

verify the path to the DLL or EXE is correct and the name of the DLL or EXE is correct. In this case the Event Viewer application is failing to load the source of the message resources. Also, if you use %SystemRoot% or some other macro, you must use REG_EXPAND_SZ registry value type. Otherwise, the macro does not get expanded.

  1. The registered message source is the wrong DLL or EXE. In the registry value named EventMessageFile found at: 

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

             Services\EventLog\Application\sourcename


verify that the path to the DLL or EXE is the one which contains the
expected message resources. Be careful of listing an EventMessageFile
without a path and having multiple files with the same name. Event Viewer
follows the rules to find the message source by using the search algorithm
documented in the comments for the LoadLibrary API. For Windows NT 4.0 be
aware if the DLL name is listed in the registry as a KnownDLL to the
system, because the rebuilt DLL will not be used until you reboot. Please
search the Microsoft Knowledge Base on the keywords WinNT and KnownDLLs for
further information on this topic.


  1. Message resources are not bound in the EventMessageFile source.

    

A version of the Logging sample failed to include the .RC file as part of
the build in the makefile. So the DLL is built, but no message resources
were included in the build. Some developers have tried to include the .BIN
file, which is output from the message compiler, as the resource. This
does not properly bind the resource to the DLL. You must use the .RC file
that is output from the message compiler because it marks the resource
with ID of 1 and of type 11 (RT_MESSAGETABLE). This is required for Event
Viewer to find the message resources.


  1. Make sure the correct ID is passed to the ReportEvent function.

    

Many think that the literal ID number found in the .MC file is the correct
ID. This is not so because the message compiler bitwise ORs the ID number
into the LOWORD and bitwise ORs the severity and facility bits into the
HIWORD. An application should always use the symbolic name in the header
file that is output from the message compiler.


Verify MessageIdTypedef= statement in the .MC file. If the
MessageIdTypedef= statement is set for WORD rather than DWORD, then the ID
defines zero as the HIWORD which will be the cause of an ID mismatch. Some
.MC files may define and redefine MessaegIdTypedef because Category IDs are
only 16-bit.


Also be sure that the MC -c command line is consistently used for the
message resources and header file. The -c switch turns on a bit in the
HIWORD of the message ID.


  1. Event Viewer was not restarted since you added the EventMessageFile
   entry in the registry.

    

Event Viewer caches the DLLs it loads for event sources. If you have
changed the registry to give a proper directory or source name after the
event viewer has been started, you need to restart Event Viewer.



	
	

	















	






Additional query words: logging evtlog

Keywords            : BseEvtlog kbprg kbtshoot

Version             : 3.51 4.0

Platform            : NT WINDOWS

Issue type          : kbhowto








THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.






	
	Last reviewed:  April 14, 1997
	

	© 1998 Microsoft Corporation. All rights reserved. Terms of Use.