Platform SDK: Debugging and Error Handling

Event Sources

Each logfile can contain subkeys called event sources. The event source is the name of the software that logs the event. It is often the name of the application, or the name of a subcomponent of the application, if the application is large. Applications and services should add their names to the Application logfile. Device drivers should add their names to the System logfile. The structure is as follows:

HKEY_LOCAL_MACHINE
  SYSTEM
    CurrentControlSet
      Services
        EventLog
          Application
            AppName
          Security
          System
            DriverName

The application provides its name when it opens the event log using the RegisterEventSource function. You cannot use a source name that has already been used as a logfile name. In addition, source names cannot be hierarchical (that is, you cannot use the backslash character [\]).

Each event source contains information specific to the software that will be logging the events, such as the message files, as shown in the following table.

Registry Value
    Description

CategoryCount
    Specifies the number of event categories supported. This value has the type REG_DWORD.

CategoryMessageFile
    Specifies the path for the category message file. A category message file contains language-dependent strings that describe the categories. This value has the type REG_EXPAND_SZ.

DisplayNameFile
    Windows 2000: Specifies the file that stores the localized name of the event log. The name stored in the specified file appears as the log name in Event Viewer. If this entry does not appear in the registry for an event log, Event Viewer displays the name of the registry subkey as the log name. This value has the type REG_EXPAND_SZ.

DisplayNameID
    Windows 2000: Specifies the message identification number of the log name string. This number indicates the message in which the localized display name appears. The message is stored in the file specified by the DisplayNameFile value. This value has the type REG_DWORD.

EventMessageFile
    Specifies the path for the event message file. You can list multiple files, separated by semicolons. An event message file contains language-dependent strings that describe the events. This value has the type REG_EXPAND_SZ.

ParameterMessageFile
    Specifies the path for the parameter message file. A parameter message file contains language-independent strings that are to be inserted into the event description strings. This value has the type REG_EXPAND_SZ.

TypesSupported
    Specifies a bitmask of supported types. This value has the type REG_DWORD. It can be one or more of the following values:

        EVENTLOG_ERROR_TYPE
        EVENTLOG_WARNING_TYPE
        EVENTLOG_INFORMATION_TYPE
        EVENTLOG_AUDIT_SUCCESS
        EVENTLOG_AUDIT_FAILURE


When an application uses the RegisterEventSource or OpenEventLog function to get a handle to an event log, the event-logging service searches for the specified event source in the registry. For example, the Application logfile might contain event sources for Microsoft SQL Server and Microsoft Excel. If an application uses RegisterEventSource or OpenEventLog with a source name of Application, SQL, or Excel, the event-logging service returns a handle to the Application logfile.

An application can use the Application event log without adding a new event source to the registry. If the application calls RegisterEventSource, passing a source name that cannot be found in the registry, the event-logging service uses the Application logfile by default. However, because there are no message files, the Event Viewer cannot map any event identifiers or event categories to a description string, and will display an error. For this reason, you should add a unique event source to the registry for your application and specify a message file.
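
The naming rules and registry values described above can be checked before a setup program writes the source key. The following is an added example, not code from the Platform SDK: lint_event_source, count_message_files, KNOWN_TYPES and the SRC_* flags are hypothetical names, and the event-type constants repeat the winnt.h values so the code builds without the Windows headers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Event type bits, repeating the winnt.h values so this builds anywhere. */
#define EVENTLOG_ERROR_TYPE       0x0001
#define EVENTLOG_WARNING_TYPE     0x0002
#define EVENTLOG_INFORMATION_TYPE 0x0004
#define EVENTLOG_AUDIT_SUCCESS    0x0008
#define EVENTLOG_AUDIT_FAILURE    0x0010
#define KNOWN_TYPES               0x001F  /* hypothetical: OR of the five bits above */
/* Hypothetical result flags; several can be set at once. */
enum { SRC_OK = 0, SRC_EMPTY_NAME = 1, SRC_HIERARCHICAL = 2, SRC_IS_LOGFILE = 4,
       SRC_NO_MESSAGE_FILE = 8, SRC_BAD_TYPES = 16 };

/* Registry key names compare case-insensitively. */
static int same_key(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Count the non-empty entries of a semicolon-separated EventMessageFile value. */
int count_message_files(const char *value) {
    int n = 0;
    while (value && *value) {
        size_t len = strcspn(value, ";");
        if (len > 0) n++;
        value += len + (value[len] == ';');
    }
    return n;
}

/* Return a bitmask of SRC_* problems for a proposed event source registration. */
int lint_event_source(const char *name, const char *event_message_file,
                      unsigned long types_supported,
                      const char *const *logfiles, size_t n_logs) {
    int problems = SRC_OK;
    if (!name || !*name) return SRC_EMPTY_NAME;
    if (strchr(name, '\\')) problems |= SRC_HIERARCHICAL;   /* no backslash allowed */
    for (size_t i = 0; i < n_logs; i++)                      /* not a logfile name */
        if (same_key(name, logfiles[i])) problems |= SRC_IS_LOGFILE;
    if (count_message_files(event_message_file) == 0) problems |= SRC_NO_MESSAGE_FILE;
    if (types_supported == 0 || (types_supported & ~(unsigned long)KNOWN_TYPES))
        problems |= SRC_BAD_TYPES;                           /* one or more known bits */
    return problems;
}

int main(void) {  /* constructed sample input */
    const char *logs[] = { "Application", "Security", "System" };
    printf("%d\n", lint_event_source("System\\Drv", "", 0x20, logs, 3));
    return 0;
}
```

A result of SRC_NO_MESSAGE_FILE corresponds to the case in the last paragraph, where Event Viewer has no message file from which to build a description string.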