0

This is a continuation of RegisterEventSource(0, "App1.exe") => what if there are multiple "App1.exe"s under ...\Eventlog registry key?.

I have another question about the "EventMessageFile" value names in the Registry. For example, Chrome has an EventMessageFile value right under the Chrome subkey, while Windows PowerShell has it under one lower level, that is under the Windows PowerShell\PowerShell subkey.

Will RegisterEventSource() search through all the deepest levels until it finds the first EventMessageFile value? What if there exists multiple EventMessageFile values under the same log? Will it search depth first or width first? Neither MSDN nor internet tells anything about this.

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
HaeRim Lee
  • 53
  • 6

1 Answers1

1

The details about EventMessageFile are documented on MSDN:

Event Sources

Each event source contains information (such as a message file) specific to the software that will be logging the events, as shown in the following table.

Registry Value Description
EventMessageFile Path to one or more event message files; use a semicolon to delimit multiple files. An event message file contains language-dependent strings that describe the events. This value can be of type REG_SZ or REG_EXPAND_SZ.

Both examples you present are storing the EventMessageFile value in an event source key:

  • Application\Chrome is an event source named Chrome of the Application log.
  • Windows PowerShell\PowerShell is an event source named PowerShell of the Windows PowerShell log.

So, to answer your question: "Will it search depth first or width first?" - the answer is Neither. There can only be 1 EventMessageFile per event source, but there can be multiple event sources per log. ReportEvent() will simply use the EventMessageFile of whichever event source RegisterEventSource() successfully opens a handle to. It doesn't have to search the Registry for the value at all, it already knows the exact key to look for it in.

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
  • Hi @Remy Lebeau, could you help me with the following ticket? No one answers yet and need your help. https://stackoverflow.com/questions/70000713/event-log-file-not-created-how-to-fix – HaeRim Lee Nov 17 '21 at 17:18