In the System event log is an event with the following details:

Source: Kernel-General
Event ID: 1
Details: The system time has changed to 2010-07-17T02:58:20.285000000Z from 2010-07-17T02:58:20.285868600Z.

The EVENTLOGRECORD also has a 1 for the EventID field, so it matches what we see in the Event Log viewer.

So far so good.

The problem is, when you look in advapi32.dll, which is where this source gets its messages from, you see this:

ID:01000001
String: The system time has changed to %1 from %2.

How does the Event Log Viewer magically know to add those extra bits to the ID to find the right string? Not all event strings have that upper bit, and some have other upper bits set.

Calling FormatMessage with 1 fails. Calling it with 0x01000001 succeeds. But that's not what the event log record contains... :(

No docs that I can find discuss this at all (other than describing the ID format, which shows error/severity/facility/code bits).

A: 

Like you I can't find it documented anywhere, but it looks like Event Viewer maps the EventType member of the EVENTLOGRECORD structure to the Severity bits of the message table identifier.

So for example, Service Control Manager event 7035 is of type "Information", which maps to Severity value 1, yielding a message ID of 0x40001B7B, which is indeed the text that Event Viewer displays from netevent.dll: The %1 service was successfully sent a %2 control.

Similarly, event 7000 is of type "Error", mapping to Severity 3 and a message ID of 0xC0001B58: The %1 service failed to start due to the following error: %n%2

Of course that doesn't quite fit with your example; are you sure you've got your 0s and 1s in the right place?

Brian Nixon
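The mapping the answer describes, as an added example that is not part of the original post: it rebuilds the message-table ID from an EVENTLOGRECORD's EventID and EventType using the severity-only rule, and decodes any message ID into the fields the message compiler defines. The function names and the Warning -> 2 mapping are assumptions.

```python
# Added example, not from the original post: rebuild the message-table ID that
# Event Viewer appears to look up from an EVENTLOGRECORD's EventID/EventType
# (the answer's heuristic) and decode any message ID into its defined fields.
from typing import NamedTuple

# EventType values from the EVENTLOGRECORD structure (winnt.h).
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004

# Severity field of a message ID: 0 Success, 1 Informational, 2 Warning, 3 Error.
# Information -> 1 and Error -> 3 are what the answer observed; Warning -> 2 is
# an assumption from the same layout, not confirmed by the post.
SEVERITY_FOR_EVENT_TYPE = {
    EVENTLOG_INFORMATION_TYPE: 1,
    EVENTLOG_WARNING_TYPE: 2,
    EVENTLOG_ERROR_TYPE: 3,
}

class MessageIdFields(NamedTuple):
    severity: int  # bits 31-30
    customer: int  # bit 29
    reserved: int  # bit 28
    facility: int  # bits 27-16
    code: int      # bits 15-0

def message_id_from_record(event_id: int, event_type: int) -> int:
    """Severity-only reconstruction: Customer, Reserved and Facility stay zero."""
    return (SEVERITY_FOR_EVENT_TYPE[event_type] << 30) | (event_id & 0xFFFF)

def decode_message_id(message_id: int) -> MessageIdFields:
    """Split a 32-bit message-table ID into its documented fields."""
    return MessageIdFields(
        severity=(message_id >> 30) & 0x3,
        customer=(message_id >> 29) & 0x1,
        reserved=(message_id >> 28) & 0x1,
        facility=(message_id >> 16) & 0xFFF,
        code=message_id & 0xFFFF,
    )

if __name__ == "__main__":
    # Service Control Manager cases from the answer.
    print(hex(message_id_from_record(7035, EVENTLOG_INFORMATION_TYPE)))  # 0x40001b7b
    print(hex(message_id_from_record(7000, EVENTLOG_ERROR_TYPE)))        # 0xc0001b58
    # The asker's advapi32 entry 0x01000001 has a non-zero Facility (0x100),
    # which the severity-only rule cannot reproduce from EventID 1.
    print(decode_message_id(0x01000001))
```

Decoding the asker's 0x01000001 shows why the rule breaks down there: the extra bit sits in the Facility field, which nothing in the record predicts.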
Hmmm, yes that does work in some circumstances. Unfortunately, not all as far as I can tell. Looking in advapi32.dll, there are values where the upper byte is 0D, 76, B5, D4, just to name a few. That would seem to indicate that the reserved bit is sometimes used, and even facility codes.
DougN
Which platform is that on? I'm on Windows XP, and the message table entries in advapi32.dll all have either 0x40 or 0x80 as the top byte.
Brian Nixon
You make a good point. I'm on Windows 2008 (and I did know that things changed). I've gone through and randomly checked about 50 DLLs in the System32 directory. CertEnroll and AdvApi32 happen to have all sorts of odd numbers, but most of the rest seem to have upper values of 0, 1, 3, 4, 5, 8, 9, B, C. So the Reserved and Customer bits are being used too. Maybe the moral of the story is you really MUST use the new API if looking at Vista/2008 or newer.
DougN
I've contacted Microsoft to see if there is any additional info on predicting event IDs. I'll report back.
DougN