发表新帖
发表新帖

Description for event id from source cannot be found

后端 未结
关注
11 623
[愿得一人]
[愿得一人] 2020-11-29 01:55

When I write a log into windows event log, I get the event below, what\'s the root cause of this message, and how can I fix it? Many Thanks

The descri

11条回答
  • 庸人自扰
    庸人自扰 (楼主)
    2020-11-29 02:37

    I also stumbled on this - although caused by yet another possibility: the event identifier (which was "obfuscated" in a #define) was setting severity to error (the two high-order bits as stated in Event Identifiers). As Event Viewer displays the event identifier (the low-order 16 bits), there couldn't be a match...

    For reference, I've put together a set of tips based in my own research while troubleshooting and fixing this:

    1. If your log entry doesn't end with "the message resource is present but the message is not found in the string/message table" (as opposed to the original question):

      • Means that you're missing registry information
      • Double-check event source name and registry keys

    2. If you need to add/edit registry information, remember to:

      • Restart Event Viewer (as stated in item 6 of KB166902 and also by @JotaBe)
      • If it doesn't help, restart Windows Event Log/EventLog service (or restart the system, as hinted by @BrunoBieri).

    3. If you don't wish to create a custom DLL resource, mind that commonly available event message files have some caveats:

      • They hold a large array of identifiers which attempts to cover most cases
        • .NET EventLogMessages.dll (as hinted by @Matt) goes up to 0xFFFF
        • Windows EventCreate.exe "only" goes up to 0x3E9
      • Every entry contains %1
        • That means that only the first string will be displayed
        • All strings passed to ReportEvent can still be inspected by looking into event details (select the desired event, go to Details tab and expand EventData)

    4. If you're still getting "cannot be found" in your logged events (original question):

      • Double-check event identifier values being used (in my case it was the Qualifiers part of the event identifier)
      • Compare event details (select the desired event, go to Details tab and expand System) with a working example

    0 讨论(0)
 看不清?
提交回复
热议问题