Unable to fetch the Event Log - Event Description

I am trying to enumerate the Events from the Event Logs. While fetching the
event description I am getting errors such as,

The description for Event ID ( 9002 ) in Source ( Desktop Window Manager )
cannot be found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote computer.
You may be able to use the /AUXSOURCE= flag to retrieve this description;
see Help and Support for details. The following information is part of the
event: .

I am fetching the resource name from the "EventMessageFile" String value
under the particular source type under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application. I
then use the LoadLibraryEx API to load the library and then pass the
returned handle to FormatMessage API to retrieve the event description. The
FormatMessage API is returning 0 indicating a failure. This behaviour can be
reproduced using the native eventvwr.msc tool. I tried to test from win2k
sp4 and winxp sp2 machines. The behaviour is same for my code as well as the
native tool.

Any ideas why is this logic failing.

Thanks & Regards,
Vineet Kumar Das

Does anybody have any updates on this? I checked out the new native
functions in the Windows Event Log SDK (EvtXXX functions).The Windows SDK
requires the following:

1.. One of the following operating systems: Windows Vista Beta 2, Windows
Server 2003 Service Pack 2, or Windows XP Professional Service Pack 2.
2.. Microsoft .NET Framework version 2.0.

Also, the EvtXXX functions has the following requirements,

1.. Client: Requires Windows "Longhorn".
2.. Server: Requires Windows Server "Longhorn".

Is there no way i can access the Windows Vista Event Log from my Windows
2000 machines.I even tried to get the required information using WMI. The
WMI reported data is better but still not complete. I could fetch the
message descriptions for some of the events but some had empty descriptions.

This is really urgent. Could anyone please help me on this?


"Vineet Das" <vineet_das@hotmail.com> wrote in message
news:OHjK5RfwGHA.4408@TK2MSFTNGP02.phx.gbl...
>I am trying to enumerate the Events from the Event Logs. While fetching the
>event description I am getting errors such as,
>
> The description for Event ID ( 9002 ) in Source ( Desktop Window Manager )
> cannot be found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following information
> is part of the event: .
>
> I am fetching the resource name from the "EventMessageFile" String value
> under the particular source type under
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
> I then use the LoadLibraryEx API to load the library and then pass the
> returned handle to FormatMessage API to retrieve the event description.
> The FormatMessage API is returning 0 indicating a failure. This behaviour
> can be reproduced using the native eventvwr.msc tool. I tried to test from
> win2k sp4 and winxp sp2 machines. The behaviour is same for my code as
> well as the native tool.
>
> Any ideas why is this logic failing.
>
> Thanks & Regards,
> Vineet Kumar Das
>

Hey Jimmy! I see you have answered some of the queries regarding Event Log
on Vista. Could you help me on this one.

"Vineet Das" <vineet_das@hotmail.com> wrote in message
news:ue82%23JTxGHA.5044@TK2MSFTNGP05.phx.gbl...
> Does anybody have any updates on this? I checked out the new native
> functions in the Windows Event Log SDK (EvtXXX functions).The Windows SDK
> requires the following:
>
> 1.. One of the following operating systems: Windows Vista Beta 2, Windows
> Server 2003 Service Pack 2, or Windows XP Professional Service Pack 2.
> 2.. Microsoft .NET Framework version 2.0.
>
> Also, the EvtXXX functions has the following requirements,
>
> 1.. Client: Requires Windows "Longhorn".
> 2.. Server: Requires Windows Server "Longhorn".
>
> Is there no way i can access the Windows Vista Event Log from my Windows
> 2000 machines.I even tried to get the required information using WMI. The
> WMI reported data is better but still not complete. I could fetch the
> message descriptions for some of the events but some had empty
> descriptions.
>
> This is really urgent. Could anyone please help me on this?
>
>
> "Vineet Das" <vineet_das@hotmail.com> wrote in message
> news:OHjK5RfwGHA.4408@TK2MSFTNGP02.phx.gbl...
>>I am trying to enumerate the Events from the Event Logs. While fetching
>>the event description I am getting errors such as,
>>
>> The description for Event ID ( 9002 ) in Source ( Desktop Window
>> Manager ) cannot be found. The local computer may not have the necessary
>> registry information or message DLL files to display messages from a
>> remote computer. You may be able to use the /AUXSOURCE= flag to retrieve
>> this description; see Help and Support for details. The following
>> information is part of the event: .
>>
>> I am fetching the resource name from the "EventMessageFile" String value
>> under the particular source type under
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application.
>> I then use the LoadLibraryEx API to load the library and then pass the
>> returned handle to FormatMessage API to retrieve the event description.
>> The FormatMessage API is returning 0 indicating a failure. This behaviour
>> can be reproduced using the native eventvwr.msc tool. I tried to test
>> from win2k sp4 and winxp sp2 machines. The behaviour is same for my code
>> as well as the native tool.
>>
>> Any ideas why is this logic failing.
>>
>> Thanks & Regards,
>> Vineet Kumar Das
>>
>
>

Sorry, another user had a similar problem and I couldn't figure it out
either. The only information I found relating to the error was in the KB
article I posted about.

However, I did just yesterday find out that MS re-numbered the event log
ID's in Vista, and that these numbers are bigger than the old event log
could display. This seems to me like it might cause problems, but I don't
know for sure. I will see if I can get clarification.

Just out of curiosity ... are all the ID's that downlevel clients won't
display bigger than the ID's that it can?

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

Hi Jimmy,

Thanks for the reply. Which IDs are talking about? I am actually unable to
get description for all the events. The Event IDs are more or less the same
as used in downlevel clients. For example, The event id 1025.

I had read in some site that the Event Log architecture has changed. Is this
creating problems? I am using the simple SDK Event Logging Functions like,
OpenEventLog, CloseEventLog, ReadEventLog, etc for enumerating the Event on
the Vista Machine. This works fine. But the logic for fetching the
description is failing. As mentioned in the previous posts I am trying to
read the description from the EventMessageFile available through the
registry. I tried to look into the EventMessageFile resource directly using
a resource hacker tool. I could not find any message table (string table)
resource in that dll from where I am trying to fetch the format strings.
This is why the logic is failing.

So now, I am just curious as how Vista is storing the event descriptions.
For example, check out the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\.NET
Runtime. In this you'll find a string value
EventMessageFile="C:\Windows\system32\mscoree.dll". Ideally this dll should
have all the resource strings related to the events for the ".NET Runtime"
related events. But in Vista this does not have those resources.

Can you please confirm that Vista does not store the resource strings
anymore in the EventMessageFile? Also, it would be great if you let me know
how could I get these resource strings on Vista.

Thanks & Regards,
Vineet Kumar Das

"Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
news:650EAAA0-F5B3-40A2-A774-3A323007AAAC@microsoft.com...
> Sorry, another user had a similar problem and I couldn't figure it out
> either. The only information I found relating to the error was in the KB
> article I posted about.
>
> However, I did just yesterday find out that MS re-numbered the event log
> ID's in Vista, and that these numbers are bigger than the old event log
> could display. This seems to me like it might cause problems, but I don't
> know for sure. I will see if I can get clarification.
>
> Just out of curiosity ... are all the ID's that downlevel clients won't
> display bigger than the ID's that it can?
>
> - JB
>
> Vista Support FAQ
> http://www.jimmah.com/vista/