How to Create Custom Event Logs

Keywords: 	 custom event logs read event log

---

After some digging, I found a simple, but kind of convoluted way to create custom win2k event logs using Winbatch and the wntEventWrite function. You need Visual C++ 6.0 in order to create the custom log files.

General instructions on how to create an event log are found here:

http://www.johnjohnston.com/w2kevtlog.html 

I distilled these instructions (quick and dirty), as well as added the appropriate sample Winbatch code below:

Custom Win2k Event Logs & WinBatch

Original instructions by John Johnston. Used with permission.

This is just quick and dirty instructions. See John's original instructions for a more detailed explanation.

Visual C++ 6.0

1. Create Project
   1. File - New
   2. Projects tab, select "Win32 Console Application"
   3. Enter a Project Name, e.g., EvtTest
   4. Click OK
   5. Select "An Application that supports MFC"
   6. Click Finish
2. Setup Message Compiler
   (NOTE: This need only be done once.)
   1. Tools - Customize
   2. Tools tab
   3. New icon
   4. Menu Contents: Message Compiler
   5. Command: "C:\Program Files\Microsoft Visual Studio\VC98\Bin\mc.exe"
   6. Arguments, select "File Name"
   7. Initial Directory, select "File Directory"
   8. Check "Use Output Window"
3. Create Message File
   1. File - New - Text File
   2. Enter a file name, e.g., EvtTestMsg.mc
      (NOTE: filename must use .mc extension!)
   3. Example message file
   4. Tools - Message Compiler
4. Include Message File
   1. In project workspace, click Resource tab
   2. Right-click resources entry
   3. Select "Resource Includes"
   4. Add to "Read-only symbol directives:" #include "<filename>.rc"
      where <filename> is the name of the Message File, e.g., EvtTestMsg
   5. Click OK to warning
5. Build Executable
   1. Build - Build <projname>.exe
      where <projname> is the name of the project, e.g., EvtTest
   2. File will be saved to C:\Program Files\Microsoft Visual Studio\My Projects\<projectname>\Debug
      where <projname> is the name of the project, e.g., EvtTest

WinBatch

Sample code:

; set base key path rootKey = "SYSTEM\CurrentControlSet\Services\Eventlog\Application\EvtTest" ; create/open key handle key = RegCreateKey ( @REGMACHINE, rootKey ) ; set CategoryCount DWORD value RegSetEx ( key, "[CategoryCount]", "1", "", "4" ) ; set CategoryMessageFile EXPAND_SZ value RegSetEx ( key, "[CategoryMessageFile]", "c:\temp\evttest.exe", "", "2" ) ; set EventMessageFile EXPAND_SZ value RegSetEx ( key, "[EventMessageFile]", "c:\temp\evttest.exe", "", "2" ) ; set TypeSupported DWORD value RegSetEx ( key, "[TypesSupported]", "7", "", "4" ) ; close handle RegCloseKey ( key ) ; add extender AddExtender ( "WWWNT34i.DLL" ) ; write event to Application log using custom source & event ID wntEventWrite ( "", "EvtTest", 262144, 100, "Additional info.")

NOTE: using %1 in the text of the event description (see message file example) allows you to pass custom information to be included via the last parameter of the wntEventWrite function. Looking at sample output below, you see that the description contains a concatenation of the two strings.

Message text escape sequences

from Message Compiler help file

%%	Generates a single percent sign in the formatted message text.
%\	Generates a hard line break when it occurs at the end of a a line.
%r	Generates a hard carriage return, without a trailing newline character.
%b	Generates a space character in the formatted message text. This can be used to insure there are the appropriate number of trailing spaces in a message text line.
%.	Generates a single period character in the formatted message text. This can be used to get a period at the beginning of a line without terminating the message definition.
%!	Generates a single exclamation point in the formatted message text. This can be used to specify an exclamation point immediately after an insert.

 

Sample Output

All of the above together generates the following event in the Application log:

Event Type: Information Event Source: EvtTest Event Category: None Event ID: 100 Date: 5/2/2002 Time: 1:48:04 PM User: N/A Computer: WIN2KTEST Description: This message came from the Message File. Additional info.

---

Article ID:   W15293