How to Create Custom Event Logs

Keywords: 	 custom event logs read event log

After some digging, I found a simple, but kind of convoluted way to create custom win2k event logs using Winbatch and the wntEventWrite function. You need Visual C++ 6.0 in order to create the custom log files.

Custom Win2k Event Logs & WinBatch

Visual C++ 6.0

Create Project
1. File - New
2. Projects tab, select "Win32 Console Application"
3. Enter a Project Name, e.g., EvtTest
4. Click OK
5. Select "An Application that supports MFC"
6. Click Finish
Setup Message Compiler
(NOTE: This need only be done once.)
1. Tools - Customize
2. Tools tab
3. New icon
4. Menu Contents: Message Compiler
5. Command: "C:\Program Files\Microsoft Visual Studio\VC98\Bin\mc.exe"
6. Arguments, select "File Name"
7. Initial Directory, select "File Directory"
8. Check "Use Output Window"
Create Message File
1. File - New - Text File
2. Enter a file name, e.g., EvtTestMsg.mc
  (NOTE: filename must use .mc extension!)
3. Example message file
4. Tools - Message Compiler
Include Message File
1. In project workspace, click Resource tab
2. Right-click resources entry
3. Select "Resource Includes"
4. Add to "Read-only symbol directives:" #include "<filename>.rc"
  where <filename> is the name of the Message File, e.g., EvtTestMsg
5. Click OK to warning
Build Executable
1. Build - Build <projname>.exe
  where <projname> is the name of the project, e.g., EvtTest
2. File will be saved to C:\Program Files\Microsoft Visual Studio\My Projects\<projectname>\Debug
  where <projname> is the name of the project, e.g., EvtTest

WinBatch

Sample code:

; set base key path
rootKey = "SYSTEM\CurrentControlSet\Services\Eventlog\Application\EvtTest"

; create/open key handle
key = RegCreateKey ( @REGMACHINE, rootKey )

; set CategoryCount DWORD value
RegSetEx ( key, "[CategoryCount]", "1", "", "4" )

; set CategoryMessageFile EXPAND_SZ value
RegSetEx ( key, "[CategoryMessageFile]", "c:\temp\evttest.exe", "", "2" )

; set EventMessageFile EXPAND_SZ value
RegSetEx ( key, "[EventMessageFile]", "c:\temp\evttest.exe", "", "2" )

; set TypeSupported DWORD value
RegSetEx ( key, "[TypesSupported]", "7", "", "4" )

; close handle
RegCloseKey ( key )

; add extender
AddExtender ( "WWWNT34i.DLL" )

; write event to Application log using custom source & event ID
wntEventWrite ( "", "EvtTest", 262144, 100, "Additional info.")

NOTE: using %1 in the text of the event description (see Example message file) allows you to pass custom information to be included via the last parameter of the wntEventWrite function. Looking at sample output below, you see that the description contains a concatenation of the two strings.

Message text escape sequences

from Message Compiler help file

`%%`	Generates a single percent sign in the formatted message text.
`%\`	Generates a hard line break when it occurs at the end of a a line.
`%r`	Generates a hard carriage return, without a trailing newline character.
`%b`	Generates a space character in the formatted message text. This can be used to insure there are the appropriate number of trailing spaces in a message text line.
`%.`	Generates a single period character in the formatted message text. This can be used to get a period at the beginning of a line without terminating the message definition.
`%!`	Generates a single exclamation point in the formatted message text. This can be used to specify an exclamation point immediately after an insert.

Sample Output

All of the above together generates the following event in the Application log:

Event Type:     Information
Event Source:   EvtTest
Event Category: None
Event ID:       100
Date:           5/2/2002
Time:           1:48:04 PM
User:           N/A
Computer:       WIN2KTEST
Description:
This message came from the Message File.  Additional info.

Article ID:   W15293

File Created: 2017:08:29:11:58:58

Last Updated: 2017:08:29:11:58:58

Database Search

TechHome