开发者

Event IDs don't match what is displayed in Event Viewer

开发者 https://www.devze.com 2023-01-11 14:18 出处:网络
In the System event log is an event with the following details: Source: Kernel-General Event ID: 1 Details: The system time has changed to ‎2010‎-‎07‎-‎17T02:58:20.285000000Z from ‎2010‎-‎07‎

In the System event log is an event with the following details:

Source: Kernel-General
Event ID: 1
Details: The system time has changed to ‎2010‎-‎07‎-‎17T02:58:20.285000000Z from ‎2010‎-‎07‎-‎17T02:58:20.285868600Z.

The EVENTLOGRECORD also has a 1 for the EventID field, so it matches what we see in the Event Log viewer.

So far so good.

The problem is, when you look in advapi32.dll which is where this source gets it's messages from, you see this:

ID:01000001
String: The system time has changed to %1 from %2.

How does the Event Log Viewer magically know to add those extra bits to the ID to find the right string? Not all event strings have that upper bit, and some have other upper bits set.

Calling FormatMessage with 1 fails. Calling it with x01000001 succeeds. But that's not what the event log reco开发者_如何学运维rd contains... :(

No docs that I can find discuss this at all (other that describing the ID format which shows error/severity/facility/code bits).


Supposedly, in Windows XP and earlier the Event ID was directly mapped to the Message ID within the message table. With Vista and later there are two ways that the Event ID can be mapped to the Message ID.

  1. Event Qualifiers (this is probably what looks like the severity being masked like Brian originally mentioned)
  2. Windows Event Template Resource

This article describes the two ways in more detail: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#message-string-identifier

For this "The system time has changed..." event in particular, Windows 10 is using the Windows Event Template Resource. If you lookup the EventMessageFile key, in the registry, for this event (based on the Event Source = Microsoft-Windows-Kernel-General) you find the Provider DLL.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-Kernel-General

You can then use the windows event utility to look at the contents of the provider dll (adding the /gm:true flag will display the message text):

wevtutil gp Microsoft-Windows-Kernel-General /ge:true

The output shows that Event ID 1 with an Event Task 5 has a Message ID = 16777217 (0x01000001).


Like you I can't find it documented anywhere, but it looks like Event Viewer maps the EventType member of the EVENTLOGRECORD structure to the Severity bits of the message table identifier.

So for example, Service Control Manager event 7035 is of type "Information", which maps to Severity value 1, yielding a message ID of 0x40001B7B, which is indeed the text that Event Viewer displays from netevent.dll: The %1 service was successfully sent a %2 control.

Similarly, event 7000 is of type "Error", mapping to Severity 3 and a message ID of 0xC0001B58: The %1 service failed to start due to the following error: %n%2

Of course that doesn't quite fit with your example; are you sure you've got your 0s and 1s in the right place?

0

精彩评论

暂无评论...
验证码 换一张
取 消