Can I list all registered event sources?

Question

My windows service writes to the event log, but I've had various problems getting this correct. So in the process I used a number of different names. I followed an article describing how to set up event logs in windows services. So after adding an EventLog component in the designer, I have added this to the constructor:

if (!System.Diagnostics.EventLog.SourceExists("AS0604"))
   System.Diagnostics.EventLog.CreateEventSource("AS0604", "SIRR");

eventLog1.Source = "AS0604";
eventLog1.Log = "SIRR";
eventLog1.WriteEntry("AS is initializing...", EventLogEntryType.Information, 16);

I found out that there is trouble if the source has the same name as the service name of the windows service. But I kept changing the names a lot for both the Log and the Source. The

EventLog[] eventLogs = EventLog.GetEventLogs();

Lists the eventlogs and I was able to remove those I didn't use with EventLog.Delete command.

But how does this work? Are there still registered sources in these deleted logs? Can I get a list of registered sources?

Answer 1

Since the accepted answer is lost, here is another. Unfortunately I found no alternative to examining the Windows Registry directly.

• PowerShell (Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\<EventLogName>).pschildname

E.g. to list the Windows Application Event Log's Sources:

• PowerShell (Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application).pschildname

I threw this up after reading several sources. Unfortunately none were very clear or direct.

Answer 2

I don't have a C# answer, but here is a WMI solution:

$Sources = Get-WmiObject -Namespace "root\cimv2" -Class "Win32_NTEventLOgFile" | Select-Object FileName, Sources | ForEach-Object -Begin { $hash = @{}} -Process { $hash[$_.FileName] = $_.Sources } -end { $Hash }

This will list the source even if there is no entry currently in the log for the given source.