I am trying to read the System Event Logs in C# .NET 3.5 with the following method: EventLog.GetEventLogs. This seems to be working perfectly for all kinds of Event Logs that I want to take a look at. There is but one exception: Microsoft-Windows-Kernel-Power Event Logs, which can be read but produce the following Message:
Microsoft-Windows-Kernel-Power The description for Event ID 'X' in Source 'Microsoft-Windows-Kernel-Power' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'Y', 'Z'
instead of the correct Message displayed in the Windows Event Viewer.
Code looks like this:

    var myEventLogs = new List<myModels.EventLogEntry>();
    foreach (var eventLog in EventLog.GetEventLogs())
    {
        // Entries is a non-generic collection, so the element type is stated explicitly.
        foreach (EventLogEntry entry in eventLog.Entries)
        {
            // Skip entries that do not mention Kernel-Power in their source or message.
            if (entry.Source.IndexOf("kernel-power", StringComparison.OrdinalIgnoreCase) == -1 &&
                entry.Message.IndexOf("kernel-power", StringComparison.OrdinalIgnoreCase) == -1)
                continue;
            myEventLogs.Add(new myModels.EventLogEntry(entry.Source, entry.Message));
        }
    }
This is happening even if I run the application as administrator. I am at a loss here. I have searched far and wide all over the internet and found a couple posts that seem to have similar issues but most are for writing Event Logs instead of having problems reading them. Is anyone familiar with that kind of problem or can point me in the right direction? All my registry keys etc seem to be set up correctly (and it is also showing the same results on a different PC).
EDIT: Windows Version 10.0.18363 Build 18363 but it is happening on multiple PCs (I am not sure what Windows version the others are using). In fact, I have not found a single one which is working (tested 5 so far).
Mostly, the Kernel-Power 41 error is caused by the wrong device drivers on your computer, especially an old or corrupted sound card driver. So you can try to update all the available drivers on your computer to solve this problem.
The kernel power event ID 41 error occurs when the computer is shut down, or it restarts unexpectedly. When a computer that is running Windows starts, a check is performed to determine whether the computer was shut down cleanly. If the computer was not shut down cleanly, a Kernel Power Event 41 message is generated.
What Is a Kernel-Power Critical Error? The Kernel-Power critical error is a system error that causes your system to crash. The error can trigger under a range of circumstances, though all relate to a power issue.
I couldn't find any specification either, but I got a hack which shows plausible messages here. The issue looks like either a bug in EventLogEntry from the CLR or non-uniform message handling of kernel-power events.

I reproduced the issue, and this is what was happening under the hood on my machine:

E.g. there is a 109 (0x6D) event in the event log:

EventLogEntry gets a path to a dll with string resources from HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-Kernel-Power\EventMessageFile (in the CLR sources of EventLogEntry, as here and here).

The dll path on my machine is %systemroot%\system32\microsoft-windows-kernel-power-events.dll; it's successfully found and loaded, but there is no 0x6D string id inside. However, there is a string with the same text but with a 0x02 00 00 00 prefix in its id (string resources from the native dll were enumerated using this article):
ID 0x0200006d (33554541) Language: 0409
The kernel power manager has initiated a shutdown transition.
So if the 0x02 00 00 00 bit is set manually in the event id, it might produce meaningful messages. The code below does this, but again this is an ugly hack; it should not be used in real-life software, as it's based solely on assumptions and not tested in all cases, and it manipulates the private state of EventLogEntry:
    var myEventLogs = new List<myModels.EventLogEntry>();
    foreach (var eventLog in EventLog.GetEventLogs())
    {
        foreach (EventLogEntry entry in eventLog.Entries)
        {
            if (entry.Source.IndexOf("kernel-power", StringComparison.OrdinalIgnoreCase) == -1 &&
                entry.Message.IndexOf("kernel-power", StringComparison.OrdinalIgnoreCase) == -1)
                continue;
            // Private fields of EventLogEntry: the raw record buffer and the record's offset in it.
            var dataBuf = entry.GetPrivateField<byte[]>("dataBuf");
            var bufOffset = entry.GetPrivateField<int>("bufOffset");
            // Most significant byte of the little-endian event id; saved so it can be restored.
            byte previousMagicByte = dataBuf[bufOffset + EVENTID + 3];
            try
            {
                dataBuf[bufOffset + EVENTID + 3] |= 0x02; //as strings in microsoft-windows-kernel-power-events.dll have 0x02****** ids
                myEventLogs.Add(new myModels.EventLogEntry(entry.Source, entry.Message));
            }
            finally
            {
                // Always put the original byte back so the entry is left unmodified.
                dataBuf[bufOffset + EVENTID + 3] = previousMagicByte;
            }
        }
    }
    ...
    // Offset of the EventID field inside the raw EVENTLOGRECORD.
    internal const int EVENTID = 20;

    // Extension method: must be declared in a static, non-generic class
    // (requires System.Reflection).
    public static T GetPrivateField<T>(this object obj, string fieldName)
    {
        if (fieldName == null)
            throw new ArgumentNullException(nameof(fieldName));
        var fieldInfo = obj.GetType().GetField(fieldName, BindingFlags.Instance | BindingFlags.NonPublic);
        if (fieldInfo == null)
            throw new ArgumentException($"Type {obj.GetType().FullName} doesn't have {fieldName} private instance field");
        object result = fieldInfo.GetValue(obj);
        return (T)result;
    }
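
An added example, not part of the original answer: the same Kernel-Power events read through System.Diagnostics.Eventing.Reader (System.Core.dll, available since .NET 3.5), which formats descriptions through the newer Windows Event Log API instead of the EventMessageFile lookup described above, so no private state has to be patched. The class name KernelPowerReader and the assumption that these events live in the "System" log are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader; // System.Core.dll, .NET 3.5+

static class KernelPowerReader
{
    // Assumption: Kernel-Power events are recorded in the "System" log.
    const string LogName = "System";
    // XPath filter evaluated by the event log service, not in managed code.
    const string Query = "*[System/Provider[@Name='Microsoft-Windows-Kernel-Power']]";

    public static List<KeyValuePair<int, string>> Read()
    {
        var results = new List<KeyValuePair<int, string>>();
        var query = new EventLogQuery(LogName, PathType.LogName, Query);
        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    string text;
                    try
                    {
                        // Rendered from the provider's registered metadata.
                        text = record.FormatDescription();
                    }
                    catch (EventLogException ex)
                    {
                        // Keep the event instead of dropping it when rendering fails.
                        text = "<description unavailable: " + ex.Message + ">";
                    }
                    if (text == null)
                        text = "<no description template for this event>";
                    results.Add(new KeyValuePair<int, string>(record.Id, text));
                }
            }
        }
        return results;
    }

    static void Main()
    {
        foreach (var e in Read())
            Console.WriteLine("{0}: {1}", e.Key, e.Value);
    }
}
```

For log collection or forensic tooling, keeping events whose description cannot be rendered (rather than skipping them) avoids silent gaps in the timeline.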