The message resource is present but the message is not found in the string/message table

Question

There is a event provider called "Service Control Manager" under System event log. Its EventMessageFile is %SystemRoot%\system32\services.exe. It contains an event with id = 7036 and this event is "The %1 service entered the %2 state". You can generate it very simple by stopping or running any services in services.msc.

All that I want is to write that event to System event log by myself.

Here is my simple logging code:

 public static void Main()
 {      
     EventLog myNewLog = new EventLog("System", ".", "Service Control Manager");

     myNewLog.WriteEntry("Test",EventLogEntryType.Information, 7036);
 }

I run the application with "Run as administrator". Event was written to System log with right event id, source, etc. But the description was "the message resource is present but the message is not found in the string/message table" insted of "The Test service entered the %2 state".

What is my mistake?

Answer 1

The mistake is that you can't achieve that with WriteEntry because you need to provide multiple parameters as well as the correct EventIdentifier

If you switch to WriteEvent you can achieve where you're after:

 var myNewLog = new EventLog("System", ".", "Service Control Manager");

 myNewLog.WriteEvent( new EventInstance( (1 << 30) + 7036 ,0)
                    , null
                    , new object[] { "foobar","running" }
                    );

Note that the Eventinstance is fed with an EventIdentifier which has in its lowest 16 bits the 7036 you found but bit 30 (Customer bit) needs to be 1 indicating we have a customer code.

Running this code as administrator gives in the eventlog:

The foobar service entered the running state.

with this xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Service Control Manager" Guid="{some-guid-here}" EventSourceName="Service Control Manager" /> 
  <EventID Qualifiers="16384">7036</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2014-01-13T00:13:56.000000000Z" /> 
  <EventRecordID>999999</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="0" ThreadID="0" /> 
  <Channel>System</Channel> 
  <Computer>internal.example.com</Computer> 
  <Security /> 
</System>
<EventData>
  <Data Name="param1">foobar</Data> 
  <Data Name="param2">running</Data> 
  <Binary /> 
</EventData>
</Event>