Manually Registering a Log Source for Windows Event Viewer

Symptoms

Sometimes Microsoft Windows Event Viewer will display messages like this:

The description for Event ID (42) in Source (CrappyApplication) could not be found.  It contains the following insertion string(s): foo bar baz

Cause

That usually means that Event Viewer could not find the resource DLL containing the message catalog. That typically means one of:

• The DLL was not installed by the software publisher (missing file)
• The DLL exists, but was not registered with the EventLog subsystem

If the former, you're usually out-of-luck. Unless you can find a copy of the needed catalog, there's nothing you can do. Sometimes a catalog was never built. I've encountered multiple cases of (expensive, commercial) applications just dumping arbitrary strings to the log, with no intent to ever make them understandable without the source code.

But if a catalog exists, one can do a quick fix kludge to get it more-or-less working.

Background

Windows Event Log messages are not just a simple text message. They are built from a message catalog, containing the generic text of all possible log messages defined by the application. Information specific to a particular occurance of a message is inserted into the generic message (hence "insertion string"). The big advantage of this approach is, different message catalogs can be provided for different languages, allowing the same error message to be shown in different langauges.

Which is great until it breaks. Then you get the text shown above.

Workaround

First you have to find the message catalog DLL in the filesystem. You're largely on your own there. Look in the program's directories under "Program Files", in C:\WINDOWS\SYSTEM32\, and/or, on the install media for the application. There is no standard naming convention, that I'm aware of.

Once you've found the DLL, you have to register the DLL, as follows:

Find the key for the log channel/file under:

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

For example:

Find the subkey for the Source under that. For example:

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\CrapApp\

If needed, create the subkey for the Source.

Create two entries under the Source subkey:

Set EventMessageFile to the path to the message DLL. Multiple DLLs are allowed, separate them with semicolons (;).

Set TypesSupported to 0x7. This is "all possible severity levels" under old versions of Windows. I have seen other values under Windows 10, at least. I am unsure if the value really matters for display purposes, but most seem to define it.

References