Background
As described in this question, I am trying to use `System.Diagnostics.EventLog#WriteEvent()` as an alternative to the `New-WinEvent` and `Write-EventLog` cmdlets.
Problem
I tried to write the following log with `WriteEvent()`:
- LogName: `Application`
- Source: `Application Error`
- Event ID: `1005`
```powershell
$eventLog = [System.Diagnostics.EventLog]::new('Application')
$eventLog.Source = 'Application Error'
$eventLog.WriteEvent(
    [System.Diagnostics.EventInstance]::new(1005, 0, [System.Diagnostics.EventLogEntryType]::Error),
    @(
        'FilePath.exe',     # FilePath
        'Application Name', # AppName
        0x1234,             # StatusCode
        1                   # MediumType
    )
)
```
But in Event Viewer, I got the following message:
The description for Event ID 1005 from source Application Error cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
FilePath.exe
Application Name
4660
1
The message resource is present but the message was not found in the message table
On the other hand, when I used the `New-WinEvent` cmdlet, I got the following message (this is what I expected).
```powershell
New-WinEvent -ProviderName "Application Error" -Id 1005 -Payload @(
    'FilePath.exe',     # FilePath
    'Application Name', # AppName
    0x1234,             # StatusCode
    1                   # MediumType
)
```
Windows cannot access the file FilePath.exe for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Application Name because of this error.
Program: Application Name
File: FilePath.exe
The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.
Additional Data
Error value: 0x1234
Disk type: 0x1
I tried with other event sources and IDs, and got the following result:
Method/Cmdlet | Source | Event ID | Result |
---|---|---|---|
WriteEvent() | Application Error | 1000 | ✔ |
WriteEvent() | Application Error | 1005 | Message becomes “The description … cannot be found” |
WriteEvent() | Application-Addon-Event-Provider | 1 | ✔ |
New-WinEvent | Application Error | 1000 | No error but can’t set %2, %3, … in the message |
New-WinEvent | Application Error | 1005 | ✔ |
New-WinEvent | Application-Addon-Event-Provider | 1 | ✔ |
Write-EventLog | Application Error | 1000 | No error but can’t set %2, %3, … in the message |
Write-EventLog | Application Error | 1005 | Message becomes “The description … cannot be found” |
Write-EventLog | Application-Addon-Event-Provider | 1 | No error but can’t set %2, %3, … in the message |
Question
I don’t want to use different methods/cmdlets based on the event source/ID. I want to write event logs in a unified way.
Why does `WriteEvent()` for event ID 1005 cause the message `The description for Event ID 1005 from source Application Error cannot be found.`?
Edit
Same as this question, I don’t have administrator privileges in the runtime environment, so I can’t run `New-EventLog` to create a customized LogName.
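A read-only way to compare what the provider declares for IDs 1000 and 1005 with what each write path actually stored in the log, as an added example that is not part of the original question. It needs no administrator rights and assumes at least one event of each ID has already been written to the Application log by the attempts above.

```powershell
# Added diagnostic example; not code from the original post.
$provider = 'Application Error'   # source name taken from the question
$ids      = 1000, 1005            # the two event IDs compared in the question

# 1. What the provider's registered metadata declares for each ID.
#    Several rows for one ID mean several versions of that event are defined.
$meta = Get-WinEvent -ListProvider $provider
"Message file: $($meta.MessageFilePath)"
$meta.Events |
    Where-Object { $ids -contains $_.Id } |
    Select-Object Id, Version,
        @{ Name = 'Level'; Expression = { $_.Level.DisplayName } },
        Description, Template |
    Format-List

# 2. What was actually stored for the most recent event of each ID.
#    Qualifiers, Version and the raw values show how the records written by
#    WriteEvent(), Write-EventLog and New-WinEvent differ from one another.
foreach ($id in $ids) {
    $filter = @{ LogName = 'Application'; ProviderName = $provider; Id = $id }
    $record = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $record) {
        "No event $id from '$provider' found in the Application log"
        continue
    }
    [pscustomobject]@{
        Id         = $record.Id
        Version    = $record.Version
        Qualifiers = $record.Qualifiers
        Values     = ($record.Properties | ForEach-Object { $_.Value }) -join ' | '
        Xml        = $record.ToXml()
    } | Format-List
}
```

Running it once after each write method and comparing the `Qualifiers`, `Version` and `Xml` fields against the provider's declared `Template` shows which fields of the stored record differ between a rendered and an unrendered event.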