The Windows Event Viewer is a very useful tool for viewing log information about application, security and system events. The big advantage of keeping log information in the event log is its user-friendly interface: you can quickly sort and filter the information and search the log by keyword. You can also create custom views that filter on log type, source and so on.

You can also create your own custom event log source to log information from a custom application.

You can create the event log source from the Windows command line, from PowerShell or from application code.

To create one from the command prompt, open a command prompt with administrative rights and execute the following command:

eventcreate /ID 1 /L Application /T INFORMATION /SO MyEventSource /D "Creating my event source."

  • /ID option is the EventID. It can be from 1 to 1000.
  • /L is to indicate the name of the log to write to. It can be the APPLICATION or SYSTEM log.
  • /T is to indicate the type of the event. It can be ERROR, WARNING, INFORMATION, SUCCESSAUDIT or FAILUREAUDIT.
  • /SO is to indicate the name of the source.
  • /D is the description of the event.

The above command adds a subkey to the registry under EventLog\Application.

The path looks like this:

HKLM\System\CurrentControlSet\Services\Eventlog\Application\MyEventSource

You can open the Registry Viewer by running the regedit command from the Run window.

In my case, I needed to create an EventLogSource with an EventID of 0 for my custom .NET application from the Windows command line. I didn’t want to put the responsibility for creating the log source in my application. The eventcreate command didn’t work for me since it requires an ID of 1 to 1000. Since the goal is to add a subkey in the registry under EventLog for my .NET application, I used another Windows command – Reg – to create the registry key.

To delete an existing registry key first, execute the following command:

reg delete HKLM\System\CurrentControlSet\Services\Eventlog\Application\MyLogSource /f

  • /f option is to specify silent execution of the command, without prompting for confirmation.

To create the EventLogSource, execute the following command:

reg add HKLM\System\CurrentControlSet\Services\Eventlog\Application\MyLogSource /v EventMessageFile /t REG_EXPAND_SZ /d C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll /f

  • /v parameter is to specify the name of the entry to be added.
  • /t parameter is to specify the type of registry entry.
  • /d parameter is to specify the data for the entry.

The registry keys can also be created manually in the Registry Viewer interface.

To learn more about the Reg command, click here.
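
The same registration done from PowerShell, which the post lists as an option but does not show. This is an added example, not the author's code: it uses the .NET System.Diagnostics.EventLog class with the MyLogSource name from above, the test message text is made up, and it assumes an elevated session.

```powershell
# Added example: idempotent registration of an event source, then a test event with ID 0.
# MyLogSource / Application are the names used on this page; the message text is made up.
$Source  = 'MyLogSource'
$LogName = 'Application'
$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"

# Writing under HKLM and searching every log for the source both need administrator rights.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) session.'
}

if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
    # A source name can belong to only one log; stop if it is bound elsewhere.
    $boundTo = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
    if ($boundTo -ne $LogName) {
        throw "Source '$Source' is already registered under log '$boundTo'."
    }
} else {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
}

# Confirm the registry subkey exists and that its message file is present on disk.
$entry = Get-ItemProperty -Path $KeyPath -Name EventMessageFile -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Warning "No EventMessageFile value under $KeyPath"
} else {
    $dll = [Environment]::ExpandEnvironmentVariables($entry.EventMessageFile)
    if (-not (Test-Path -LiteralPath $dll)) { Write-Warning "Message file not found: $dll" }
    else { "EventMessageFile: $dll" }
}

# Write a test event with ID 0, the case eventcreate cannot cover.
[System.Diagnostics.EventLog]::WriteEntry($Source, 'Test event from MyLogSource.',
    [System.Diagnostics.EventLogEntryType]::Information, 0)

# Read the most recent events from this source back and show the ones with ID 0.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 0 |
    Select-Object TimeCreated, Id, ProviderName, Message
```

A source created moments ago may not be usable immediately, so an empty result on the first run does not by itself mean the registration failed.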

Any questions or comments are welcome!!!

Happy Logging!!!

 

Delete and Create Event Log Source with Event ID ‘0’ using Command Prompt