Custom event messages with NDIS driver

Question

I'm trying to define a few custom Event Viewer events. I've been following the instructions in MSDN and few other online sources, yet the event viewer can't find the associated text data.

This is what I've done:

• Created an input file for the message compiler with the event codes and relevant strings (following the WDK Serial driver example).
• Included the .rc file generated by the message compiler in the main driver resource file (MyDriver.rc).
• Included the header file generated by the message compiler in the relevant driver module.
• Used the NdisWriteErrorLogEntry API to write events with new ids from the included header file.
• Added the driver binary to the Inf registry string identifying the event sources:

---

HKR, , EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll; %%SystemRoot%%\System32\drivers\MyDriver.sys"
HKR, , TypesSupported,   0x00010001, 7

Everything works, except for strings display by the event viewer. It doesn't seem to recognize them and displays "the message resource is present but the message is not found in the string/message table" in the event description. The only significant difference from the WDK example is the usage of NDIS API instead of the generic WDM API. I'm also pretty confident that the text is included in the driver binary, since when opening the .sys file with editor I clearly see my strings there. Would appreciate any suggestions on this issue.

Answer 1

Well, after a year and a half I found the problem. Apparently, the event viewer registry string parser is unable to properly extract the second messages file name if there is a whitespace before it.

Thus, in order to fix it, all is needed is remove the whitespace. I.e., instead of:

HKR, , EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll; %%SystemRoot%%\System32\drivers\MyDriver.sys"

Write this in the inf file:

HKR, , EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll;%%SystemRoot%%\System32\drivers\MyDriver.sys"