3

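I have this small piece of code to read "System" events from eventvwr:

        // Requires: using System; using System.Diagnostics;
        // Open the classic "System" log and print each entry's rendered message.
        EventLog eventLog = new EventLog("System");

        foreach (EventLogEntry log in eventLog.Entries)
        {
            // Message is where the "description ... cannot be found" text shows up.
            Console.WriteLine("{0}\n", log.Message);
        }

This works fine, but for a few event logs I get messages like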

"The description for Event ID '109' in Source 'Microsoft-Windows-Kernel-Power' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'6', '0', '5'"

And when I open eventvwr, I can see the description there.

The kernel power manager has initiated a shutdown transition.
Shutdown Reason: Kernel API

I am running this code as an admin.

Can anyone help me figure out why I am getting such messages for the description? Thanks in advance.

There are similar posts, but none raises this issue. For example, this:

"The description for Event ID X in Source Y cannot be found."

Tarun Kumar

2 Answers

1

You either don't have access to the message file or its location is not on your current path, as Admin.

The Event Log message file locations are defined in the registry, i.e. if you look at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-Kernel-Power

you should find a Value EventMessageFile which has the Data %systemroot%\system32\microsoft-windows-kernel-power-events.dll or similar - this is from my machine.

Check whether this is on your path and what permissions you have, as Admin.

spodger
  • Yes, the path is there, but as admin I only have limited permissions (SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege); the rest are disabled – Tarun Kumar Jun 19 '18 at 13:33
  • Could you be more specific about what permissions I might be missing? But again, I am able to view the event log description in eventvwr, just not through the above code – Tarun Kumar Jun 19 '18 at 13:35
  • I mean just file access permissions to the Dll, like 'Read'. However, I've just tried your code and I get the same issue. I have no idea why, I'm afraid. – spodger Jun 19 '18 at 14:10
  • Do any of you guys have any update / insights regarding this? I encountered the same issue and I am at a loss. – carlaharris May 20 '20 at 08:13
0

Off topic for C#, but if you get this error in PowerShell, just switch to using Get-WinEvent instead of Get-EventLog and all will be OK.


Source: Boe Prox's reply here:

Use Get-WinEvent instead [...] Get-EventLog is better suited for the older OS's.

ndemou
  • Thanks for pointing it out Brade. That's what happens when one stops reading after the title! – ndemou Jan 11 '21 at 07:59
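
For the C# code in the question, the counterpart of switching from Get-EventLog to Get-WinEvent is the System.Diagnostics.Eventing.Reader API, which Get-WinEvent is built on. The program below is an added example, not code from either answer: it queries the Kernel-Power event 109 named in the question and assumes this API resolves the description the way Get-WinEvent does; the class name and the 10-event limit are arbitrary choices.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

class KernelPowerReader   // hypothetical name, chosen for this example
{
    static void Main()
    {
        // XPath filter for the provider and event ID quoted in the question.
        string xpath =
            "*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=109)]]";

        var query = new EventLogQuery("System", PathType.LogName, xpath)
        {
            ReverseDirection = true   // newest events first
        };

        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            int shown = 0;
            while (shown < 10 && (record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    string description = null;
                    try
                    {
                        // Renders the message from the provider's published metadata.
                        description = record.FormatDescription();
                    }
                    catch (EventLogException ex)
                    {
                        Console.Error.WriteLine("Cannot format event: {0}", ex.Message);
                    }

                    // Fall back to the raw insertion values (the '6', '0', '5'
                    // style data) so the record is never silently dropped.
                    if (string.IsNullOrEmpty(description))
                        description = "(no description) " +
                            string.Join(", ", record.Properties.Select(p => p.Value));

                    Console.WriteLine("{0:o} [{1}] {2}\n{3}\n",
                        record.TimeCreated, record.ProviderName, record.Id, description);
                    shown++;
                }
            }
        }
    }
}
```

When a collector's output feeds detection or forensics, keeping the fallback branch matters: an event whose message cannot be rendered still carries its provider, ID, timestamp and raw values.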