```cpp
TCHAR EvtKey[] = _T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\MyCustLog\\C:/App1.exe");
TCHAR EvtSrc[] = _T("C:/App1.exe");
TCHAR EvtFil[] = _T("C:\\MyFolder\\App1.evtx");

DWORD dwSize = (_tcslen(EvtFil) + 1) * sizeof(TCHAR); // including terminating NULL
DWORD dwRet = RegSetKeyValue(HKEY_LOCAL_MACHINE, EvtKey, _T("File"), REG_SZ, (PVOID)EvtFil, dwSize);
...
HANDLE hEvtSrc = RegisterEventSource(0, EvtSrc);
BOOL bRet = ReportEvent(hEvtSrc, EVENTLOG_ERROR_TYPE, ...);
```

This code successfully runs OK, and adds an event log to the Windows Event Log Viewer.

However, it does NOT create the C:\MyFolder\App1.evtx file at all. There is no error whatsoever, but no file is created.

What is missing here to create the event log file?

@mutantkeyboard suggested the following answer, but it did not explain anything about the File value. So it is not an answer to my question unfortunately:

Write an Event to the Event viewer

HaeRim Lee
  • Does this answer your question? [Write an Event to the Event viewer](https://stackoverflow.com/questions/8559222/write-an-event-to-the-event-viewer) – mutantkeyboard Nov 17 '21 at 08:15
  • Why are you saving the log file to the drive root? The [documentation](https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key) says: "*If a specific file is set, **make sure that the event log service has full permissions on the file**... If the file setting is wrong, an event is fired in the System event log when the event log service starts... Windows Server 2003 and Windows XP/2000: If the File setting is set to an invalid value, the log will either not be initialized properly, or all requests will silently go to the default log (Application).*" – Remy Lebeau Nov 17 '21 at 19:21
  • Also, you are not including the null-terminator of `EvtFil` when calculating the value of `dwSize`. The [`RegSetKeyValue()` documentation](https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regsetkeyvaluew) says: "*If the data is of type REG_SZ, REG_EXPAND_SZ, or REG_MULTI_SZ, **cbData must include the size of the terminating null character** or characters.*" `_tcslen()` does not count the null-terminator, so use `DWORD dwSize = (_tcslen(EvtFil) + 1) * sizeof(TCHAR);` instead. – Remy Lebeau Nov 17 '21 at 19:26
  • My mistake not to include the NULL, and it was fixed right away. And the file path is just a sample to ask this ticket. In my actual code, it is not in the root but looks something like C:\MyFolder\App1.evtx. Even with C:\MyFolder\App1.evtx, the result is the same and C:\MyFolder\App1.evtx is not created at all. The same program also writes a plain text log file C:\MyFolder\App1.logx without any problem. This means there is no file permission issue on the folder. – HaeRim Lee Nov 17 '21 at 20:18
  • @Remy Lebeau Please help – HaeRim Lee Nov 18 '21 at 04:55
  • @HaeRimLee just because *your program* is able to write a file does not mean the *eventlog service* is able to write a file in the same folder. As the documentation says, make sure the *eventlog service* has adequate permissions to the file. That being said, have you tried removing the `File` value and letting the eventlog service write a file to the default path? "*If the value is not specified, it defaults to %SystemRoot%\system32\winevt\logs\ followed by a file name that is based on the event log registry key name.*" If that works, then you definitely have a permission issue. – Remy Lebeau Nov 18 '21 at 05:37
  • @RemyLebeau Yes, I can see the default event log file created under %SystemRoot%\system32\winevt\logs\. But how can I check that the eventlog service has adequate permissions to the file? And if it does not have adequate permissions, how do I set them? – HaeRim Lee Nov 18 '21 at 06:44
  • @RemyLebeau thank you for your help and finally I figured out 'File' should be set under event log, not event source. – HaeRim Lee Nov 18 '21 at 08:24
  • @HaeRimLee "*I figured out 'File' should be set under event log, not event source*" - good catch, I completely missed that you were putting it on the wrong key. – Remy Lebeau Nov 18 '21 at 09:47
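
The fix reached in the comments above (set `File` on the event log key, not on the event source key beneath it), as an added example that is not part of the original post. `KeyLevel`, `ClassifyEventLogKey` and `SetLogFile` are hypothetical helpers; the Win32 call is compiled only on Windows, and the sample keys are built from the names in the question.

```cpp
// Added example, not the asker's code. Layout below HKLM, as in the thread:
//   ...\Services\EventLog\<log>            "File" is set here
//   ...\Services\EventLog\<log>\<source>   per-source values only
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

static const std::wstring kEventLogRoot =
    L"SYSTEM\\CurrentControlSet\\Services\\EventLog";

enum class KeyLevel { Other, Log, Source };

// Classify a key path by how many components follow the EventLog root.
// Only a backslash separates registry keys, so "C:/App1.exe" is one component.
// The prefix match is case-sensitive for brevity; registry key names are not.
KeyLevel ClassifyEventLogKey(const std::wstring& key) {
    if (key.compare(0, kEventLogRoot.size(), kEventLogRoot) != 0)
        return KeyLevel::Other;
    const std::wstring rest = key.substr(kEventLogRoot.size());
    if (!rest.empty() && rest[0] != L'\\') return KeyLevel::Other;
    int parts = 0;
    for (size_t i = 0; i < rest.size();) {
        size_t j = rest.find(L'\\', i + 1);  // rest[i] is a backslash
        if (j == std::wstring::npos) j = rest.size();
        if (j - i > 1) ++parts;              // ignore empty components
        i = j;
    }
    if (parts == 1) return KeyLevel::Log;
    return parts == 2 ? KeyLevel::Source : KeyLevel::Other;
}

#ifdef _WIN32
// Writes "File" only when 'key' is a log-level key; returns a Win32 error code.
LSTATUS SetLogFile(const std::wstring& key, const std::wstring& evtxPath) {
    if (ClassifyEventLogKey(key) != KeyLevel::Log) return ERROR_INVALID_PARAMETER;
    DWORD cb = static_cast<DWORD>((evtxPath.size() + 1) * sizeof(wchar_t));
    return RegSetKeyValueW(HKEY_LOCAL_MACHINE, key.c_str(), L"File",
                           REG_SZ, evtxPath.c_str(), cb);
}
#endif

int main() {
    // Constructed keys: the one from the question, then the corrected one.
    const std::wstring src = kEventLogRoot + L"\\MyCustLog\\C:/App1.exe";
    const std::wstring log = kEventLogRoot + L"\\MyCustLog";
    std::printf("question's key is a log key: %d\n", ClassifyEventLogKey(src) == KeyLevel::Log);
    std::printf("corrected key is a log key:  %d\n", ClassifyEventLogKey(log) == KeyLevel::Log);
}
```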

0 Answers