April 29th, 2011, 09:41 AM
The source name in eventlog is different from source name in registry.
Hello everyone! I have a little question.
Everyone knows that the "Source" field in the EventLog Viewer, when you view logs, indicates the name of the source. As far as I know, the name of the source is taken from the eventlog entry. But at the same time, the source name is the name of the registry key under the appropriate eventlog key.
For example, if we have a custom eventlog "TestLog", its key is HKLM\SYSTEM\CurrentControlSet\services\eventlog\TestLog, and a custom provider "TestProvider" that writes events to that log has the key HKLM\SYSTEM\CurrentControlSet\services\eventlog\TestLog\TestProvider.
So, if TestProvider writes an event to TestLog, the "Source" field in EventViewer will be "TestLog". And finally, here is my question: if we take a look, for example, at the HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Microsoft-Windows-RestartManager provider and write some events to the Application log, we will see that the "Source" field in EventViewer isn't "Microsoft-Windows-RestartManager" but "RestartManager". How can it be that the source name in the eventlog is different from the source name in the registry?