EventCreate and "ERROR: Source parameter is used to identify custom applications/scripts only"

EventCreate.exe is a command-line utility that comes with Windows that lets you write events into the Windows event log and create custom event sources.  For example, this command line creates an Information event in the Application log, associated with the source "MyStuff":

EventCreate /L APPLICATION /SO MyStuff /ID 1 /T INFORMATION /D "Text that goes into the event"

If the "MyStuff" source doesn't exist, EventCreate creates it, assuming the user has the necessary permissions.

I recently came across an undocumented quirk that causes EventCreate to fail and to report this error message:

ERROR: Source parameter is used to identify custom applications/scripts only (not installed applications).

I chased this one down and finally determined what causes it.  For whatever reason, EventCreate was designed only to log events that are associated with event log sources that EventCreate created.  It does this by adding a REG_DWORD value called CustomSource in the source's registry key when it creates a new source, and checking for that value for a source that already exists.  So in the above example, if the "MyStuff" source didn't already exist in the Application log, the above command would have created it and configured its key with a CustomSource value.  Subsequent calls to EventCreate with the same source would succeed after verifying the existence of the CustomSource value.  If, however, the "MyStuff" source had been created through another mechanism that didn't create a CustomSource flag, such as with the PowerShell New-EventLog cmdlet, then you'd get the error message.  If you create a CustomSource value in an event source's key, then EventCreate will work with that source.  (The key associated with an event source is HKLM\System\CurrentControlSet\Services\EventLog\logname\sourcename.  E.g., HKLM\System\CurrentControlSet\Services\EventLog\Application\MyStuff.)
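
The check and the fix described above, as an added PowerShell example that is not part of the original post: it reports whether a source's registry key carries the CustomSource value and adds it when missing. The function names are hypothetical, and the data value 1 is an assumption, since the post gives only the value's name and type.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumption: the data written to CustomSource (1) is not stated in the post.

function Get-EventSourceKeyPath {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Source
    )
    # Key layout given in the post: ...\Services\EventLog\<logname>\<sourcename>
    "HKLM:\System\CurrentControlSet\Services\EventLog\$LogName\$Source"
}

function Test-EventCreateCompatible {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Source
    )
    $key = Get-EventSourceKeyPath -LogName $LogName -Source $Source
    if (-not (Test-Path -LiteralPath $key)) {
        # Source not registered: EventCreate creates and flags it on first use.
        return [pscustomobject]@{ Source = $Source; Registered = $false; CustomSource = $false }
    }
    $props = Get-ItemProperty -LiteralPath $key
    $flag  = $null -ne $props.PSObject.Properties['CustomSource']
    [pscustomobject]@{ Source = $Source; Registered = $true; CustomSource = $flag }
}

function Enable-EventCreateForSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Source
    )
    $state = Test-EventCreateCompatible -LogName $LogName -Source $Source
    if (-not $state.Registered) { throw "Source '$Source' is not registered under log '$LogName'." }
    if ($state.CustomSource)    { return $state }   # already flagged; nothing to do
    $key = Get-EventSourceKeyPath -LogName $LogName -Source $Source
    if ($PSCmdlet.ShouldProcess($key, 'Add REG_DWORD CustomSource')) {
        # Writing under HKLM requires an elevated session.
        New-ItemProperty -LiteralPath $key -Name 'CustomSource' -PropertyType DWord -Value 1 | Out-Null
    }
    Test-EventCreateCompatible -LogName $LogName -Source $Source
}

# Usage: preview the change for a source that was created with New-EventLog.
# Enable-EventCreateForSource -LogName Application -Source MyStuff -WhatIf
```

Run with -WhatIf first; the registry write only succeeds from an elevated prompt.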

There's more to it when /SO isn't specified, but at that point I had figured out what I needed to unblock my work and lost interest.  It's left as an exercise to the more bored.

Comments

  • Anonymous
    November 25, 2013
    Great help, thanks.