EventLog keys

EventLog providers

Information about EventLog providers is stored across multiple keys:

  • the Services\EventLog key, which has been around since at least Windows NT 3.5

  • the WINEVT\Publishers key, which was introduced in Windows Vista

Note that information from both keys may need to be combined to describe a single provider. For example, the Services\EventLog key contains:

Log type                : System
Log source              : Microsoft-Windows-Time-Service
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message files     : %SystemRoot%\system32\w32time.dll

Log type                : System
Log source              : W32Time
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message files     : %SystemRoot%\system32\w32time.dll

In combination with the corresponding WINEVT\Publishers key:

Name                    : Microsoft-Windows-Time-Service
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message files     : %SystemRoot%\system32\w32time.dll

Together these describe the following EventLog provider:

Name                    : Microsoft-Windows-Time-Service
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Log type                : System
Log source(s)           : Microsoft-Windows-Time-Service
                        : W32Time
Event message files     : %SystemRoot%\system32\w32time.dll

Note that an EventLog provider can have multiple log types and log sources. It is not known if a log source that matches the EventLog provider name can be deduplicated.

Or, as it appears in the Event XML of a logged event:

<Provider Name='Microsoft-Windows-Time-Service'
          Guid='{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}'
          EventSourceName='W32Time'/>
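The merge described above, as an added example that is not code from the original page: the two dictionaries are constructed samples modelled on the W32Time, EventCollector and Workstation entries on this page, not data read from a live registry, and the output record shape (name, identifier, log types, log sources, message files) is this example's own.

```python
# Added example, not code from the original page: merge Services\EventLog and
# WINEVT\Publishers information into one EventLog provider record. The dictionaries
# are constructed samples modelled on the page's entries, not live registry data.
TIME_GUID = "{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}"
WEC_GUID = "{b977cf02-76f6-df84-cc1a-6a4b232322b6}"
W32TIME_DLL = "%SystemRoot%\\system32\\w32time.dll"
WECSVC_DLL = "%SystemRoot%\\system32\\wecsvc.dll"
SERVICES_EVENTLOG = {  # {log type: {log source: {value name: data}}}
    "System": {
        "Microsoft-Windows-Time-Service": {"ProviderGuid": TIME_GUID, "EventMessageFile": W32TIME_DLL},
        "W32Time": {"ProviderGuid": TIME_GUID, "EventMessageFile": W32TIME_DLL},
        "Microsoft-Windows-EventCollector": {"ProviderGuid": WEC_GUID, "EventMessageFile": WECSVC_DLL},
        "Workstation": {},  # legacy NT source without a ProviderGuid value
    },
    "Application": {
        "Microsoft-Windows-EventCollector": {"ProviderGuid": WEC_GUID, "EventMessageFile": WECSVC_DLL},
    },
}
WINEVT_PUBLISHERS = {  # {GUID: {value name: data}}
    TIME_GUID: {"(default)": "Microsoft-Windows-Time-Service", "MessageFileName": W32TIME_DLL},
    WEC_GUID: {"(default)": "Microsoft-Windows-EventCollector",
               "MessageFileName": WECSVC_DLL, "ResourceFileName": WECSVC_DLL},
}

def _new_provider(identifier):
    return {"name": None, "identifier": identifier, "log_types": set(),
            "log_sources": {}, "message_files": set()}

def merge_providers(services, publishers):
    """Return providers keyed by lower-cased GUID, or by lower-cased source name
    when a source has no ProviderGuid. Sources are compared case insensitively
    across log types; a source equal to the provider name is kept as-is."""
    providers = {}
    for log_type, sources in services.items():
        for source, values in sources.items():
            guid = values.get("ProviderGuid", "").lower()
            prov = providers.setdefault(guid or source.lower(), _new_provider(guid or None))
            prov["log_types"].add(log_type)
            prov["log_sources"].setdefault(source.lower(), source)
            prov["message_files"].update(f for f in values.get("EventMessageFile", "").split(";") if f)  # ';' delimited
    for guid, values in publishers.items():
        prov = providers.setdefault(guid.lower(), _new_provider(guid.lower()))
        prov["name"] = values.get("(default)")
        prov["message_files"].update(values[v] for v in ("MessageFileName", "ParameterFileName") if v in values)
    for prov in providers.values():  # freeze sets into sorted lists for stable output
        prov["log_sources"] = sorted(prov["log_sources"].values())
        if prov["name"] is None and len(prov["log_sources"]) == 1:
            prov["name"] = prov["log_sources"][0]  # no publisher entry: take the name from the source
        prov["log_types"], prov["message_files"] = sorted(prov["log_types"]), sorted(prov["message_files"])
    return providers
```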

Services\EventLog key

The event sources are stored in the Services\EventLog key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\

On Windows NT it can be found in the SYSTEM Registry file.

The Services\EventLog key contains a per EventLog type sub key, for example for the “System” EventLog type:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\

Common EventLog types are:

  • Application

  • Security

  • System

The EventLog type sub key contains a sub key per EventLog source (referred to below as the source-per-type sub key), for example for the “Workstation” EventLog source:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Workstation\

Note that the log source is case insensitive; so “Workstation” and “workstation” are considered equivalent.

Services\EventLog type sub key

Values:

Name      Data type                                       Description
Sources   Array of strings with end-of-string character   Names of the event sources

Services\EventLog source-per-type sub key

The Services\EventLog source-per-type sub key contains information about a single event source.

Values:

Name                  Data type       Description
CategoryCount         REG_DWORD       Number of event categories supported.
CategoryMessageFile   REG_EXPAND_SZ   Path to the category message file. A category message file contains language-dependent strings that describe the categories.
EventMessageFile      REG_EXPAND_SZ   Path to the event message file(s). An event message file contains language-dependent strings that describe the events. Note that this value can contain multiple file names delimited by a semicolon, for example "C:\WINDOWS\system32\COMRES.DLL;C:\WINDOWS\system32\xpsp2res.dll".
ParameterMessageFile  REG_EXPAND_SZ   Path to the parameter message file. A parameter message file contains language-independent strings that are inserted into the event description strings.
ProviderGuid          REG_SZ          Identifier, in the form "{%GUID%}", of the event provider.
TypesSupported        REG_DWORD       Bitmask of supported event types, see below.

TypesSupported value data

Value    Identifier
0x0001   EVENTLOG_ERROR_TYPE
0x0002   EVENTLOG_WARNING_TYPE
0x0004   EVENTLOG_INFORMATION_TYPE
0x0008   EVENTLOG_AUDIT_SUCCESS
0x0010   EVENTLOG_AUDIT_FAILURE

WINEVT\Publishers key

The event publishers (or providers) are stored in the WINEVT\Publishers key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers

On Windows Vista or later it can be found in the SOFTWARE Registry file.

The WINEVT\Publishers key contains a sub key per publisher GUID, for example “{de513a55-c345-438b-9a74-e18cac5c5cc5}”:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\%GUID%

WINEVT\Publishers GUID sub key

A WINEVT\Publishers GUID sub key contains information about a single event publisher.

Values:

Name               Data type       Description
(default)          REG_SZ          Case insensitive log source (the publisher name).
MessageFileName    REG_EXPAND_SZ   Path to an event message file. An event message file contains language-dependent strings that describe the events.
ResourceFileName   REG_EXPAND_SZ   Path to an event resource file.
ParameterFileName  REG_EXPAND_SZ   Path to an event parameter file.

Message file paths

A message file path can be defined in a number of different ways, for example:

As an absolute path:

C:\Windows\System32\mscoree.dll

As a relative path:

mscoree.dll

As a path using environment variables:

%SystemDrive%\Windows\System32\mscoree.dll
%SystemRoot%\System32\mscoree.dll
%WinDir%\System32\mscoree.dll

As a path using universal OEM runtime macros:

$(runtime.system32)\mscoree.dll
\SystemRoot\system32\mscoree.dll
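An added example (not code from the original page) that normalises the path forms listed above so that different spellings of the same message file compare equal. The system_root and system_drive defaults, and the assumption that a bare file name resolves to System32, are this example's own and should be taken from the system or image being examined.

```python
# Added example, not code from the original page: normalise the message file
# path forms listed above so different spellings of the same file compare equal.
# system_root/system_drive are assumptions; take them from the image examined.
import ntpath
import re

def normalize_message_file_paths(value, system_root="C:\\Windows", system_drive="C:"):
    """Return a list of absolute paths (EventMessageFile may hold several files delimited by ';')."""
    env = {"systemroot": system_root, "windir": system_root, "systemdrive": system_drive}
    system32 = ntpath.join(system_root, "System32")
    paths = []
    for path in value.split(";"):
        path = path.strip()
        if not path:
            continue
        # %SystemRoot%, %WinDir%, %SystemDrive%: environment variables are case
        # insensitive; unknown variables are left untouched
        path = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
        # $(runtime.system32): universal OEM runtime macro for the System32 directory
        path = re.sub(r"\$\(runtime\.system32\)", lambda m: system32, path, flags=re.IGNORECASE)
        # \SystemRoot\...: NT-style prefix without a drive letter
        if path.lower().startswith("\\systemroot\\"):
            path = system_root + path[len("\\SystemRoot"):]
        # a bare file name: this example assumes it resolves to System32
        if "\\" not in path and "/" not in path:
            path = ntpath.join(system32, path)
        paths.append(ntpath.normpath(path))
    return paths
```

Comparing the normalised paths makes it easy to spot a message file that points outside the expected system directories when reviewing provider registrations.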

EventLog provider with multiple provider GUIDs

Seen on Windows 8.0, 8.1, 10, 11 and 2012:

Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-KdsSvc
Name: Microsoft-Windows-KdsSvc
Last written time: Oct 30, 2015 07:25:12.126588100 UTC

Value: 0 providerGuid
Type: string (REG_SZ)
Data size: 78
Data: {d4be7726-dc7a-11df-a6e6-0902dfd72085}

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{89203471-d554-47d4-bde4-7552ec219999}
Name: {89203471-d554-47d4-bde4-7552ec219999}
Last written time: Oct 30, 2015 07:25:53.860831900 UTC

Value: 0 (default)
Type: string (REG_SZ)
Data size: 50
Data: Microsoft-Windows-KdsSvc

Value: 1 ResourceFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\KdsCli.dll

Value: 2 MessageFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\KdsCli.dll

EventLog provider with multiple log types

Seen on Windows 10:

Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-EventCollector
Name: Microsoft-Windows-EventCollector
Last written time: Sep 13, 2014 07:27:56.080450600 UTC

Value: 0 ProviderGuid
Type: string (REG_SZ)
Data size: 78
Data: {b977cf02-76f6-df84-cc1a-6a4b232322b6}

Value: 1 EventMessageFile
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll

Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-EventCollector
Name: Microsoft-Windows-EventCollector
Last written time: Sep 13, 2014 07:27:56.080450600 UTC

Value: 0 ProviderGuid
Type: string (REG_SZ)
Data size: 78
Data: {b977cf02-76f6-df84-cc1a-6a4b232322b6}

Value: 1 EventMessageFile
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{b977cf02-76f6-df84-cc1a-6a4b232322b6}
Name: {b977cf02-76f6-df84-cc1a-6a4b232322b6}
Last written time: Sep 13, 2014 07:27:56.080450600 UTC

Value: 0 (default)
Type: string (REG_SZ)
Data size: 66
Data: Microsoft-Windows-EventCollector

Value: 1 ResourceFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll

Value: 2 MessageFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll