2

When running the following one-liner:

Write-EventLog -LogName Application -Source 'Application Error' -EntryType Error -EventID 1001 -Message 'Problem description'

We see the entry in the log Application:

[screenshot]

According to Microsoft for EventID 1001, one should provide the values for %1, %2 and %3:

Detection of product '%1', feature '%2' failed during request for component '%3'

How is this possible in PowerShell? When adding the switch -RawData 10, 20 only the type is filled in as follows:

[screenshot]

Is there a way to not have the other text available without creating a new log name or source in the Event log? Or to be able to fill in the variables? I'm writing to Application error in case the custom made log name or source isn't available. So there is a trace somewhere.

Thank you for your help.

2
  • EventID 1001 from MSI and EventID 1001 from Application Error or Windows Error Reporting is not the same event - the Source matters. Change it to MsiInstaller and you'll see (Commented Apr 1, 2016 at 11:58)
  • Thank you Mathias I understand it now. Which source is always available and best for reporting custom errors? When picking at random another number to avoid the extra fuzz it's always complaining about The description for Event ID xxx cannot be found... (Commented Apr 1, 2016 at 12:15)

1 Answer

3

The Event ID 1001 description you link to is specific to the MsiInstaller source.

For your own custom error events, use a custom Source identifier. You can check whether a source definition already exists on the machine, and if not, create it:

$CustomSource = 'MyCustomApplication'

# Wrap the check in try/catch so that SourceExists() throwing access denied is treated as $false
$SourceExists = try {
    [System.Diagnostics.EventLog]::SourceExists($CustomSource)
} catch {
    $false
}

if(-not $SourceExists)
{
    # Create the Source definition
    New-EventLog -Source $CustomSource -LogName Application
}

Write-EventLog -LogName Application -Source $CustomSource -EntryType Error -EventID 1001 -Message 'Problem description'

If you have a message resource file (the file containing the "templates" for your events), you can also include that in the call to New-EventLog.


5 Comments

Thanks Mathias, I already do this via SCCM and the System account. But later on when I run a script with the user account it should fail when the custom source didn't get created properly with the system account. In that case I want the user to write a message to the event log. The user can't use a custom log but should be using something that is already available... Hope this makes it more clear?
@DarkLite1 Why is it so important that it uses something "already available"? As long as the source name you choose is different from whatever SCCM should've created, you can still easily distinguish between them. What are you trying to achieve?
I'm trying to achieve a clean error message in the Application log, without extra stuff in there like The description for Event ID is unknown or other text like Fault bucket. Why? Because there's no custom log available at that point yet (the user can't create that) and it needs to go somewhere...
That's exactly what my current sample does - register a Source in an existing log (Application) without any message resource templates, resulting in a "clean" message in the event log
Indeed, and when I execute your code I get an Access denied: New-EventLog : Access is denied. Try running the command again in a session that has been opened with elevated user rights (that is, Run as Administrator). That's the exact reason why it needs to be a pre existing source...
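
An added example (not code from the question, the answer or its comments) for Windows PowerShell 5.1: it combines the source check from the answer with an elevation test, so a non-elevated caller gets a clear result instead of the Access denied error from New-EventLog, and it writes the %1, %2 and %3 values as insertion strings through the .NET EventLog API. The function name Write-CustomEvent and the sample values are hypothetical; 'MyCustomApplication' is the answer's sample source name.

```powershell
# Added example. Write-CustomEvent is a hypothetical helper name, not an existing cmdlet.
function Write-CustomEvent {
    [CmdletBinding()]
    param(
        [string]$Source  = 'MyCustomApplication',   # sample source name from the answer
        [string]$LogName = 'Application',
        [int]$EventId    = 1001,
        [Parameter(Mandatory)][string[]]$InsertionStrings
    )

    # SourceExists() can throw for non-administrators; treat that as "not found".
    $exists = try { [System.Diagnostics.EventLog]::SourceExists($Source) } catch { $false }

    if (-not $exists) {
        # Registering a source writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog,
        # so New-EventLog only succeeds in an elevated session.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]$identity
        $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $elevated) {
            Write-Warning "Source '$Source' is not registered and this session is not elevated."
            return $false
        }
        New-EventLog -LogName $LogName -Source $Source
    }

    # EventInstance(instanceId, categoryId, entryType); each value becomes one insertion string.
    $instance = [System.Diagnostics.EventInstance]::new(
        $EventId, 0, [System.Diagnostics.EventLogEntryType]::Error)
    [System.Diagnostics.EventLog]::WriteEvent($Source, $instance, [object[]]$InsertionStrings)
    return $true
}

# Constructed sample values standing in for %1, %2 and %3.
if (Write-CustomEvent -InsertionStrings 'ProductA', 'FeatureB', 'ComponentC') {
    # Read the newest matching event back and list its insertion strings.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MyCustomApplication'; Id = 1001
    } -MaxEvents 1 | ForEach-Object { $_.Properties.Value }
}
```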
