How can I find out which message file is used by a particular source logging to the event log?

Article ID: 65
Category: Usage
Created: 2005-10-02

Every application that is logging to the event log ussage has what is called a message file associated with it. Message files are used to translate event ids and their associated insertion strings to actual descriptive event messages.

Message files are usually DLL or EXE files that are shipped with the application. For example, the message file for EventSentry is "eventsentry_msg.dll" which is usually stored in the %SYSTEMROOT%\system32 directory.

Follow the steps below to find out what the actual message file being used for a particular event source is:

  1. Open the registry editor regedit.exe
  2. Navigate to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog[EVENTLOG][EVENTSOURCE], where [EVENTLOG] is the event log the event is occurring in and [EVENTSOURCE] is the source you are interested in. For example, if the source is "EventSentry" then you would need to open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\EventSentry.
  3. The message file being used stored in the "EventMessageFile" value. Please note that event categories might be stored separately in the "CategoryMessageFile" value, but they usually point to the same message file.