I have code that reads the Windows Event Log. It uses OpenEventLog, ReadEventLog and gets the event source and event ID. Then it looks up the source under the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application 

key, loads the appropriate DLL(s) according to what is listed in EventMessageFile and finally uses FormatMessage to merge the event strings with the message DLL content to get the final event message text. This is the recommended way, and although a bit of a pain, it works great.

Until… I go lookup the source and find it doesn’t have an EventMessageFile, but rather a ProvideGuid entry. This seems to be the new way (they show up on Vista and Windows 2008). Uggh — nothing to pass to FormatMessage for looking up the message text and merging in the data strings

🙁

Searching the registry for the guid does lead to references to other files (http.sys in the case of the HTTP source), but I can never get the complete message text. Do I have to use those EvtOpenSession APIs? I’m hoping not since I already have the EVENTLOGRECORD* from a call to ReadEventLog, and the fact that the software needs to run on Windows 2003 where EvtOpenSession isn’t supported (only available on Vista and Windows 2008). NOTE: Some sources on Vista have ProviderGUID, and others have EventMessageFile, so the old method is still viable.

So what I’m after is a way to look at the ProviderGuid and get the DLL that needs to be passed to FormatMessage for displaying the complete event log message text.

Thanks for any input