On Thu, Jun 7, 2012 at 10:02 AM, Michael B. Smith <[email protected]> wrote:
>
> The format of event logs changed in Windows 2008 and this also included a
> change to the format of the basic Win32_NTLogEvent. A new field called
> "InsertionStrings" was added that contains data which is unique to a given
> event log entry. The reason for this is that it represents a significant
> optimization in the amount of space consumed by the average event log item.
While it may be that more fields are exposed via APIs now, as far as I know, the Event Log has always worked that way internally.

Long-winded explanation:

The "Description" field consists of a "format string" and zero or more "insertion strings". The format string is generic for a given event ID. The insertion strings contain the info that varies with each event.

For example, say there was an event ID for a file-not-found sort of event. The "File not found" part would be the format string. The specific file name that was attempted would be an insertion string.

The insertion strings are stored as part of each event record, in the log. The format strings come from resource DLLs, which are specified via registry entries. Event Viewer assembles them into a single message when you view the log. That's why if you don't have the needed DLLs and/or reg entries, you get a generic message like "The description for Event ID X could not be found."

Reasons given for doing this include space optimization (as MBS says) and also localization. For example, two different people could view the same log file, and as long as they have localized DLLs on their PCs, they would each see the messages in their native languages.

References:

MSKB 165959 "Reading a File Saved with the Event Viewer of Another Computer"
http://support.microsoft.com/kb/165959
Applies to NT 4.0

--
Ben
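The split Ben describes can be seen directly from PowerShell. The following is an added illustration, not code from anyone on the list: it pulls one record, prints the insertion strings stored in the log, fetches the format string from the provider's registered message resources, shows the registry value that points at the message DLL, and then reassembles the message the way Event Viewer does. Event ID 7036 from the Service Control Manager in the System log is used as a realistic sample; the `Expand-EventTemplate` helper, the parameter names and the sample ID are assumptions of this example, and the Win32_NTLogEvent line at the end shows the same insertion strings through the WMI class Michael mentioned.

```powershell
# Added example (not from the thread): one event record = provider format string + per-record insertion strings.
param(
    [string]$LogName = 'System',
    [int]$EventId    = 7036   # Service Control Manager state change; any ID works (assumption: at least one such record exists)
)

# 1. The record as stored in the log: provider, ID, and the insertion strings (classic API: "ReplacementStrings").
$record     = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1 -ErrorAction Stop
$insertions = @($record.Properties | ForEach-Object { $_.Value })

"Provider   : $($record.ProviderName)"
"Event ID   : $($record.Id)"
"Insertions : $($insertions -join ' | ')"

# 2. The format string is NOT in the log; it comes from the provider's message resource DLL.
#    Get-WinEvent -ListProvider reads that registered metadata on this machine.
$provider = Get-WinEvent -ListProvider $record.ProviderName -ErrorAction Stop
$template = ($provider.Events | Where-Object { $_.Id -eq $record.Id } | Select-Object -First 1).Description
"Template   : $template"

# 3. For classic (pre-manifest) sources this is the registry entry Ben refers to: it names the DLL.
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$($record.ProviderName)"
if (Test-Path $regKey) {
    "Message DLL: $((Get-ItemProperty -Path $regKey).EventMessageFile)"
}

# 4. Reassemble: %1, %2, ... in the template are replaced by the insertion strings in order.
#    (Hypothetical helper for this example; Event Viewer does the equivalent via FormatMessage.)
function Expand-EventTemplate {
    param([string]$Template, [string[]]$Insertions)
    $text = $Template
    # Walk placeholders from highest to lowest so "%1" never clobbers the "%1" inside "%10".
    for ($i = $Insertions.Count; $i -ge 1; $i--) {
        $text = $text.Replace("%$i", $Insertions[$i - 1])
    }
    return $text
}

"Rebuilt    : $(Expand-EventTemplate -Template $template -Insertions $insertions)"
# What Event Viewer shows. This is $null when the DLL or registry entry is missing on the viewing machine,
# which is exactly the "The description for Event ID X could not be found" situation.
"Rendered   : $($record.Message)"

# 5. The same insertion strings through the WMI class from the quoted message.
$wmi = Get-CimInstance -ClassName Win32_NTLogEvent -Filter "Logfile='$LogName' AND EventCode=$EventId" |
       Select-Object -First 1
"WMI InsertionStrings: $($wmi.InsertionStrings -join ' | ')"
```

Two caveats when reading the output: a saved .evtx copied to a machine without the provider's DLLs will still show `Properties`/`InsertionStrings` intact (they live in the record), while `Message` comes back empty, which is the behaviour MSKB 165959 documents; and manifest-based providers can carry more properties than the template has `%n` placeholders, so the rebuilt string may omit trailing values that Event Viewer shows under "Details".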
