MooseBoys

Reputation: 6793

Sending ETW Events to Global "Application" Log

I'd like to enable my app to make warnings and errors visible to the global "Application" log in Windows Event Viewer. I've successfully followed the directions here that helped me get ETW up and running, but I only see events when I explicitly enable logging via a tracing program, and even then they only show up in the generated .etl file, not in the global log.

How can I programmatically register and write events to the global Application log, so that when users run event viewer, they'll see events from my app? Is it even possible? In a nutshell, I want to end up with something like the screenshot below, just with less photoshopping required:


Upvotes: 2

Views: 1659

Answers (2)

MikeOnline

Reputation: 1204

The Windows Event Tracing API was intended to supersede the older Windows Event Logging API for logging events to the Event Log, starting with Windows Vista. But to this day it is difficult to find clear examples online showing how to use this newer Event Tracing for Windows (ETW) API.

It is fundamental for applications - and especially services - to log events to the Windows Event Log under System or Application. But Microsoft does not provide any clear documentation for this very common use case. Instead, the current online documentation for Event Tracing drags you through the entire complexity of ETW.

That said, Microsoft offers a sample solution for native VC++ which works well. The solution and project (from VS2008!) loaded fine into Visual Studio 2022.

The included XML manifest in this sample defines 5 events, but only the first, fourth and fifth are associated with the "channel" for the Windows Application Event Log. The second and third events are associated with an "analytic channel" for ETW and will not appear in Application or System logs within Event Viewer (such ETW events are typically captured/monitored through other means). So the sample demonstrates how to log to the Event Log or to ETW using the newer API. The readme.txt file in this solution is instructive.

Also helpful is an archived Microsoft forum posting called FAQ: Common Questions for ETW and Windows Event Log. It describes the various ETW channels, defines what WPP means and provides a number of other details.

There is a third Windows API for ETW logging called TraceLogging which builds upon and simplifies the ETW API; however, for logging to the traditional Application and System Event Logs shown in Event Viewer, you must stay with either manifest-based ETW logging or the older Windows XP/Server 2003 Event Logging API.

Upvotes: 0

Edward Clements

Reputation: 5132

ETW seems to be quite complex for your purpose; here's the procedure to write to the Event Log:

a) One-time (you would typically do this while installing your application): Register your application as an Event Provider; only the EventMessageFile entry is really required:
- key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\MyCoolGame
- string name (REG_EXPAND_SZ) = EventMessageFile
- string value = C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll

b) On program startup: Register Event Source and receive a handle:

hEventLog = RegisterEventSource(NULL, lpszAppNameName);

c) Use the ReportEvent function to write entries to the Event Log:

TCHAR szLogBuffer[] = _T("Started new multiplayer server.");
const TCHAR *lpszEventStrings[2] = {szLogBuffer, NULL};
ReportEvent(hEventLog, EVENTLOG_INFORMATION_TYPE, 0, 1, NULL, 1, 0, lpszEventStrings, NULL);

d) On program shutdown:

DeregisterEventSource(hEventLog);

Upvotes: 2
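Steps a) through d) from the answer above, combined into one program with error checks. This is an added example, not part of the original answer. It assumes the ANSI (`A`) API variants instead of TCHAR, and `source_key` and `register_source` are hypothetical helper names.

```c
/* Added example: steps a) to d) in one program. Link with advapi32.lib on Windows. */
#include <stdio.h>
#include <string.h>
#define LOG_ROOT "SYSTEM\\CurrentControlSet\\services\\eventlog\\Application\\"

/* Build the registry subkey for an event source (hypothetical helper).
   Returns 0 on success, -1 if the name is empty, does not fit, or contains
   a backslash, which the registry API would treat as a nested subkey. */
int source_key(const char *source, char *out, size_t cap)
{
    if (!source || !*source || strchr(source, '\\')) return -1;
    int n = snprintf(out, cap, LOG_ROOT "%s", source);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}
#ifdef _WIN32
#include <windows.h>

/* Step a): writes under HKLM, so it needs administrator rights (installer). */
static LONG register_source(const char *source, const char *msg_dll)
{
    char key[512];
    HKEY h;
    if (source_key(source, key, sizeof key) != 0) return ERROR_INVALID_PARAMETER;
    LONG rc = RegCreateKeyExA(HKEY_LOCAL_MACHINE, key, 0, NULL, 0,
                              KEY_SET_VALUE, NULL, &h, NULL);
    if (rc != ERROR_SUCCESS) return rc;
    rc = RegSetValueExA(h, "EventMessageFile", 0, REG_EXPAND_SZ,
                        (const BYTE *)msg_dll, (DWORD)strlen(msg_dll) + 1);
    RegCloseKey(h);
    return rc;
}

int main(void)
{
    const char *source = "MyCoolGame";  /* source name from the answer */
    LONG rc = register_source(source,
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\EventLogMessages.dll");
    if (rc != ERROR_SUCCESS) fprintf(stderr, "registration failed: %ld\n", rc);

    HANDLE log = RegisterEventSourceA(NULL, source);            /* step b) */
    if (!log) { fprintf(stderr, "RegisterEventSource: %lu\n", GetLastError()); return 1; }
    const char *strings[1] = { "Started new multiplayer server." };
    BOOL ok = ReportEventA(log, EVENTLOG_INFORMATION_TYPE, 0, 1, NULL,
                           1, 0, strings, NULL);                /* step c) */
    if (!ok) fprintf(stderr, "ReportEvent: %lu\n", GetLastError());
    DeregisterEventSource(log);                                 /* step d) */
    return ok ? 0 : 1;
}
#endif
```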
