EventCreate.exe creates a "CustomSource" value, what does it mean?

Question

The command-line EventCreate.exe tool registers a user-defined event source in the Registry for the Windows Event Log Viewer to use, like this:

eventcreate /t INFORMATION /ID 100 /L "Application" /SO [SourceName] /D "Description"

I wrote an app that has its own Event Log resource strings and is registered as an event source, per MSDN, but it doesn't use the CustomSource value and works fine.

I can't find any documentation on MSDN, or elsewhere online, on what CustomSource is meant for exactly. None of the registered sources on my machines use it.

Does anyone know what CustomSource is meant for, and how it works? Is it just something internal to EventCreate.exe, or does the Windows Event Log actually use it for something?

Answer 1

Thanks to @RbMm for pointing out this blog article:

EventCreate and "ERROR: Source parameter is used to identify custom applications/scripts only"

For whatever reason, EventCreate was designed only to log events that are associated with event log sources that EventCreate created.  It does this by adding a REG_DWORD value called CustomSource in the source's registry key when it creates a new source, and checking for that value for a source that already exists.  So in the above example, if the "MyStuff" source didn't already exist in the Application log, the above command would have created it and configured its key with a CustomSource value.  Subsequent calls to EventCreate with the same source would succeed after verifying the existence of the CustomSource value.  If, however, the "MyStuff" source had been created through another mechanism that didn't create a CustomSource flag, such as with the PowerShell New-EventLog cmdlet, then you'd get the error message.  If you create a CustomSource value in an event source's key, then EventCreate will work with that source.