[.net] Description for event id from source cannot be found

When I write a log into windows event log, I get the event below, what's the root cause of this message, and how can I fix it? Many Thanks

The description for Event ID 51001 from source RRWS cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

test log messge

the message resource is present but the message is not found in the string/message table

I also stumbled on this - although caused by yet another possibility: the event identifier (which was "obfuscated" in a #define) was setting severity to error (the two high-order bits as stated in Event Identifiers). As Event Viewer displays the event identifier (the low-order 16 bits), there couldn't be a match...

For reference, I've put together a set of tips based in my own research while troubleshooting and fixing this:

1. If your log entry doesn't end with "the message resource is present but the message is not found in the string/message table" (as opposed to the original question):

   • Means that you're missing registry information
   • Double-check event source name and registry keys

2. If you need to add/edit registry information, remember to:

   • Restart Event Viewer (as stated in item 6 of KB166902 and also by @JotaBe)
   • If it doesn't help, restart Windows Event Log/EventLog service (or restart the system, as hinted by @BrunoBieri).

3. If you don't wish to create a custom DLL resource, mind that commonly available event message files have some caveats:

   • They hold a large array of identifiers which attempts to cover most cases
     • .NET EventLogMessages.dll (as hinted by @Matt) goes up to 0xFFFF
     • Windows EventCreate.exe "only" goes up to 0x3E9
   • Every entry contains %1
     • That means that only the first string will be displayed
     • All strings passed to ReportEvent can still be inspected by looking into event details (select the desired event, go to Details tab and expand EventData)

4. If you're still getting "cannot be found" in your logged events (original question):

   • Double-check event identifier values being used (in my case it was the Qualifiers part of the event identifier)
   • Compare event details (select the desired event, go to Details tab and expand System) with a working example

I also faced similar problem. After doing lot of research I did following I verified the steps according to this article http://www.codeproject.com/Articles/4166/Using-MC-exe-message-resources-and-the-NT-event-lo Everything seemed to be in place. Except one thing..i realised it when I stumbled on this msdn http://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx

As last paragraph says.. 'If the application calls RegisterEventSource and passes a source name that cannot be found in the registry, the event-logging service uses the Application log by default. However, because there are no message files, the Event Viewer cannot map any event identifiers or event categories to a description string, and will display an error. For this reason, you should add a unique event source to the registry for your application and specify a message file.' So my application name in RegisterEventSource was not matching with the application name in registry. I fixed this and now it works... So please double check your registry entries if you face this problem.

Improving on the answer by @Alex, I suggest the following:

            using (EventLog eventLog = new EventLog("Application"))
            {
                //You cannot be sure if the current identity has permissions to register the event source.
                try
                {
                    if (System.Web.HttpRuntime.AppDomainAppId != null)
                    {
                        eventLog.Source = System.Web.HttpRuntime.AppDomainAppId;
                    }
                    else
                    {
                        eventLog.Source = Process.GetCurrentProcess().ProcessName;
                    }
                }
                catch (SecurityException)
                {
                    eventLog.Source = "Application";
                }

                eventLog.WriteEntry("Log message example", EventLogEntryType.Information, 1000);
            }

It is important here not to specify category parameter. If you do, and this is the same for the .NET Runtime so-called magic, the

The description for Event ID <...> from source <...> cannot be found.

is going to appear.

If you open the Event Log viewer before the event source is created, for example while installing a service, you'll get that error message. You don't need to restart the OS: you simply have to close and open the event viewer.

NOTE: I don't provide a custom messages file. The creation of the event source uses the default configuration, as shown on Matt's answer.

How about a real world solution.

If all you need is a "quick and dirty" way to write something to the event log without registering "custom sources" (requires admin rights), or providing "message files" (requires work and headache) just do this:

EventLog.WriteEntry(
    ".NET Runtime", //magic
    "Your error message goes here!!",
    EventLogEntryType.Warning,
    1000); //magic

This way you'll be writing to an existing "Application" log without the annoying "The description for Event ID 0 cannot be found"

If you want the "magic" part explained I blogged about it here

Use PowerShell to create your event log and source:

New-EventLog -LogName MyApplicationLog `
    -Source MySource `
    -MessageResourceFile C:\windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll

You'll need the messages dll to avoid the problem you are seeing.

Restart your system!

A friend of mine had exactly the same problem. He tried all the described options but nothing seemed to work. After many studies, also of Microsoft's description, he concluded to restart the system. It worked!!

It seems that the operating system does not in all cases refresh the list of registered event sources. Only after a restart you can be sure the event sources are registered properly.

You need to create an event source and a message file for it. Code looks something like this:

var data = new EventSourceCreationData("yourApp", "Application");
data.MessageResourceFile = pathToYourMessageFile;
EventLog.CreateEventSource(data);

Then you will need to create a message file. There is also this article that explains things (I did not read it all but it seems fairly complete).

For me, the problem was that my target profile by accident got set to ".Net Framework 4 Client profile". When I rebuilt the service in question using the ".Net Framework 4", the problem went away!

I got this error after creating an event source under the Application Log from the command line using "EventCreate". This command creates a new key under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

If you look at the Key that's been created (e.g. SourceTest) there will be a string value calledEventMessageFile, which for me was set to %SystemRoot%\System32\EventCreate.exe.

Change this to c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll

Delete theCustomSource and TypesSupported values.

This should stop the "The description for Event ID...." message.

This is usually caused by a program that writes into the event log and is then uninstalled or moved.