In my code, if something terribly goes wrong, I write something in the event log (using the ReportEvent function). For those entries, I get a user-id in the event log entry (5th argument of ReportEvent functions).
For lots of other entries (from other applications or from Windows itself), the user field is shown as "N/A".
The problem is that Windows also adds entries for my application by itself, especially:
- if the application shows a MesssageBox (with MB_TASKMODAL flag). The Event log shows an entry with source "Application Popup".
- if my application is busy and not responding immediately. The Event log shows an entry with source "Application Hang".
Why doesn't Windows show a User Name or User SID in the event log entries? Why is it "N/A" most of the times? Is there any way I can force Windows to use a User Name or SID in the Windows-generated event log entries?
Thanks, Patrick
As far as I know there is no way to tell windows to log events with the username. It appears that Microsoft is moving away from logging the user name with most events.
Up to Windows 2003, events in the security event log usually had a username associated with them, but that doesn't seem to be the case with Windows 2008.
I can't say why that is. Event log entries are usually identified by the source, id and category, and the username is usually of little value for troubleshooting purposes. For most events, the username would just be something LocalSystem anyways.
Windows still does log the username for some events, notably events from the Task Scheduler. If you look at the Microsoft-Windows-TaskScheduler/Operational event log, you will see that all events are logged with the username of the user under which the tasks were executed.
I'm imaging that you'd probably like to filter events based on the username, so that you can see all events that have anything to do with your application. That's unfortunately not possible, so you'll have to look at the content to determine whether it matches your exe's name.