Sometimes, you will see a message in your Windows Event Log that Event Viewer cannot display the data because the event source is missing. To fix this, you need to create the corresponding event source. This can be easily achieved using PowerShell. I show you how, including working code.
Pre-requisite Knowledge
Typically event sources would be “missing” in one of two cases: either the program that needed it failed to create the source when it was installed or run, or (more likely) the program was uninstalled, or (sometimes) you are trying to read the log from a different computer that does not have the event source installed. In any case, you would need to know the name of the event source required. You can figure out this name by looking at the “Event Source” field of the event entry.
Parameters
To create an event source, you need to have a name for your new source (called the Event Source Name) and the name of the log where the event source will be a part. If the event log entries would be written to the standard “Application”, “System” or “Security” logs, then you can use that as the name of the log. If you specify a different (custom) name, you will need to also specify a file where the entries for that log would be stored.
In this example, we look at the case where the event source exists in the standard Application log. Our event source’s name will be “Foo Source”.
The Code
We will use the .NET method “CreateEventSource” that is provided by the assembly “System.Diagnostics.dll” and encapsulated in the “EventLog” class. To run such commands, you would start off by specifying the fully qualified name of the class enclosed in square brackets: [System.Diagnostics.EventLog].
Then use a double-colon syntax to separate that qualification and the method you are calling. So this becomes: [System.Diagnostics.EventLog]::CreateEventSource(…parameters….).
The CreateEventSource method takes two parameters in the simplest form, the first being the name of the new event source and the second being the event log, so it will be “Foo Source”, followed by “Application”.
Run PowerShell as Administrator. At the PS prompt, run the below command:
PS:\> [System.Diagnostics.EventLog]::CreateEventSource("Foo Source", "Application")
You will not be given any response if the operation succeeds. Now try to open the event log and read the log again, and see if the event entries that were not readable earlier are now readable. You can achieve this in PowerShell too, using the below command:
PS:\> Get-EventLog -LogName "Application" -Source "Foo Source"
If you get back red-colored error text that no matches were found, it means there were no log entries for that event source. If your intention was to create a new event source and not to fix any issues (as in you are manually installing a tool, etc.), you can test creation by creating an entry for this event source:
PS:\> [System.Diagnostics.EventLog]::WriteEntry("Foo Source", "This is a sample event entry", "Information", 100)
Now run the same Get-EventLog command as above; you should see the event we just wrote.
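The create-and-verify steps above, combined into one script that can be re-run safely (an added example, not code from the original post). It assumes Windows PowerShell 5.1; Register-EventSource is a hypothetical helper name, and “Foo Source” and “Application” are the sample values used on this page.

```powershell
# Added example: idempotent event source registration.
# Register-EventSource is a hypothetical helper name (assumption, not a built-in cmdlet).
function Register-EventSource {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [string] $LogName = 'Application'
    )

    # Sources are registered under HKLM, and SourceExists also searches the
    # Security log, so both calls need an elevated session. Fail early and clearly.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run PowerShell as Administrator to register '$Source'."
    }

    if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
        # A source name can be bound to only one log per machine. Report a
        # mismatch instead of letting entries land in an unexpected log.
        $current = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
        if ($current -ne $LogName) {
            throw "'$Source' is already registered to log '$current', not '$LogName'."
        }
        return 'AlreadyRegistered'
    }

    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    return 'Created'
}

$result = Register-EventSource -Source 'Foo Source' -LogName 'Application'
"Source status: $result"

# Write a test entry, then read the newest entry back to confirm the
# message now renders with its source.
[System.Diagnostics.EventLog]::WriteEntry('Foo Source', 'This is a sample event entry', 'Information', 100)
Get-EventLog -LogName 'Application' -Source 'Foo Source' -Newest 1 |
    Format-List TimeGenerated, EntryType, EventID, Message
```

Running it a second time reports AlreadyRegistered instead of raising the exception that CreateEventSource throws for an existing source.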
Removing Event Sources
Sometimes, it becomes necessary to clean up behind tools and installers by removing their event sources. To do so, we again use similar PowerShell. The command to delete event sources is DeleteEventSource(SourceName). To delete the event source we created above, run:
PS:\> [System.Diagnostics.EventLog]::DeleteEventSource("Foo Source")
Again, you will not get a response. But hey! If you followed everything from the beginning, now you will have our test entry without an event source. If you run the “Get-EventLog” command again, this time, you will see “The description for Event ID ‘100’ in source …” as the message instead of “This is a sample event entry”. Simply open the EventLog, scroll to find the entry and delete it.