
SCRIPT to Create an Event Source using PowerShell

8 Dec 2016 | Ms-PL | 3 min read
Here is a script to create an event source using PowerShell

Sometimes, you will see a message in your Windows Event Log that Event Viewer cannot display the data because the event source is missing. To fix this, you need to create the corresponding event source. This can be easily achieved using PowerShell. I show you how, including working code.

Pre-requisite Knowledge

Typically, event sources would be “missing” in one of two cases: either the program that needed it failed to create the source when it was installed or run, or (more likely) the program was uninstalled, or (sometimes) you are trying to read the log from a different computer that does not have the event source installed. In any case, you would need to know the name of the event source required. You can figure out this name by looking at the “Event Source” field of the event entry.

Parameters

To create an event source, you need a name for your new source (called the Event Source Name) and the name of the log that the event source will belong to. If the event log entries would be written to the standard “Application”, “System” or “Security” logs, then you can use that as the name of the log. If you specify a different (custom) name, you will also need to specify a file where the entries for that log would be stored.

In this example, we look at the case where the event source exists in the standard Application log. Our event source’s name will be “Foo Source”.

The Code

We will use the .NET method “CreateEventSource” that is provided by the assembly “System.Diagnostics.dll” and encapsulated in the “EventLog” class. To run such commands, you would start off by specifying the fully qualified namespace of the class enclosed in square brackets: [System.Diagnostics.EventLog].

Then use a double-colon syntax to separate that qualification and the method you are calling. So this becomes: [System.Diagnostics.EventLog]::CreateEventSource(…parameters….).

The CreateEventSource method takes two parameters in the simplest form — the first being the name of the new event source, and the second being the event log — so it will be “Foo Source”, followed by “Application”.

Run PowerShell as Administrator. At the PS prompt, run the below command:

PS:\> [System.Diagnostics.EventLog]::CreateEventSource("Foo Source", "Application")

You will not be given any response if the operation succeeds. Now open the event log and read the log again to see if the event entries that were not readable earlier are now readable. You can do this in PowerShell too, using the below command:

PS:\> Get-EventLog -LogName "Application" -Source "Foo Source"

If you get back red colored error text saying that no matches were found, it means there were no log entries for that event source. If your intention was to create a new event source and not to fix any issues (for example, you are manually installing a tool), you can test creation by writing an entry for this event source:

PS:\> [System.Diagnostics.EventLog]::WriteEntry("Foo Source", "This is a sample event entry", "Information", 100)

Now run the same Get-EventLog command as above. You should see the event we just wrote.

Removing Event Sources

Sometimes, it becomes necessary to clean up after tools and installers by removing their event sources. To do so, we again use a similar PowerShell command. The method to delete event sources is DeleteEventSource(SourceName). To delete the event source we created above, run:

PS:\> [System.Diagnostics.EventLog]::DeleteEventSource("Foo Source")

Again, you will not get a response. But hey! If you followed everything from the beginning, you will now have our test entry without an event source. If you run the “Get-EventLog” command again, this time you will see “The description for Event ID ‘100’ in source …” as the message instead of “This is a sample event entry”. Simply open the Event Log, scroll to find the entry and delete it.
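The create, test and remove steps above can be made safe to re-run. The script below is an added example, not code from the original article: the function names are hypothetical, it assumes an elevated Windows PowerShell 5.1 session, and it reuses the article's sample values “Foo Source” and “Application”. It checks for an existing registration first, because CreateEventSource throws if the source already exists and a source can belong to only one log.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent create / test / remove of an event source.
# Function names are hypothetical; 'Foo Source' and 'Application' are the
# article's sample values.
$ErrorActionPreference = 'Stop'

function Register-EventSourceIfMissing {
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$LogName)

    # SourceExists scans every log, including Security, so it throws a
    # SecurityException when the session is not elevated.
    if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
        # A source is bound to exactly one log; stop on a mismatch instead
        # of silently writing to a log the caller did not expect.
        $current = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
        if ($current -ne $LogName) {
            throw "Source '$Source' is already registered to log '$current', not '$LogName'."
        }
        return $false   # already registered, nothing changed
    }
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    return $true        # newly registered by this call
}

function Unregister-EventSourceIfPresent {
    param([Parameter(Mandatory)][string]$Source)
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) { return $false }
    [System.Diagnostics.EventLog]::DeleteEventSource($Source)
    return $true
}

$source = 'Foo Source'
$log    = 'Application'

$created = Register-EventSourceIfMissing -Source $source -LogName $log
"Source newly created: $created"

# Write the article's sample entry, with the entry type given as the enum value.
[System.Diagnostics.EventLog]::WriteEntry($source, 'This is a sample event entry',
    [System.Diagnostics.EventLogEntryType]::Information, 100)

# Read back the newest entry for this source to confirm it renders.
Get-EventLog -LogName $log -Source $source -Newest 1 |
    Format-List TimeGenerated, EntryType, EventID, Message

# Remove the source only if this run created it, so an existing
# application's registration is left in place.
if ($created) { Unregister-EventSourceIfPresent -Source $source | Out-Null }
```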

License

This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)


Written By
India India
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

Suggestion: Prefer the PowerShell cmdlets New-EventLog, Write-EventLog - they do more than you might think.
Lyle Snodgrass, 26-Jul-17 13:11
