I am trying to create my own event viewer. I am doing it in C#.
I got that the event log description is comprised of two parts. First, the Message Templates that come from the mc files of the logging application. A template contains optional placeholder strings (%1, %2... %n) which are then replaced by the provided string. This (the Template) is not stored in the evtx file, but read from the binaries of the logging application (dll or exe).
The second part is what replaces the string in the position of the template's placeholder. This is stored in the .evtx file inside the tag. This is then merged with the Template by the EventViewer application to display the log message to the user.
I am able to read the tag from the .evtx but have no idea how to locate and read the MessageTemplates.
Could someone help me on this?
Oh, one more thing, I also know that the MessageCategories' details are stored in a dll whose address is in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog.
What I have tried:
In C#, FormatDescription() does the job for me. But I need to know the steps it takes. So, I want to understand its functionality.
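
One way to do the template lookup and merge described above with Win32 calls, as an added example that is not part of the original post and is not the code behind FormatDescription(). It assumes a classic event source registered under the eventlog key with an `EventMessageFile` value; `MessageTemplateReader` and `Describe` are hypothetical names, and the log name, source, message ID and insertion strings are whatever the caller read from the event record.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32;

static class MessageTemplateReader // hypothetical helper, not a framework type
{
    const uint LOAD_LIBRARY_AS_DATAFILE = 0x00000002;      // map the file as data; none of its code runs
    const uint FORMAT_MESSAGE_FROM_HMODULE = 0x00000800;   // look the template up in that module
    const uint FORMAT_MESSAGE_ARGUMENT_ARRAY = 0x00002000; // inserts are passed as an array

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FreeLibrary(IntPtr hModule);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
        uint dwLanguageId, StringBuilder lpBuffer, uint nSize, string[] arguments);

    // messageId is the full 32-bit identifier: (Qualifiers << 16) | EventID for classic events.
    // Returns the merged description, or null when no registered message file has the template.
    public static string Describe(string logName, string source, uint messageId, string[] inserts)
    {
        // FormatMessage trusts the template: %5 with only two inserts reads past the array.
        // Pad to 99 entries (the highest insert number) so a short record cannot cause that.
        var args = new string[99];
        for (int i = 0; i < args.Length; i++)
            args[i] = (inserts != null && i < inserts.Length) ? inserts[i] : "%" + (i + 1);

        string keyPath = $@"SYSTEM\CurrentControlSet\Services\EventLog\{logName}\{source}";
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(keyPath))
        {
            // The value may list several files separated by ';'. GetValue expands %SystemRoot%.
            string files = key?.GetValue("EventMessageFile") as string;
            if (files == null) return null;
            foreach (string file in files.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
            {
                IntPtr module = LoadLibraryEx(file.Trim(), IntPtr.Zero, LOAD_LIBRARY_AS_DATAFILE);
                if (module == IntPtr.Zero) continue;
                try
                {
                    var buffer = new StringBuilder(32768);
                    uint length = FormatMessage(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ARGUMENT_ARRAY,
                        module, messageId, 0, buffer, (uint)buffer.Capacity, args);
                    if (length != 0) return buffer.ToString();
                }
                finally { FreeLibrary(module); }
            }
        }
        return null;
    }
}
```

When the .evtx file was collected from another machine, the registry entries and message files on the analysis host may not match the ones that wrote the event, so a null result or a mismatched description is expected for sources that are not installed locally.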