According to Microsoft:
"If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file."
... but I'm not having any luck...
For example, there are several examples of reading the logs (some of which are part of JNA, such as Advapi32Util.EventLogIterator(logName), others of which are offered in online tutorials such as this one: https://stackoverflow.com/a/66343548/3196753), and I can get the log category using EventLogRecord.getRecord().EventCategory; however, when I pass in a garbage value for "logName", it returns the exact same value for category as when I pass in a valid value (such as "Application").
In regards to "string file", I thought perhaps this was part of record.getStrings(), but those too are identical between garbage values and valid values. I'm at a loss for detecting this fallback behavior.
I had a third idea to get the last log entry and compare the record number (e.g. GetOldestEventLogRecord), but this will suffer concurrency problems (since it's a live value, it's subject to change) so it would be a crude hack to detect a fallback.
b) open the "Setup" log
Specifically this portion:
"The name of the event source whose handle is to be retrieved. The source name must be a subkey of a log under the Eventlog registry key. Note that the Security log is for system use only."
Following this guidance, I run:
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog
which returns values such as "Windows PowerShell" and "HardwareEvents", both of which are accepted through the API.
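One way to act on that guidance, as an added example that is not part of the question or of JNA's own samples: enumerate the subkeys of the Eventlog registry key with JNA's Advapi32Util.registryGetKeys and only pass a name to OpenEventLog when it is a real subkey. That prevents the silent fallback to "Application" rather than trying to detect it afterwards. The class and method names below (LegacyLogNameCheck, resolveLogName, openClassicLogStrict) are hypothetical; the JNA calls are from jna-platform.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinReg;

import java.util.Arrays;
import java.util.Optional;

/**
 * Added example (hypothetical class, not from the question or from JNA): decide whether a
 * log name is a registered classic event log before handing it to OpenEventLog, so the
 * documented silent fallback to "Application" never has to be detected after the fact.
 */
public final class LegacyLogNameCheck {

    /** Key the OpenEventLogW documentation says every classic log must be a subkey of. */
    static final String EVENTLOG_KEY = "SYSTEM\\CurrentControlSet\\Services\\EventLog";

    private LegacyLogNameCheck() {}

    /**
     * Returns the registry-cased name of the log if {@code logName} is a direct subkey of the
     * Eventlog key, or empty if it is not. Matching is case-insensitive because the registry is.
     */
    public static Optional<String> resolveLogName(String logName) {
        if (logName == null || logName.isEmpty() || logName.contains("\\")) {
            return Optional.empty(); // a path or empty string, never a log name
        }
        String[] subkeys = Advapi32Util.registryGetKeys(WinReg.HKEY_LOCAL_MACHINE, EVENTLOG_KEY);
        return Arrays.stream(subkeys)
                .filter(k -> k.equalsIgnoreCase(logName))
                .findFirst();
    }

    /**
     * Opens a classic log only if it is registered; throws instead of letting the event log
     * service quietly hand back the Application log for an unknown name.
     */
    public static HANDLE openClassicLogStrict(String logName) {
        String canonical = resolveLogName(logName)
                .orElseThrow(() -> new IllegalArgumentException(
                        "Not a registered classic event log: " + logName));
        HANDLE h = Advapi32.INSTANCE.OpenEventLog(null, canonical);
        if (h == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        return h;
    }

    public static void main(String[] args) {
        // "Application", "Windows PowerShell" and "HardwareEvents" are names the question
        // reports seeing under the key; "NoSuchLog" is a constructed garbage value.
        String[] candidates = {"Application", "Windows PowerShell", "HardwareEvents", "NoSuchLog"};
        for (String candidate : candidates) {
            String verdict = resolveLogName(candidate)
                    .map(n -> "registered classic log '" + n + "'")
                    .orElse("not registered; OpenEventLog would fall back to Application");
            System.out.printf("%-20s -> %s%n", candidate, verdict);
        }
        HANDLE app = openClassicLogStrict("application"); // case-insensitive, resolves to "Application"
        Advapi32.INSTANCE.CloseEventLog(app);
    }
}
```

Reading the registry key does not require elevation, so the check can run before any privileged event-log call; it also rejects names containing backslashes, which would otherwise be interpreted as paths.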
Because the Setup event log is a new-format log, it can only be opened using the new API calls (EvtQuery, EvtNext, etc.); the old OpenEventLog/ReadEventLog functions do not work on it.
- String path = "C:\\Windows\\System32\\Winevt\\Logs\\System.evtx";
+ String path = "C:\\Windows\\System32\\Winevt\\Logs\\Setup.evtx"; // Change "System" to "Setup"
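Review bot: the path hard-codes "C:\Windows"; build it from the SystemRoot environment variable instead (System.getenv("SystemRoot") + "\\System32\\Winevt\\Logs\\Setup.evtx") so the snippet still works where Windows is installed on another drive or directory. The trailing comment // Change "System" to "Setup" restates what the diff line already shows and can be dropped.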
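The same Setup log can be read through the Wevtapi functions the answer names without touching the .evtx file on disk, by opening the live channel by name. This is an added example, not code from the question or the answer; it assumes jna-platform 5.x with its Wevtapi, WevtapiUtil and Winevt bindings, and the class and method names (ChannelReader, readNewestAsXml) are hypothetical. Opening by channel name has the property the question was after: an unknown name makes EvtQuery fail with an error instead of silently reading a different log.

```java
import com.sun.jna.Memory;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Wevtapi;
import com.sun.jna.platform.win32.WevtapiUtil;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.platform.win32.Winevt;
import com.sun.jna.platform.win32.Winevt.EVT_HANDLE;
import com.sun.jna.ptr.IntByReference;

import java.util.ArrayList;
import java.util.List;

/**
 * Added example (hypothetical class): read the newest events of a new-format channel such as
 * "Setup" with EvtQuery/EvtNext, opening the channel by name rather than by file path.
 */
public final class ChannelReader {

    private ChannelReader() {}

    /** Returns up to {@code max} events from {@code channel}, newest first, rendered as XML. */
    public static List<String> readNewestAsXml(String channel, int max) {
        int flags = Winevt.EVT_QUERY_FLAGS.EvtQueryChannelPath
                | Winevt.EVT_QUERY_FLAGS.EvtQueryReverseDirection; // newest first
        EVT_HANDLE query = Wevtapi.INSTANCE.EvtQuery(null, channel, "*", flags);
        if (query == null) {
            // A misspelt channel name fails here (ERROR_EVT_CHANNEL_NOT_FOUND, 15007)
            // instead of falling back to another log the way OpenEventLog does.
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        List<String> out = new ArrayList<>();
        try {
            EVT_HANDLE[] batch = new EVT_HANDLE[Math.max(1, Math.min(max, 16))];
            IntByReference returned = new IntByReference();
            while (out.size() < max) {
                // 1000 ms timeout; flags must be 0 for EvtNext
                if (!Wevtapi.INSTANCE.EvtNext(query, batch.length, batch, 1000, 0, returned)) {
                    int err = Kernel32.INSTANCE.GetLastError();
                    if (err == WinError.ERROR_NO_MORE_ITEMS) {
                        break; // end of the channel
                    }
                    throw new Win32Exception(err);
                }
                // Every handle EvtNext returned must be closed, even the ones beyond max.
                for (int i = 0; i < returned.getValue(); i++) {
                    try {
                        if (out.size() < max) {
                            Memory xml = WevtapiUtil.EvtRender(null, batch[i],
                                    Winevt.EVT_RENDER_FLAGS.EvtRenderEventXml, new IntByReference());
                            out.add(xml.getWideString(0));
                        }
                    } finally {
                        Wevtapi.INSTANCE.EvtClose(batch[i]);
                    }
                }
            }
        } finally {
            Wevtapi.INSTANCE.EvtClose(query);
        }
        return out;
    }

    public static void main(String[] args) {
        String channel = args.length > 0 ? args[0] : "Setup";
        for (String xml : readNewestAsXml(channel, 5)) {
            // print only the start of each event so the output stays readable
            System.out.println(xml.substring(0, Math.min(200, xml.length())));
            System.out.println("---");
        }
    }
}
```

Run it elevated if the channel's ACL requires it; passing a constructed bad name such as "Setupp" demonstrates the failure path, since readNewestAsXml throws a Win32Exception from EvtQuery rather than returning events from some other log.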
Partially related: