Reading the Windows Event Log – Event ID: Problems with Qualifiers
By: Date: February 15, 2017 Categories: Windows Event Log

You might want to monitor the Windows Event Log by using a tool built in .Net which reads certain Event IDs where the Source is the SQL Server. I prepared a small test case which shows how Windows stores the Event ID and how you should (not) read them. I am using a Windows Server 2012 R2 and Microsoft .NET Framework 4 for my test.

To build my simple “Event Log Scanner” I used the following information about the EventLogEntry Class: https://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry(v=vs.110).aspx

So first here is my simplified c# code which iterates through all entries in the “Application” part of the Windows Event Log and displays the InstanceID and EventID properties:

class GetEventlogs{
  public static void Main(){
    EventLog myLog = new EventLog();
    myLog.Log = "Application";
  
    foreach(EventLogEntry entry in myLog.Entries){
     if (entry.Source == "MSSQLSERVER") {
       Console.WriteLine("InstanceID: " + entry.InstanceId + " EventID: " + entry.EventID);
     }
    }
  
  }
}

Here you can see the results of the above code:

InstanceID: 1073758893 EventID: 17069
InstanceID: 1073791740 EventID: 49916
InstanceID: 1073758925 EventID: 17101
InstanceID: 1073758927 EventID: 17103
InstanceID: 1073758928 EventID: 17104
InstanceID: 1073760320 EventID: 18496
InstanceID: 1073757092 EventID: 15268
InstanceID: 1073758935 EventID: 17111

As you can see the InstanceID is completely different from the EventID. So even if the documentation of Microsoft says that EventID is obsolete and InstanceID should be used you will not be able to find your EventID when you are scanning for InstanceID. But let’s see why does InstanceID show a different result from EventID.

EventID is declared as an Int32 and InstanceID is declared as Int64 but actually both refer to 32bits of data. Windows stores the so called “Qualifiers” part of the EventID at the first 16 bits and the last 16 bits represent the actual EventID. To prove this here is the first Event in XML format:

Eventid_with_qualifiers

As you can see the EventID has the “Qualifiers” Property which is 16384. So let’s think a bit in binary. We can store 16384 on 16 bits as follows: 0100000000000000 and 17069 can be stored as 0100001010101101
Now when we combine these two numbers we get: 01000000000000000100001010101101 which is 1073758893. And this is the number which is displayed when we read InstanceID.

EventID 49916 does also have the following “Qualifiers” property: 16384

Qualifiers: 16384 = 0100000000000000
EventID: 49916 = 1100001011111100
InstanceID: 1073791740 = 01000000000000001100001011111100

The above examples showed the difference between EventID and InstanceID, namely that EventID reads only the last 16 bits (or 2 bytes) of the Windows Event Log Event ID but InstanceID contains the whole 32 bits (4 bytes) of data.

One thought on “Reading the Windows Event Log – Event ID: Problems with Qualifiers

  1. While the Qualifier is definitely the first 16 bits, the .NET docs imply that the EventID is actually the last 30 bits, with only the first 2 bits masked off. The 30th bit is the “Customer” bit, so it appears that for system-generated event entries/codes, there is no difference between the 30-bit and 16-bit values. However, it seems there is the ability for a customer to generate their own entirely different/overlapping set of event codes, in which case the 30th bit is relevant.

Leave a Reply to Daniel Widdis Cancel reply

Your email address will not be published. Required fields are marked *