Windows Event Log message strings support enhancements

[joachimmetz]

Continuation of #4169

• Add support for resource files stored as:
  • relative path "system32..."
  • as "$(runtime.system32)" or "$(runtime.windows)"
  • Changes to handling message file resource paths #4259 #4773
• Add support for WEVT_TEMPLATE .mun files (PE/COFF) under C:\Windows\SystemResources\
  • Added support for SystemResources .mun files #4259 #4774
• Look into missing message strings (see Windows Event Log message strings support enhancements #163 (comment))
  • improve WEVT_TEMPLATE support and MUI file lookup - Changes to improve Event Log message string support #4169 #4194
  • normalize path when looking up message file paths in winevt_rc, use environment variables - Changes to normalize EventLog message file paths #4169 #4198
  • Replacement index # out of range for positional args tuple - Windows Event Log message strings support enhancements #4259 (comment)
  • No message string for message: 0xffffffff - Windows Event Log message strings support enhancements #4259 (comment)
• Add parameter expansion support
  • observed fallback to event message file - Worked on support for parameter expansion #4259 #4776
  • observed fallback to MsObjs.dll and kernel32.dll (Windows 10) - Worked on support for parameter expansion #4259 #4777

[joachimmetz]

2023-12-31 15:07:02,439 [WARNING] (MainProcess) PID:109203 <winevt_rc> No message string for message: 0xffffffff (0x00000069) of provider: {315a8872-923e-4ea2-9889-33cd4754bf64}

evtxexport 20231121

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}"/>
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:11:58.243969300Z"/>
    <EventRecordID>1</EventRecordID>
    <Correlation/>
    <Execution ProcessID="2132" ThreadID="5152"/>
    <Channel>Microsoft-Windows-TWinUI/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1000"/>
  </System>
  <EventData/>
</Event>

            <provider
                guid="{315A8872-923E-4EA2-9889-33CD4754BF64}">
                <events>
                    ...
                    <event
                        value="105"
                        version="0"
                        message="$(string.MessageTable.0xffffffff)">
                    </event>

Spot check with EventViewer indicates that this is an unresolvable message string.

[joachimmetz]

2023-12-31 15:07:05,933 [ERROR] (MainProcess) PID:109203 <winevt>
Unable to format message: 0x0000f2c0
of provider: {30336ed4-e327-447c-9de0-51b652c86108}
template: "Updating install state of package {0:s} to '{1:s}' with HRESULT {2:s}."
and strings: "MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy, Completed"
with error: Replacement index 2 out of range for positional args tuple

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ED4-E327-447C-9DE0-51B652C86108}"/>
    <EventID>62144</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>62132</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000010000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:09:14.808226700Z"/>
    <EventRecordID>19</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3620" ThreadID="4576"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1000"/>
  </System>
  <EventData>
    <Data Name="PackageFamilyName">MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy</Data>
    <Data Name="InstallState">Completed</Data>
    <Data Name="ErrorCode">0</Data>
  </EventData>
</Event>

                    <event
                        value="62144"
                        version="0"
                        template="{00203874-A3F5-556D-4C97-825EF9FA2AA5}"
                        message="$(string.MessageTable.0xb000f2c0)">
                    </event>
                    ...
                    <template tid="{00203874-A3F5-556D-4C97-825EF9FA2AA5}">
                        <data
                            name="PackageFamilyName"
                            inType="win:UnicodeString"
                            outType="xs:string">
                        </data>
                        <data
                            name="InstallState"
                            inType="win:UnicodeString"
                            outType="xs:string">
                        </data>
                        <data
                            name="ErrorCode"
                            inType="win:UInt32"
                            outType="xs:unsignedInt">
                        </data>
                    <template/>

Spot check with EventViewer indicates that this should be format-able

Updating install state of package MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy to 'Completed' with HRESULT 0.

These appear recovered records where the 3rd string is not included

Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ED4-E327-447C-9DE0-51B652C86108}"/>
    <EventID>62144</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>62132</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000010000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:12:04.250958100Z"/>
    <EventRecordID>476</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3620" ThreadID="5100"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1001"/>
  </System>
  <EventData>
    <Data Name="LogonType">MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy</Data>
    <Data Name="TaskName">Completed</Data>
  </EventData>
</Event>

[joachimmetz]

Interesting edge case

5.1.11548.0

0x4008003d | %2: Ecn RP attributes (2) for port %3:%n\r\nEcnRpgMinRate = %4%n\r\nEcnMaxTimeRise = %5%n\r\nEcnMaxByteRise = %6%n\r\nEcnAlphaToRateCoeff = %7%n\r\nEcnMarkedRatioMultiplier = %8%n\r\nEcnMarkedRatioShift = %9%n\r\nEcnRateToSetOnFirstCnp = %10%n\r\nEcnDceTcpG = %11%n\r\nEcnDceTcpRtt = %12%n\r\nEcnDceTcpRttDelay = %13%n\r\nEcnInitialAlphaValue = %14%n\r\nEcnSupportIBStandardCnp = %15%n\r\nEcnCoalesceCnpInRp = %16%n\r\n

EcnRpgMinRate = %4

5.50.14643.0

0x4008003d | %2: Ecn RP attributes (2) for port %3 (%4):%n\r\nEcnRpgMinRate = %5%n\r\nEcnMaxTimeRise = %6%n\r\nEcnMaxByteRise = %7%n\r\nEcnAlphaToRateCoeff = %8%n\r\nEcnMarkedRatioMultiplier = %9%n\r\nEcnMarkedRatioShift = %10%n\r\nEcnRateToSetOnFirstCnp = %11%n\r\nEcnDceTcpG = %12%n\r\nEcnDceTcpRtt = %13%n\r\nEcnDceTcpRttDelay = %14%n\r\nEcnInitialAlphaValue = %15%n\r\nEcnSupportIBStandardCnp = %16%n\r\nEcnCoalesceCnpInRp = %17%n\r\nEcnBurstSize = %18%n\r\nEcnPriorityEnable = %19%n\r\n

EcnRpgMinRate = %5