How to specify eventlog resource file in Driver Store

Question inspired by the mention of driver isolation:
How should we specify a resource file in the driver package for the "classic" event log?

I've seen some drivers that install the registry path to the resource under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System containing %13%. Of course it is not expanding and event viewer cannot find it.

Adaptation for Event log is not covered in Driver Package Isolation - Windows drivers | Microsoft Learn

Well, thanks to everyone )) So I understand that "classic" eventlog resource DLLs cannot be installed into dirid %13%. Whoever has to cope with this is on their own.

I'm actually not super familiar with event log stuff, I haven't had any chance to use it, but I can look into it for you. Can you explain a bit what you're doing and where %13% doesn't expand?

Thank you Zac for your attention.
The driver in question is one of the newer Intel Wi-Fi adapters, for example WIFI-6E-AX211 (netwtw14.sys, inf version 23.60.1.2). The eventlog message strings are embedded into the .sys file. Older versions such as netwtw8.sys install into system32\drivers, and the eventlog just worked. These newer versions install into the driver store (dirid 13) and the eventlog no longer renders the messages. Snippet from the INF:

[Reg_CommonAddEventLog_14_WinT]
HKR,, EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll;%%13%%\Netwtw14.sys"
HKR,, TypesSupported,   0x00010001, 7

So I've just copied the .sys file from (variable) driver store location to system32\drivers and edited the event DLL path in the registry. Now the events render properly.
I've asked on the Intel dev forum, but they don't seem to have a clue. Since I don't work there anymore ... it's not my problem anymore. But just curious, how should this be done?

Oh, now I understand what you mean. They've escaped the % so it's not rendering properly.

%13% -> PnP will expand this path to reflect the driver store path
%%13%% -> The string literal "%13%"

I should probably add a warning to InfVerif to catch this mistake. I'm not sure there's ever a reason to store %13% as a string literal.

So just a single % - and it will be properly expanded at install time? Good to know, thank you again!

1 Like

Yep. Seems like there was confusion because %SystemRoot% requires the % be escaped, since they're trying to store it as an environment variable that gets expanded at runtime.

1 Like
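
A check for the mistake discussed above (a numeric dirid such as %13% escaped into a string literal), as an added example that is not part of the thread and is not InfVerif's code. The function names are hypothetical and the sample text is constructed from the INF lines quoted earlier; non-numeric tokens such as %%SystemRoot%% are deliberately left alone.

```python
import re

# Escaped numeric dirid: "%%13%%" is stored as the literal text "%13%",
# which nothing expands later. "%%SystemRoot%%" (non-numeric) is not matched.
ESCAPED_DIRID = re.compile(r"%%(\d+)%%")

def strip_comment(line):
    """Drop an INF ';' comment, ignoring semicolons inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def find_escaped_dirids(inf_text):
    """Return (line_number, section, dirid, suggested_line) for each hit."""
    findings = []
    section = None
    for number, raw in enumerate(inf_text.splitlines(), start=1):
        line = strip_comment(raw).strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        for match in ESCAPED_DIRID.finditer(line):
            # Suggested fix per the thread: single % so PnP expands the dirid.
            fixed = ESCAPED_DIRID.sub(r"%\1%", line)
            findings.append((number, section, int(match.group(1)), fixed))
    return findings

# Constructed sample: the AddReg section quoted in the thread plus a comment line.
SAMPLE_INF = r'''
; a comment mentioning %%13%% must not be reported
[Reg_CommonAddEventLog_14_WinT]
HKR,, EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll;%%13%%\Netwtw14.sys"
HKR,, TypesSupported,   0x00010001, 7
'''

if __name__ == "__main__":
    for number, section, dirid, fixed in find_escaped_dirids(SAMPLE_INF):
        print(f"line {number} [{section}]: %%{dirid}%% is a literal, not dirid {dirid}")
        print(f"  suggested: {fixed}")
```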

I don't know how common it is to embed the message resource into the .sys file. I have always used a separate resource only DLL. I'm not sure it matters much, but if the messages are long, and there are several languages, it can be 'large'.

Does anyone have a strong opinion about modern best practice?

These days we have plenty of other subjects for strong opinions : (
If the eventlog message file is "close coupled" to the driver binary, it should go with the binary - to the driver store. But if the message files can have an independent life cycle - for example if we need to edit message text or add translations.... I don't know. In my support job I often read logs collected on other machines for which I don't have the message resources installed in the natural way. I have to copy these files and add them to the registry manually. Why put the messages in the .sys file? Long ago, before the concept of driver packages, I thought it was cool and hackish. Today... I don't know. For historic reasons.