{"id":602,"date":"2025-10-12T17:04:06","date_gmt":"2025-10-12T17:04:06","guid":{"rendered":"https:\/\/eventlogxp.com\/blog\/?p=602"},"modified":"2025-10-12T21:18:01","modified_gmt":"2025-10-12T21:18:01","slug":"windows-event-log-api-bug-ruins-most-event-log-software","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/windows-event-log-api-bug-ruins-most-event-log-software\/","title":{"rendered":"Windows Event Log API Bug Ruins Most Event Log Software"},"content":{"rendered":"<p>Recently, our support team received a bug report that <strong>Event Log Explorer<\/strong> was displaying incorrect task categories for Security event logs.<br \/>\nThe user reported that on their <strong>Windows 11 24H2 and 25H2<\/strong> systems, Event Log Explorer showed the <em>same<\/em> category for all security events.<\/p>\n<p>At first, we couldn\u2019t believe it \u2014 so we tested it ourselves.<\/p>\n<p>Sure enough, we reproduced the issue immediately.<br \/>\n<a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories.png\" data-rel=\"lightbox-gallery-uoiBjdkx\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-603\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories-300x216.png\" alt=\"Same task categories in the log\" width=\"300\" height=\"216\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories-300x216.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories-1024x739.png 1024w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories-768x554.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories-660x476.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/same-categories.png 1231w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>And yet, <strong>Windows Event Viewer<\/strong> 
displayed everything correctly.<\/p>\n<p><strong>&#x1f50d; <\/strong><strong>Checking Older Windows Versions<\/strong><\/p>\n<p>Suspecting a Windows regression rather than a bug in our code, we tested on <strong>Windows 11 22H2<\/strong> \u2014 and everything worked perfectly.<\/p>\n<p>Even more interesting, we crossed the two systems:<\/p>\n<ul>\n<li>Running Event Log Explorer <strong>on 22H2<\/strong> to read logs <strong>from 24H2<\/strong> \u2192 &#x2705; <em>task names display correctly<\/em><\/li>\n<li>Running Event Log Explorer <strong>on 24H2<\/strong> to read logs <strong>from 22H2<\/strong> \u2192 &#x274c; <em>task names display incorrectly<\/em><\/li>\n<\/ul>\n<p>In both cases the outcome followed the OS of the machine running the viewer, not the machine that produced the log. That ruled out both our parsing logic and the log data itself and clearly pointed to an <strong>API-level problem<\/strong> in Windows 11 24H2 \/ 25H2.<\/p>\n<p><strong>&#x1f9ea;<\/strong><strong>Testing Other Tools<\/strong><\/p>\n<p>To verify further, we tested with other event-log viewers.<\/p>\n<p><strong>NirSoft\u2019s FullEventLogView<\/strong><\/p>\n<p>It showed the same issue \u2014 identical task names for every Security event.<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/FullEventViewIssue.png\" data-rel=\"lightbox-gallery-uoiBjdkx\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-604\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/FullEventViewIssue-300x156.png\" alt=\"FullEventView has the same issue\" width=\"300\" height=\"156\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/FullEventViewIssue-300x156.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/FullEventViewIssue-768x400.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/FullEventViewIssue-660x344.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/FullEventViewIssue.png 772w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Interestingly, Event Log Explorer 
and FullEventLogView even displayed <em>different<\/em> wrong names.<\/p>\n<p><strong>Microsoft\u2019s Own Utilities<\/strong><\/p>\n<p>Let\u2019s check wevtutil, Microsoft\u2019s own command-line tool, by dumping the newest 30 Security events as text:<\/p>\n<blockquote><p>wevtutil.exe qe Security \/c:30 \/f:text &gt; security.txt<\/p><\/blockquote>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/WevutilResult.png\" data-rel=\"lightbox-gallery-uoiBjdkx\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-605\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/WevutilResult-300x190.png\" alt=\"wevtutil displays incorrectly\" width=\"300\" height=\"190\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/WevutilResult-300x190.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/WevutilResult.png 570w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>When reviewing security.txt, we found that every event \u2014 even logon events \u2014 had the same category: <strong>User Account Management<\/strong>.<\/p>\n<p><strong>PowerShell<\/strong><\/p>\n<p>Then we tried PowerShell. Run it as Administrator (reading the Security log requires it) and enter:<\/p>\n<blockquote><p>$Events = Get-WinEvent -LogName Security -MaxEvents 30<\/p>\n<p>$Events | Select-Object -Property Id, Task, TaskDisplayName<\/p><\/blockquote>\n<p>Here <em>Task<\/em> is the numeric task ID stored in the record and <em>TaskDisplayName<\/em> is the name the API resolves for it.<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/PowerShell-IncorrrectTask.png\" data-rel=\"lightbox-gallery-uoiBjdkx\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-606\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/PowerShell-IncorrrectTask-300x205.png\" alt=\"Powershell also displays incorrect task name\" width=\"300\" height=\"205\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/PowerShell-IncorrrectTask-300x205.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/PowerShell-IncorrrectTask-768x526.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/PowerShell-IncorrrectTask-660x452.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/10\/PowerShell-IncorrrectTask.png 979w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Again \u2014 the same task name appears for different task IDs. The numeric IDs themselves differ from event to event, so the records are intact; it is the ID-to-name resolution that is broken.<\/p>\n<p>&#x2705; <strong>Conclusion:<\/strong> this is a <strong>Windows Event Log API bug<\/strong>, not an Event Log Explorer issue.<\/p>\n<p>But\u2026 why does the built-in Event Viewer still work?<\/p>\n<p><strong>&#x2699;&#xfe0f;<\/strong><strong> How the Windows Event Log API Works<\/strong><\/p>\n<p>Windows does <strong>not<\/strong> store the task category as text.<br \/>\nTo save disk space, it stores a <strong>numeric ID<\/strong>, and software must resolve it to text using the provider\u2019s message file.<\/p>\n<p>In pre-Vista days, developers had to locate the category message file registered for the event source themselves, load it, and extract the text strings.<br \/>\nThat process was slow, so caching was essential.<\/p>\n<p>Modern Windows (Vista and later) provides a cleaner API:<\/p>\n<ol>\n<li>Open the publisher (event source) metadata:<br \/>\nhMetadata = EvtOpenPublisherMetadata(&#8230;)<\/li>\n<li>Retrieve the task name for an event handle hEvent:<br \/>\nEvtFormatMessage(hMetadata, hEvent, &#8230;, EvtFormatMessageTask, &#8230;)<\/li>\n<li>Close the metadata handle:<br \/>\nEvtClose(hMetadata)<\/li>\n<\/ol>\n<p>Opening publisher metadata is not free, so developers often cache the handle and reuse it for every event from that publisher instead of repeating steps 1 and 3.<br \/>\nHowever, that optimization exposes a <strong>serious bug<\/strong> in recent Windows builds.<\/p>\n<p><strong>&#x1f41e;<\/strong><strong>The Root Cause<\/strong><\/p>\n<p>If you <strong>close and reopen<\/strong> the metadata handle for every event, task names are resolved correctly. So we believe this is what Event Viewer does.<br \/>\nBut if you reuse the same handle across events, EvtFormatMessage seems to <strong>cache results internally<\/strong> \u2014<br \/>\nand that cache is keyed only on the <em>metadata handle<\/em>, not on the <em>task ID<\/em>. Whatever name was resolved first through a handle is then returned for every later call through it, which would also explain why different viewers show different wrong names.<\/p>\n<p>In other words:<\/p>\n<p>Microsoft\u2019s internal caching forgets to include the task ID in the cache key when formatting messages.<\/p>\n<p>Interestingly, the semi-documented RPC method <strong>EvtRpcMessageRender<\/strong> (part of the MS-EVEN6 event log remoting protocol that the client API uses under the hood) behaves correctly.<\/p>\n<p><strong>&#x1f9f0;<\/strong><strong> Our Fix in Event Log Explorer 5.7.2<\/strong><\/p>\n<p>As soon as we identified the cause, we released <strong>Event Log Explorer 5.7.2<\/strong>, which includes robust workarounds for this Windows API bug.<\/p>\n<p>Affected programs:<\/p>\n<ul>\n<li><strong>Event Log Explorer<\/strong> (all editions)<\/li>\n<li><strong>Event Log Explorer Elodea Collector<\/strong><\/li>\n<li><strong>Event Log Database Exporter (Eldbx)<\/strong><\/li>\n<li><strong>Event Log Explorer Exporter (Logexport)<\/strong><\/li>\n<\/ul>\n<p>Depending on the module, we:<\/p>\n<ul>\n<li>Switched to using EvtRpcMessageRender, <strong>or<\/strong><\/li>\n<li>Continued using the standard Windows Event Log API but <strong>explicitly closed and reopened<\/strong> metadata handles.<\/li>\n<\/ul>\n<p>Internally, we now cache resolved task names ourselves, preserving high performance.<\/p>\n<p><strong>&#x2705; Recommendations<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/eventlogxp.com\/downloads\/\" target=\"_blank\" rel=\"noopener\"><strong>Update immediately<\/strong> to the latest version of <strong>Event Log Explorer<\/strong><\/a>.<\/li>\n<li>If you use other event log utilities that haven\u2019t implemented a workaround yet, switch to Event Log Explorer to ensure accurate task category display.<\/li>\n<li><strong>PowerShell users:<\/strong> do not rely on <em>TaskDisplayName<\/em>; scripts, exports and detection rules should key on the numeric <em>Task<\/em> value, which is stored in the record and unaffected, until Microsoft releases an official 
fix.<\/li>\n<\/ul>\n<p><strong>&#x1f9e9;<\/strong><strong> Final Thoughts<\/strong><\/p>\n<p>This issue highlights how a subtle regression in a low-level Windows API can silently break multiple tools at once.<br \/>\nWhile Microsoft\u2019s Event Viewer remains unaffected, nearly everything else that resolves task names through the API was impacted: third-party viewers including ours, but also wevtutil and PowerShell. For anyone feeding Security events into exports, SIEM pipelines or audit reports from an affected host, the category names cannot be trusted, while the numeric task IDs in the records remain correct.<\/p>\n<p>We\u2019ve done our part to provide reliable workarounds.<br \/>\nNow we\u2019re waiting for Microsoft to officially fix the API.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A serious bug in the Windows Event Log API causes events to show the same task category. It affects most third-party log viewers and even PowerShell \u2014 only Windows Event Viewer displays the correct data.<br \/>\nWe released Event Log Explorer 5.7.2, which includes robust workarounds for this Windows API 
bug.<\/p>\n","protected":false},"author":2,"featured_media":608,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,39],"tags":[87,86,68,55],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/602"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=602"}],"version-history":[{"count":4,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/602\/revisions"}],"predecessor-version":[{"id":611,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/602\/revisions\/611"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/608"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
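
The PowerShell reproduction and the recommendation to PowerShell users in the post above, as an added example that is not part of the original post and not Event Log Explorer's code: a script that compares the TaskDisplayName returned by Get-WinEvent (the per-event API path the post shows is broken on Windows 11 24H2/25H2) with the task table the Security provider publishes in its own metadata, and flags every task ID where the two disagree. The provider name Microsoft-Windows-Security-Auditing, the use of the .NET System.Diagnostics.Eventing.Reader.ProviderMetadata class, and the function and variable names are my assumptions; the post itself only uses Get-WinEvent. It reads the local Security log, so it has to run on Windows as Administrator.

```powershell
# Added example, not from the eventlogxp.com post or from Event Log Explorer.
# Cross-checks Get-WinEvent's TaskDisplayName against the task table that the
# Security provider publishes in its metadata. Run on Windows as Administrator.
# Assumptions (mine): the publisher of Security events is
# 'Microsoft-Windows-Security-Auditing'; all function/variable names are mine.

function Get-ProviderTaskTable {
    # Returns a hashtable { [int]TaskValue -> DisplayName } built from the
    # provider metadata, i.e. without formatting any individual event.
    param([string]$ProviderName = 'Microsoft-Windows-Security-Auditing')

    $meta = New-Object -TypeName System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ProviderName
    try {
        $table = @{}
        foreach ($task in $meta.Tasks) {
            $table[[int]$task.Value] = $task.DisplayName
        }
        return $table
    }
    finally {
        $meta.Dispose()   # releases the publisher metadata handle
    }
}

function Test-TaskNameResolution {
    # Reads the newest $MaxEvents Security events and reports, per distinct
    # numeric Task ID, the name(s) the API resolved versus the metadata name.
    param([int]$MaxEvents = 200)

    $table  = Get-ProviderTaskTable
    $events = Get-WinEvent -LogName Security -MaxEvents $MaxEvents |
              Where-Object { $null -ne $_.Task }

    $events | Group-Object -Property Task | ForEach-Object {
        $taskId   = [int]$_.Name
        $apiNames = @($_.Group | ForEach-Object { $_.TaskDisplayName } | Sort-Object -Unique)
        [pscustomobject]@{
            Task         = $taskId                      # numeric ID stored in the record
            ApiName      = ($apiNames -join ' | ')      # what EvtFormatMessage gave us
            MetadataName = $table[$taskId]              # what the provider's task table says
            Mismatch     = ($apiNames -notcontains $table[$taskId])
        }
    }
}

$report = @(Test-TaskNameResolution)
$report | Sort-Object Task | Format-Table -AutoSize

# On an affected host every row tends to carry the same ApiName (the post's
# wevtutil run saw 'User Account Management' for everything) while MetadataName
# differs, so Mismatch is True for all but one task. On a healthy host (22H2 in
# the post) the two columns agree for every row.
$bad = @($report | Where-Object { $_.Mismatch })
if ($bad.Count -gt 0) {
    Write-Warning ('TaskDisplayName disagrees with provider metadata for {0} of {1} task IDs; key scripts and detections on the numeric Task value on this host.' -f $bad.Count, $report.Count)
}
```

ProviderMetadata.Tasks resolves names from the provider's task table rather than by formatting each event with EvtFormatMessageTask, which is the path the post identifies as broken; the post does not establish whether that other path is affected, so treat the table as a cross-check and confirm it on a known-good host such as 22H2 before relying on it. The numeric Task value is read straight from the record and is unaffected either way, which is why the warning points at it.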