3.2.4.1.3 Retrieving Event Category Strings

If an event source contains localizable category names, the server machine MUST configure them via the CategoryMessageFile and CategoryCount registry values under the log registry key described in 3.1.1.3.

CategoryMessageFile data MUST contain a single path to a category message file for this source. The path data MAY contain environment variables that are enclosed by percent signs (%). The client MUST attempt to expand an environment variable as described in 3.2.4.1.5.4 to retrieve the full path to the resource file. If the client is accessing a remote source, it MUST then convert the expanded resource file path to a UNC path; when the path begins with an "X:" pattern, where the first character is a drive letter and the second character is ":", the client MUST transform it to \\messageSourceServer\X$\path.<48>

The format of the resource file is specified in [PE-COFF].

CategoryCount is the number of categories for this event source. Unlike Event IDs and parameters, category numbers are required to be sequential starting from 1.

When both the CategoryMessageFile and CategoryCount values are present, the client SHOULD attempt to load the category resource file<49> by using the SMB Protocol, as specified in [MS-SMB], and retrieve the category resource string with the ID number that is specified by the EventCategory EVENTLOGRECORD field.<50> The client MAY retrieve all category descriptions at once and cache them for subsequent access.