3.2.4.1.4 Retrieving Unexpanded Event Description Strings
The Event Message File is a binary resource file defining unexpanded description strings for an event source, where the resource ID corresponds to the EventID. Thus, a string with the resource ID 5 is the unexpanded description string for events with EventID 5, where EventID is a field of EVENTLOGRECORD as specified in 2.2.3.
"EventMessageFile" value MUST be of type REG_EXPAND_SZ.
"EventMessageFile" data MAY contain environment variables enclosed by % signs. The client MUST attempt to expand an environment variable as specified in 3.2.4.1.5.4 to retrieve the full path to the resource file. If the client is accessing a remote source, it MUST then convert the expanded resource file path to a UNC path: When the path begins with an "X:" pattern, where the first character is a drive letter and the second character is ":", the client MUST transform it to \\messageSourceServer\X$\path.
The format of the resource file is specified in [PE-COFF].
"EventMessageFile" data MAY contain several paths to event message files for this source, delimited by comma or semicolon. The client MUST expand any environment variables in each file path as specified above.
When an "EventMessageFile" value is present, the client SHOULD attempt to load the resource file<51> using the SMB Protocol, as specified in [MS-SMB], and retrieve the unexpanded description string with a resource ID number corresponding to the EventID for that record.<52>
If several event message files are specified, the client MUST attempt to load the resource string from these files in the order in which the files are specified until the resource string is successfully loaded.
If the client cannot find an event description string, it SHOULD attempt to load the "PrimaryModule" value for the event log. The client SHOULD use the file whose path is found in the "PrimaryModule" value as a fallback message file for loading event description strings and all sources in the log. "PrimaryModule" data MAY contain environment variables enclosed by % signs. The client MUST attempt to expand an environment variable as specified in 3.2.4.1.5.4 to retrieve the full path to the resource file. If the client is accessing a remote source, it MUST then convert the expanded resource file path to a UNC path: When the path begins with an "X:" pattern, where the first character is a drive letter and the second character is ":", the client MUST transform it to \\messageSourceServer\X$\path.