How to log a crimson event to the custom log (for parental controls)

Now that you have set up a custom event using WMI, you can log to it. Remember that you need to be elevated to register a custom event, but you do not need to be elevated to log to the channel. The Windows Parental Controls channel is write-only for limited users and readable only when logged in as an admin.

Here is the C++ code to log a custom event.

#include <windows.h>
#include <wchar.h>      // wcslen
#include <evntprov.h>   // EventRegister, EventWrite, EventDataDescCreate, EventUnregister
#include <wpcevents.h>
#include <winevt.h>

// windows.h normally defines ARRAYSIZE already; only define it if it is missing.
#ifndef ARRAYSIZE
#define ARRAYSIZE(x)    (sizeof(x)/sizeof(x[0]))
#endif

// Size in bytes of a wide string, including its terminating null; 0 for a NULL pointer.
inline ULONG GetStringByteLength(__in PCWSTR pcsz)
{
    if (!pcsz)
    {
        return 0;
    }
    return (ULONG)((wcslen(pcsz)+1)*sizeof(WCHAR));
}

HRESULT LogCustomEvent(
    LPCWSTR pszPublisher,
    LPCWSTR pszApp,
    LPCWSTR pszAppVersion,
    LPCWSTR pszEvent,
    LPCWSTR pszColumn1,
    LPCWSTR pszColumn2,
    LPCWSTR pszColumn3,
    DWORD dwBlocked,
    LPCWSTR pszReason
    )
{
    // Returned when a required string is NULL (pszReason is not checked and may be NULL).
    HRESULT hr = E_INVALIDARG;

    if (pszPublisher != NULL &&
        pszApp != NULL &&
        pszAppVersion != NULL &&
        pszEvent != NULL &&
        pszColumn1 != NULL &&
        pszColumn2 != NULL &&
        pszColumn3 != NULL)
    {
        REGHANDLE hProvider;
        // Register us with the crimson system, so we can log to it.
        ULONG res = EventRegister(&WPCPROV, NULL, NULL, &hProvider);
        if (res == ERROR_SUCCESS)
        {
            // Array to handle all the data descriptors.
            EVENT_DATA_DESCRIPTOR eventData[WPC_ARGS_CUSTOMEVENT_CARGS];

            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_PUBLISHER], (const PVOID)pszPublisher, GetStringByteLength(pszPublisher));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_APPNAME], (const PVOID)pszApp, GetStringByteLength(pszApp));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_APPVERSION], (const PVOID)pszAppVersion, GetStringByteLength(pszAppVersion));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_EVENT], (const PVOID)pszEvent, GetStringByteLength(pszEvent));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_VALUE1], (const PVOID)pszColumn1, GetStringByteLength(pszColumn1));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_VALUE2], (const PVOID)pszColumn2, GetStringByteLength(pszColumn2));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_VALUE3], (const PVOID)pszColumn3, GetStringByteLength(pszColumn3));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_BLOCKED], (const PVOID)&dwBlocked, sizeof(dwBlocked));
            EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_REASON], (const PVOID)pszReason, GetStringByteLength(pszReason));

            res = EventWrite(hProvider, &WPCEVENT_CUSTOMEVENT, ARRAYSIZE(eventData), eventData);
            if (res == ERROR_SUCCESS)
            {
                hr = S_OK;
            }
            else
            {
                // EventWrite returns the Win32 error code itself; it does not set the last error.
                hr = HRESULT_FROM_WIN32(res);
            }

            // Release the provider registration now that the event has been written.
            EventUnregister(hProvider);
        }
        else
        {
            // EventRegister also returns its error code directly.
            hr = HRESULT_FROM_WIN32(res);
        }
    }

    return hr;
}

Now that you have logged your event, you should be able to see it in the activity viewer of the Windows Parental Controls control panel. You can also see it in the Event Viewer in the control panel: look at the channel called Microsoft-Windows-ParentalControls/Operational. The event will be logged with an ID of 13.
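
To check the result from a script instead of the Event Viewer, the following PowerShell reads event 13 back from the channel and labels its fields. It is an added example, not part of the original post. The field names are assumptions that follow the order of the WPC_ARGS_CUSTOMEVENT_* indices used above, and the function name ConvertTo-WpcCustomEvent is hypothetical.

```powershell
# Added example. Run from an elevated session: the channel is readable only by admins.
$channel = 'Microsoft-Windows-ParentalControls/Operational'   # channel named in the post
$eventId = 13                                                 # custom event id named in the post

# Assumed field order: the WPC_ARGS_CUSTOMEVENT_* indices in the order the C++ code fills them.
$fields = 'Publisher','AppName','AppVersion','Event','Value1','Value2','Value3','Blocked','Reason'

function ConvertTo-WpcCustomEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $row = [ordered]@{
            TimeCreated = $Record.TimeCreated
            UserSid     = $Record.UserId       # account whose process wrote the event
            ProcessId   = $Record.ProcessId
        }
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # Tolerate records that carry fewer properties than expected.
            $row[$fields[$i]] = if ($i -lt $Record.Properties.Count) { $Record.Properties[$i].Value } else { $null }
        }
        [pscustomobject]$row
    }
}

try {
    Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $eventId } -MaxEvents 50 -ErrorAction Stop |
        ConvertTo-WpcCustomEvent |
        Format-Table TimeCreated, UserSid, Publisher, AppName, Event, Blocked, Reason -AutoSize
}
catch {
    if ($_.Exception -is [System.UnauthorizedAccessException]) {
        Write-Warning "Access denied reading $channel. Start an elevated session and try again."
    }
    elseif ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        # Get-WinEvent reports an error when the filter matches nothing.
        Write-Warning "No event $eventId found in $channel yet."
    }
    else { throw }
}
```

Because limited users can write to the channel, the UserSid and ProcessId columns are the place to look when you need to know which account and process produced a given entry.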
