From 5c0ddaa2dbcee4271cc12a11a7ea709a3839f8ef Mon Sep 17 00:00:00 2001
From: Kyle Sabo
Date: Thu, 14 Sep 2023 14:49:07 -0700
Subject: [PATCH 1/6] Remove mention of invalid eventlog overflow policy

Support for "Retain events older than X days" was dropped in Windows Vista (and it only ever almost worked on XP/Server 2003). This was a breaking change made roughly 15 years ago, and the new policy is documented as being strictly incompatible with the old retention setting:

- XP/2003: Set reg value to 0 for "overwrite based on log size", > 0 for "overwrite based on the value as a time", and -1 for "never overwrite events"
- Vista onward: Set reg value to 0 for "overwrite based on log size" and any non-zero value for "never overwrite events".

Encouraging people to continue to try to utilize the XP/2003 behavior of setting a time will in fact make the system never overwrite events at all, which in turn will break the system when other security policies are applied (e.g. "don't allow users to log in when the security log is full" or "bug check the machine when a security event is lost").

This change does not fully remove every reference to the old behaviors across the entire code base, but it is a start.

See the description of the Retention value at https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key for details.
---
 xml/System.Diagnostics/OverflowAction.xml | 46 +----------------------
 1 file changed, 1 insertion(+), 45 deletions(-)

diff --git a/xml/System.Diagnostics/OverflowAction.xml b/xml/System.Diagnostics/OverflowAction.xml
index 3c1c0223d30..1085cccb0c5 100644
--- a/xml/System.Diagnostics/OverflowAction.xml
+++ b/xml/System.Diagnostics/OverflowAction.xml
@@ -33,9 +33,7 @@ - New entries will be discarded. -- New entries will overwrite older entries. - -- New entries will either be discarded or will overwrite existing entries depending upon the age of the existing entries. +- New entries will overwrite older entries. Use the method to set the overflow behavior for an . Check the current configured behavior of an through its property. @@ -113,47 +111,5 @@ The following example enumerates the event logs defined on the local computer an Indicates that each new entry overwrites the oldest entry when the event log is full. - - - - - - - - Field - - System - 2.0.0.0 - 4.0.0.0 - - - System.Diagnostics.EventLog - 4.0.0.0 - 4.0.1.0 - 4.0.2.0 - 5.0.0.0 - 6.0.0.0 - 7.0.0.0 - 8.0.0.0 - - - System.Diagnostics.OverflowAction - - 1 - - Indicates that new events overwrite events older than specified by the property value when the event log is full. New events are discarded if the event log is full and there are no events older than specified by the property value. - - - - - - - - - - From c378828062769f3f5dac486b5ff680990958bdc5 Mon Sep 17 00:00:00 2001 From: Kyle Sabo Date: Thu, 14 Sep 2023 15:09:39 -0700 Subject: [PATCH 2/6] Update EventLog.xml --- xml/System.Diagnostics/EventLog.xml | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/xml/System.Diagnostics/EventLog.xml b/xml/System.Diagnostics/EventLog.xml index 08088eb49b1..1e0c9b2f490 100644 --- a/xml/System.Diagnostics/EventLog.xml +++ b/xml/System.Diagnostics/EventLog.xml 
@@ -2500,17 +2500,13 @@ SVC_UPDATE.EXE System.Int32 - Gets the number of days to retain entries in the event log. - The number of days that entries in the event log are retained. The default value is 7. + Deprecated + Deprecated property to examine the current setting for an event log. Use to change the minimum number of days that each entry in the event log must be retained. - - The value depends on the configured overflow behavior of the event log. If the property for an event log is set to , then the value is 0. If the property for an event log is set to , then the value is -1. If the property for an event log is set to , then the value is greater than zero, and represents the number of days to retain event log entries when the event log is full. - - The overflow behavior only occurs when an event log reaches its size limit. When an has its set to , and the event log reaches its maximum size, then new entries are written only if they can replace entries whose age exceeds the period. Retaining event entries for a minimum period is appropriate when the event log is archived regularly. Otherwise, you risk losing new entries when the event log reaches its limit. To avoid losing new event information, set the minimum retention days for events based on your archive schedule for a particular event log. + Support for the property was removed in Windows Vista and later operating systems. Setting this value can cause the Event Log to never overwrite events, and to drop all events to the channel once it is full. 
@@ -2565,9 +2561,8 @@ SVC_UPDATE.EXE - The overflow behavior for writing new entries to the event log. - The minimum number of days each event log entry is retained. This parameter is used only if is set to . - Changes the configured behavior for writing new entries when the event log reaches its maximum file size. + The overflow behavior for writing new entries to the event log. Must not be `OverwriteOlder`. + Deprecated. Must be 0. This property represents a configuration setting for the event log represented by this instance. When the event log reaches its maximum size, this property specifies how the operating system handles new entries written by all event sources registered for the event log. Set the `action` parameter to to indicate that a new entry overwrites the oldest entry when the reaches its maximum size. If the `action` parameter is set to , the `retentionDays` parameter value is ignored. - - Set the `action` parameter to to indicate that each new entry overwrites older entries when the reaches its maximum size. Specify the number of days that events must be retained in the log using the `retentionDays` parameter. Events written within the retention range are not overwritten by new entries. - + Set the `action` parameter to to discard new events when the maximum log size is reached. If the `action` parameter is set to , the `retentionDays` parameter value is ignored. + +> [!WARNING] +> Never set the `action` parameter to . This value is deprecated and may cause the log to behave as if the `DoNotOverwrite` parameter was passed instead. > [!CAUTION] > Setting the overflow policy to specifies that new entries are discarded when the event log is full. If you use this setting, ensure the event log is regularly archived and cleared to avoid reaching its maximum size limit. From 512f2de07bf572397e8aef34670b57641dd40f3d Mon Sep 17 00:00:00 2001 
From: Kyle Sabo Date: Thu, 14 Sep 2023 15:18:11 -0700 Subject: [PATCH 3/6] Update OverflowAction.xml --- xml/System.Diagnostics/OverflowAction.xml | 45 +++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/xml/System.Diagnostics/OverflowAction.xml b/xml/System.Diagnostics/OverflowAction.xml index 1085cccb0c5..6edfb85ffbb 100644 --- a/xml/System.Diagnostics/OverflowAction.xml +++ b/xml/System.Diagnostics/OverflowAction.xml @@ -37,6 +37,9 @@ Use the method to set the overflow behavior for an . Check the current configured behavior of an through its property. +> [!WARNING] +> The `OverwriteOlder` behavior is deprecated. Using this value may cause the Event Log to behave as if the `DoNotOverwrite` value was used instead, which will cause events to be discarded when the log is full. + ## Examples The following example enumerates the event logs defined on the local computer and displays configuration details for each event log. @@ -111,5 +114,47 @@ The following example enumerates the event logs defined on the local computer an Indicates that each new entry overwrites the oldest entry when the event log is full. + + + + + + + + Field + + System + 2.0.0.0 + 4.0.0.0 + + + System.Diagnostics.EventLog + 4.0.0.0 + 4.0.1.0 + 4.0.2.0 + 5.0.0.0 + 6.0.0.0 + 7.0.0.0 + 8.0.0.0 + + + System.Diagnostics.OverflowAction + + 1 + + Deprecated + + [!WARNING] +> Do not use this value. Doing so may cause the Event Log to behave as if the `DoNotOverwrite` value was used instead. + + ]]> + + + + + + + From e6f87e6f3359a6842b2f25f12641c54ba67c9dfd Mon Sep 17 00:00:00 2001 From: Kyle Sabo Date: Thu, 14 Sep 2023 15:40:35 -0700 Subject: [PATCH 4/6] Restore missing summary line --- xml/System.Diagnostics/EventLog.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xml/System.Diagnostics/EventLog.xml b/xml/System.Diagnostics/EventLog.xml index 1e0c9b2f490..da439d34777 100644 --- a/xml/System.Diagnostics/EventLog.xml +++ b/xml/System.Diagnostics/EventLog.xml 
@@ -2562,7 +2562,8 @@ SVC_UPDATE.EXE The overflow behavior for writing new entries to the event log. Must not be `OverwriteOlder`. - Deprecated. Must be 0. + Deprecated. Must be 0. + Changes the configured behavior for writing new entries when the event log reaches its maximum file size. Date: Wed, 5 Jun 2024 18:22:15 -0700 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- xml/System.Diagnostics/EventLog.xml | 2 +- xml/System.Diagnostics/OverflowAction.xml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xml/System.Diagnostics/EventLog.xml b/xml/System.Diagnostics/EventLog.xml index da439d34777..4ecef86cfa1 100644 --- a/xml/System.Diagnostics/EventLog.xml +++ b/xml/System.Diagnostics/EventLog.xml @@ -2583,7 +2583,7 @@ SVC_UPDATE.EXE Set the `action` parameter to to discard new events when the maximum log size is reached. If the `action` parameter is set to , the `retentionDays` parameter value is ignored. > [!WARNING] -> Never set the `action` parameter to . This value is deprecated and may cause the log to behave as if the `DoNotOverwrite` parameter was passed instead. +> Never set the `action` parameter to . This value is deprecated and might cause the log to behave as if the `DoNotOverwrite` parameter was passed instead. > [!CAUTION] > Setting the overflow policy to specifies that new entries are discarded when the event log is full. If you use this setting, ensure the event log is regularly archived and cleared to avoid reaching its maximum size limit. diff --git a/xml/System.Diagnostics/OverflowAction.xml b/xml/System.Diagnostics/OverflowAction.xml index 6edfb85ffbb..90df2b33a96 100644 --- a/xml/System.Diagnostics/OverflowAction.xml +++ b/xml/System.Diagnostics/OverflowAction.xml 
@@ -38,7 +38,7 @@ Use the method to set the overflow behavior for an . Check the current configured behavior of an through its property. > [!WARNING] -> The `OverwriteOlder` behavior is deprecated. Using this value may cause the Event Log to behave as if the `DoNotOverwrite` value was used instead, which will cause events to be discarded when the log is full. +> The `OverwriteOlder` behavior is deprecated. Using this value might cause the Event Log to behave as if the `DoNotOverwrite` value was used instead, which will cause events to be discarded when the log is full. ## Examples @@ -146,7 +146,7 @@ The following example enumerates the event logs defined on the local computer an [!WARNING] -> Do not use this value. Doing so may cause the Event Log to behave as if the `DoNotOverwrite` value was used instead. +> Do not use this value. Doing so might cause the Event Log to behave as if the `DoNotOverwrite` value was used instead. ]]> From aa09fdf88b10247d78ecd1def867352cefe675f0 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Wed, 12 Mar 2025 14:58:47 -0700 Subject: [PATCH 6/6] Apply suggestions from code review --- xml/System.Diagnostics/EventLog.xml | 8 +++++--- xml/System.Diagnostics/OverflowAction.xml | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xml/System.Diagnostics/EventLog.xml b/xml/System.Diagnostics/EventLog.xml index 4ecef86cfa1..3ebed991cdd 100644 --- a/xml/System.Diagnostics/EventLog.xml +++ b/xml/System.Diagnostics/EventLog.xml 
@@ -2500,13 +2500,15 @@ SVC_UPDATE.EXE System.Int32 - Deprecated - Deprecated + This property is deprecated. + To be added. property was removed in Windows Vista and later operating systems. Setting this value can cause the Event Log to never overwrite events, and to drop all events to the channel once it is full. + +> [!IMPORTANT] +> Support for the property was removed in Windows Vista and later operating systems. Setting this value can cause the Event Log to never overwrite events, and to drop all events to the channel once it is full. diff --git a/xml/System.Diagnostics/OverflowAction.xml b/xml/System.Diagnostics/OverflowAction.xml index 90df2b33a96..caa548b011a 100644 --- a/xml/System.Diagnostics/OverflowAction.xml +++ b/xml/System.Diagnostics/OverflowAction.xml @@ -142,7 +142,7 @@ The following example enumerates the event logs defined on the local computer an 1 - Deprecated + This field is deprecated. [!WARNING]
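Review bot: In PATCH 1/6, the `@@ -113,47 +111,5 @@` hunk of OverflowAction.xml deletes the whole member entry for the field with value `1`, although the deleted lines themselves list it under System 2.0.0.0/4.0.0.0 and System.Diagnostics.EventLog 4.0.0.0 through 8.0.0.0, so after this commit the member has no documentation at all. Keep the entry and replace its summary with a deprecation notice instead. PATCH 3/6 re-adds these 45 lines in that form, so squashing 3/6 into 1/6 avoids an intermediate commit where the entry is missing.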
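Review bot: In PATCH 2/6, the `@@ -2500,17 +2500,13 @@` hunk of EventLog.xml keeps the sentence "Use to change the minimum number of days that each entry in the event log must be retained" (it carries no `-` marker), and it now sits directly before the new statement that support for the property was removed in Windows Vista and later. The two contradict each other. Drop or reword the retained sentence so the remarks no longer direct readers to set a retention period.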
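Review bot: In PATCH 2/6, the `@@ -2565,9 +2561,8 @@` hunk of EventLog.xml documents `retentionDays` as "Deprecated. Must be 0." while the remarks in the same hunk say the `retentionDays` parameter value is ignored for both remaining actions. State one contract: if a non-zero value is harmful, say what happens when it is passed; if it really is ignored, drop "Must be 0". The hunk also removes the summary line "Changes the configured behavior for writing new entries when the event log reaches its maximum file size." without a replacement, which PATCH 4/6 then has to restore; fold that fix into this patch.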
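Review bot: In PATCH 3/6, the warning added by the `@@ -37,6 +37,9 @@` hunk of OverflowAction.xml says `OverwriteOlder` is deprecated and "may cause" the `DoNotOverwrite` behavior, but gives no platform scope, whereas the remark added to EventLog.xml in PATCH 2/6 states that support was removed in Windows Vista and later. Carry the same scope into this warning so a reader who only sees the enum page learns when the fallback applies.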
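Review bot: In PATCH 5/6, the changed line in the `@@ -2583,7 +2583,7 @@` hunk of EventLog.xml still reads "as if the `DoNotOverwrite` parameter was passed", but `DoNotOverwrite` is a value given to the `action` parameter, not a parameter itself. The OverflowAction.xml hunks in the same patch say "the `DoNotOverwrite` value was used"; use "value" here as well, since the line is already being touched for the may/might change.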
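Review bot: In PATCH 6/6, the `@@ -2500,13 +2500,15 @@` hunk of EventLog.xml replaces the second "Deprecated" line with "To be added.", which reads as an unfilled placeholder on the published page. Describe what the property returns, or repeat the deprecation statement there, rather than leaving placeholder text.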