On Server 2016, if you create a new event log source as follows, with Application unquoted as shown in the official documentation here:
New-EventLog –LogName Application –Source "IT Script"
and then try to write an event, you’ll get this error:
and you’ll see this in the registry.
The Problem
I misunderstood this error at first but I think I’ve finally figured it out.
Somehow I got en dashes (Unicode 2013) into my code. The PowerShell GUI is smart enough to convert those to regular dashes when you paste a command into the blue window, so that works. But if you put the command above into a .ps1 file, preserving the en dashes, you should see the error. PowerShell interprets –LogName Application –Source "IT Script"
up to the quotation mark as the first, positional parameter, and creates a completely new event log here:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\â€LogName Application â€Source
Note that the UTF-8 for an en dash is hex E2 80 93. If we interpret those as three ASCII characters:
E2 = â Latin small letter a with circumflex
80 = € Euro symbol
93 = “ Left double quotation mark, apparently ignored here
So that explains the special characters in the registry.
If you update the .ps1 file to use normal dashes:
New-EventLog -LogName Application -Source "IT Script"
it creates the Source under Application, as expected:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\IT Script
The Fix
1. Delete the key containing the special characters from the registry.
2. Change en dashes to normal dashes:
New-EventLog -LogName "Application" -Source "IT Script"
3. Restart the Windows Event Log service and its dependent services.
4. Close and re-open Event Viewer.
5. Test creating the event again.
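
A way to catch this before a script is deployed, as an added example that is not part of the original post: it scans a .ps1 file for Unicode dashes and curly quotes and reports whether the file has a UTF-8 BOM, then shows the same bytes decoded as Windows-1252. It assumes Windows PowerShell 5.1 on a system whose ANSI code page is Windows-1252; the function name Find-UnicodePunctuation and the sample file name are hypothetical.

```powershell
# Added example, not from the original post. Find-UnicodePunctuation is a hypothetical name.
function Find-UnicodePunctuation {
    param([Parameter(Mandatory)][string]$Path)

    # Code points instead of literal characters, so this file itself stays pure ASCII.
    $suspects = @{
        0x2013 = 'en dash';           0x2014 = 'em dash'
        0x2018 = 'left single quote'; 0x2019 = 'right single quote'
        0x201C = 'left double quote'; 0x201D = 'right double quote'
    }

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and
              $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    $skip   = if ($hasBom) { 3 } else { 0 }

    # Decode as UTF-8 explicitly to see what the author typed, whatever the host would assume.
    $text   = [System.Text.Encoding]::UTF8.GetString($bytes, $skip, $bytes.Length - $skip)
    $lineNo = 0
    foreach ($line in ($text -split "`r?`n")) {
        $lineNo++
        for ($i = 0; $i -lt $line.Length; $i++) {
            $cp = [int]$line[$i]
            if ($suspects.ContainsKey($cp)) {
                [pscustomobject]@{
                    Line       = $lineNo
                    Column     = $i + 1
                    CodePoint  = 'U+{0:X4}' -f $cp
                    Name       = $suspects[$cp]
                    HasUtf8Bom = $hasBom
                }
            }
        }
    }
}

# Constructed sample: the failing command from the post, saved as UTF-8 without a BOM.
$en      = [char]0x2013
$sample  = Join-Path $env:TEMP 'endash-sample.ps1'
$content = "New-EventLog ${en}LogName Application ${en}Source `"IT Script`""
[System.IO.File]::WriteAllText($sample, $content, [System.Text.UTF8Encoding]::new($false))

Find-UnicodePunctuation -Path $sample | Format-Table -AutoSize

# The same bytes decoded as Windows-1252, which is where the registry key name came from.
[System.Text.Encoding]::GetEncoding(1252).GetString([System.IO.File]::ReadAllBytes($sample))

Remove-Item $sample
```

A hit with HasUtf8Bom set to False is the case described above: Windows PowerShell reads a BOM-less script in the ANSI code page, so the dash is no longer seen as a parameter prefix.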