I'm trying to simulate the creation of a certain Windows event using PowerShell's New-WinEvent. The events that I try to mimic have the following top-level structure in the Event Viewer's XML view:

<Event>
  <System>
    <!--ID, provider, etc-->
  </System>
  <UserData>
    <!-- Data specific to this particular event type-->
  </UserData>
</Event>

Now, the event that I create using the following line

New-WinEvent -ProviderName Microsoft-Windows-XXX -Id 999 -Payload @("Hello world")

using the same provider and ID, gets the following XML instead:

<Event>
  <System>
    <!--ID, provider, etc-->
  </System>
  <EventData>
    <Data Name="EventWriteData">Hello world</Data>
  </EventData>
</Event>

So the payload goes into EventData instead of UserData. Is it possible to initialize the latter? If not via New-WinEvent, maybe directly via the .NET API (e.g. System.Diagnostics.EventLog.WriteEvent())?


The Event schema says:

Typically, this section will contain with the EventData or UserData section. The EventData section is used if the template does not contain a UserData section.

The event template, one assumes, is loaded from the provider's resource files. The cmdlet issues a warning that the data doesn't conform to the template if you provide, say, two strings as payload.

Using ProviderMetadata, I've pulled a template for that event by the ID. It goes:

<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="EventWriteData" inType="win:UnicodeString" outType="win:Xml"/>
</template>

Which is extremely generic - string in, XML out. And there is nothing there that would suggest UserData.

Seva Alekseyev
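
The template check described in the question, as an added example that is not part of the original post: it reads a provider's event templates and reports whether each one declares a UserData element or falls back to EventData, following the schema text quoted above. The function names and the second sample template (its `SampleEvent` element and `urn:example:constructed` namespace) are constructed for illustration, and it assumes a UserData section appears as a direct child of `<template>`.

```powershell
# Added example. Classifies an event template by the payload section it declares.
function Get-TemplateSection {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$TemplateXml)

    if ([string]::IsNullOrWhiteSpace($TemplateXml)) {
        # Events without a template carry no payload fields at all.
        return [pscustomobject]@{ Section = 'None'; Fields = @() }
    }
    $doc = [xml]$TemplateXml
    # local-name() avoids registering the events namespace set on <template>.
    $fields = @($doc.SelectNodes("/*/*[local-name()='data']") |
        ForEach-Object { $_.GetAttribute('name') })
    $userData = $doc.SelectSingleNode("/*/*[local-name()='UserData']")
    [pscustomobject]@{
        Section = if ($userData) { 'UserData' } else { 'EventData' }
        Fields  = $fields
    }
}

# Runs the check over every event a provider declares (reads metadata only).
function Get-ProviderTemplateSection {
    param([Parameter(Mandatory)][string]$ProviderName)

    (Get-WinEvent -ListProvider $ProviderName).Events | ForEach-Object {
        $r = Get-TemplateSection -TemplateXml ([string]$_.Template)
        [pscustomobject]@{ Id = $_.Id; Version = $_.Version
                           Section = $r.Section; Fields = $r.Fields -join ',' }
    }
}

# Template quoted in the question.
$fromQuestion = @'
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="EventWriteData" inType="win:UnicodeString" outType="win:Xml"/>
</template>
'@

# Constructed sample: a template that declares a UserData section.
$constructed = @'
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="Message" inType="win:UnicodeString" outType="xs:string"/>
  <UserData>
    <SampleEvent xmlns="urn:example:constructed"><Message>%1</Message></SampleEvent>
  </UserData>
</template>
'@

Get-TemplateSection $fromQuestion
Get-TemplateSection $constructed
```

On a live system, `Get-ProviderTemplateSection -ProviderName <provider>` lists the section for every event ID of that provider, which shows whether any version of the event in question declares UserData.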