I am trying to fetch AD Federation Service related events programmatically from the registry through a key named "EventMessageFile", which stores the path of the application DLL/EXE.
I have searched for the path where events are stored in the registry.
In the registry, events are stored at the location "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
Refer to this MSDN link: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx
However, I did not find any entry related to "Active Directory Federation Service" in this registry location.
In Event Viewer I found the source for the AD Federation Service events as "AD FS" and the Log Name as "AD FS/Admin".
When I searched for this location in the registry, I found this path: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AD FS/Admin". This location does not contain any key named "EventMessageFile".
Can anyone help me to understand the following questions?
1. How do AD Federation Service events work?
2. Where is the EventMessageFile entry present in the registry for the Federation Service on Windows Server 2k12 R2?
3. Are Federation Service events collected from more than one DLL?
Any assistance would be really helpful to solve the issue.
Sandeep Gupta