Home > Software engineering >  ReadEventLog access Windows log describing a problem
ReadEventLog access Windows log describing a problem

Time:11-15

Code: 
 
#include  
#include  
#include  
#include  
using namespace std; 


512 * 2 # define BUFFER_SIZE 


Int main () 
{
Hkeys hkeys; 
DWORD dwType; 
Char valueBuf [BUFFER_SIZE]; 
TCHAR dllName [BUFFER_SIZE]; 
DWORD dwSize; 


//the Name of the event log. 
LPCTSTR logName=TEXT (" system "); 
DWORD fm_flags=0; 
HANDLE h; 
EVENTLOGRECORD * pevlr; 
BYTE bBuffer [BUFFER_SIZE]; 
DWORD dwRead dwNeeded; 
LPCTSTR lpSourceName; 

/* Flags for the format event */
Fm_flags |=FORMAT_MESSAGE_FROM_HMODULE; 
Fm_flags |=FORMAT_MESSAGE_ALLOCATE_BUFFER; 
Fm_flags |=FORMAT_MESSAGE_FROM_SYSTEM; 

//Step 1: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
//Open the event log. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
H=OpenEventLog (NULL, logName); 
If (h==NULL) 
{
STD: : wcout & lt; return 0; 
} 

//Step 2: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
//Initialize the event record buffer. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
Pevlr=(EVENTLOGRECORD *) & amp; BBuffer; 

//Step 3: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
//When the event log is the opened, the position of the file pointer 
//is at the beginning of the log. Read the event log records 
//sequentially until the last record has had been read. 
If (ReadEventLog (h,//the Event log handle 
EVENTLOG_FORWARDS_READ |//Reads forward 
EVENTLOG_SEQUENTIAL_READ,//Sequential read 
0,//Ignored for sequential read 
Pevlr,//a Pointer to the buffer 
BUFFER_SIZE,//the Size of buffer 
& DwRead,//the Number of bytes read 
& DwNeeded))//Bytes in the next record 
{
While (dwRead & gt; 0) 
{
//Get the event source name. 
LpSourceName=(LPCTSTR) ((LPBYTE) pevlr + sizeof (EVENTLOGRECORD)); 
Cstrings strKey; 
StrKey. The Format (TEXT (" SYSTEM \ \ CURRENTCONTROLSET \ \ SERVICES \ \ EVENTLOG \ \ % s \ \ % s "), logName, lpSourceName); 
If (RegOpenKey (HKEY_LOCAL_MACHINE, strKey, & amp; Hkeys)=={ERROR_SUCCESS) 
DwType=REG_EXPAND_SZ; 
DwSize=sizeof (valueBuf); 
If (RegQueryValueEx (hkeys, "EventMessageFile," 0, & amp; DwType, (unsigned char *) & amp; ValueBuf, & amp; DwSize)! ERROR_SUCCESS)={
Printf (" Some error occurred! \n"); 
} 
ExpandEnvironmentStrings (valueBuf dllName, dwSize); 
} 
RegCloseKey (hkeys); 

//Step 4: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
//Load the message DLL file. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
HMODULE hResources=NULL; 
HResources=LoadLibraryEx (dllName, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE); 

//Print the information if the event source and the message 
//match the parameters 
LPTSTR pMessage=NULL; 
int num=0; 
//Step 5: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
//Retrieve the message string. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
Num=FormatMessage (
Fm_flags,//the Format of the message 
HResources,//Handle to the DLL file 
Pevlr - & gt; EventID,//the Event message identifier 
MAKELCID (LANG_NEUTRAL, SUBLANG_DEFAULT), 
(LPTSTR) & amp; PMessage, 
0, 
NULL);//an Array of insert values 

FreeLibrary (hResources); 

If (pMessage) 
{
STD: : wcout & lt; LocalFree (pMessage); 
} 

DwRead -=pevlr - & gt; Length; 
Pevlr=(EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr - & gt; Length); 
} 
} 

//Step 6: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
//Close the event log. 
CloseEventLog (h); 

return 0; 
}



For 64 - bit system, compiled into x64, administrator, found for the event source is a Microsoft Windows - the Kernel - General event, through the description of the corresponding DLL is available with the computer management and see the contents of the inconsistencies, such as the description of the event ID is 12:
Operating system has been in the system time? 2019? -? The euro? -? 29 t05: shall. 500000000 z,
But from the above code access to is: invalid access code
Most event types can be the correct content several event source is not correct, somehow
Microsoft's Montana explain what reason?

CodePudding user response:

Try other types of events?
https://docs.microsoft.com/zh-cn/windows/win32/eventlog/eventlog-key

CodePudding user response:

Querying for Event Information

CodePudding user response:

refer to the second floor zgl7903 response:

Page link:https//www.codepudding.com/Softwareengineering/81956.html

Prev:For big help!!!!! I extracted from essentially a database of information conversion after the header
Next:MFC
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding