Get Incorrect handle as error with GetFileSizeEx

Time:03-19

My goal is to find the size of the log files which are present in (%SystemRoot%\System32\winevt\logs) using C (e.g. to get the file size of Application.evtx). I tried the GetFileSizeEx (https://docs.microsoft.com/fr-fr/windows/win32/api/fileapi/nf-fileapi-getfilesizeex) method but I got an error saying that an incorrect handle was passed. I passed three handles (from EvtQuery, EvtGetChannelConfigProperty, OpenEventLog) to GetFileSizeEx but I get the same error. Can I know what handle should be passed to get the size?

I found a similar question (How to find the size of log files using EvtQuery function?). I tried this but I got an invalid handle error with GetFileSizeEx.

CodePudding user response:

The default file location is C:\Windows\System32\winevt\Logs

The application log is called Application.evtx

If you want to get its size, do:

#include <iostream>
#include <filesystem>

int main() {

    std::filesystem::path example = "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx";
    std::cout << example << " size = " << std::filesystem::file_size(example) << '\n';
}

If you want to be sure to get the correct location, because an admin can move it, then look here in the registry

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\File

to get the file name

CodePudding user response:

According to the documentation for the GetFileSizeEx function:

The handle must have been created with the FILE_READ_ATTRIBUTES access right or equivalent, or the caller must have sufficient permission on the directory that contains the file.

Have you checked the result of opening the file to get the file handle? If the file failed to open, you're calling GetFileSizeEx with an invalid handle.
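The handle requirement described in the answers above, as an added C example that is not code from the original posts: GetFileSizeEx is given a file handle obtained from CreateFile with only FILE_READ_ATTRIBUTES requested, and the handle is checked before use. The function name `log_file_size` is hypothetical, and the non-Windows branch is an assumption added only so the same function builds on other systems.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#endif

/* Returns the size in bytes of the file at `path`, or -1 if it cannot be
   opened or queried. log_file_size is a name chosen for this example. */
long long log_file_size(const char *path)
{
#ifdef _WIN32
    /* GetFileSizeEx needs a file handle from CreateFile; handles returned by
       EvtQuery, EvtGetChannelConfigProperty or OpenEventLog are not file
       handles. Only FILE_READ_ATTRIBUTES is requested, and sharing is left
       fully open in case another process already has the log file open. */
    HANDLE h = CreateFileA(path, FILE_READ_ATTRIBUTES,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) {   /* check before using the handle */
        fprintf(stderr, "CreateFile failed: %lu\n", GetLastError());
        return -1;
    }
    LARGE_INTEGER size;
    BOOL ok = GetFileSizeEx(h, &size);
    if (!ok)
        fprintf(stderr, "GetFileSizeEx failed: %lu\n", GetLastError());
    CloseHandle(h);
    return ok ? size.QuadPart : -1;
#else
    /* Fallback so the example builds off Windows: same open-check-query order. */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (long long)st.st_size : -1;
#endif
}

int main(void)
{
    const char *p = "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx";
    printf("%s size = %lld\n", p, log_file_size(p));
    return 0;
}
```

If CreateFile fails, the error code printed from GetLastError distinguishes a wrong path from an access-denied condition, which is the check the second answer asks for.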
