Get Incorrect handle as error with GetFileSizeEx, when trying to get the log file size in event vie

Time:03-08

My goal is to find the size of the log files present in (%SystemRoot%\System32\winevt\logs) using C (e.g. to get the file size of Application.evtx). I tried the GetFileSizeEx (https://docs.microsoft.com/fr-fr/windows/win32/api/fileapi/nf-fileapi-getfilesizeex) method but I got an error saying an incorrect handle was passed. I passed the handles from these 3 methods to GetFileSizeEx but I get the same error. Can I know what handle should be passed to get the size?

  1. EvtQuery (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtquery)

    EVT_HANDLE hResults = NULL;
    hResults =EvtQuery(NULL,L"Application",NULL, EvtQueryChannelPath);
    if (hResults !=NULL )
    {
        LARGE_INTEGER size;
        if (!GetFileSizeEx(hResults, &size))
            std::cout<<GetLastError();
    }
    else
        std::cout<<GetLastError();
    
  2. EvtGetChannelConfigProperty (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtgetchannelconfigproperty)

    EVT_HANDLE hchannel = NULL;
    hchannel =EvtOpenChannelConfig(NULL, L"Application", 0);
    if (hchannel !=NULL )
    {
        LARGE_INTEGER size;
        if (!GetFileSizeEx(hchannel, &size))
            std::cout<<GetLastError();
    }
    else
        std::cout<<GetLastError();
    
  3. OpenEventLog (https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openeventloga)

    HANDLE hevent = NULL;
    hevent =OpenEventLog(NULL, "Application");
    if (hevent !=NULL )
    {
        LARGE_INTEGER size;
        if (!GetFileSizeEx(hevent, &size))
            std::cout<<GetLastError();
    }
    else
        std::cout<<GetLastError();
    

Please find the similar question (How to find the size of log files using EvtQuery function?). I tried this but I got invalid handle as the error with GetFileSizeEx. I have also tried file operations and the stats structure, but I get the error "The system cannot find the path specified". Can anyone help me?

CodePudding user response:

The default file location is C:\Windows\System32\winevt\Logs

The application log is called Application.evtx

If you want to get its size do

    #include <iostream>
    #include <filesystem>

    int main() {

        std::filesystem::path example = "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx";
        std::cout << example << " size = " << std::filesystem::file_size(example) << '\n';
    }

If you want to be sure to get the correct location, because an admin can move it, then look here in the registry

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\File

to get the file name
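
An added example, not part of either answer: a variant of the `std::filesystem` approach that reports failures through a `std::error_code` instead of throwing, and expands `%NAME%` tokens first, because `std::filesystem` hands a path such as `%SystemRoot%\...` to the OS unexpanded. `expand_env` and `log_file_size` are hypothetical names, and it is an assumption that the registry `File` value is stored in the unexpanded form the question uses.

```cpp
// Added example, not code from the thread. Requires C++17.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <filesystem>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical helper: expand %NAME% tokens from the environment, leaving
// unknown names untouched (ExpandEnvironmentStringsW is the Win32 equivalent).
std::string expand_env(const std::string& in) {
    std::string out;
    std::size_t pos = 0;
    while (pos < in.size()) {
        const std::size_t open = in.find('%', pos);
        const std::size_t close = open == std::string::npos ? open : in.find('%', open + 1);
        if (close == std::string::npos) {        // no complete %NAME% left
            out.append(in, pos, std::string::npos);
            break;
        }
        out.append(in, pos, open - pos);         // literal text before the token
        const std::string name = in.substr(open + 1, close - open - 1);
        const char* value = name.empty() ? nullptr : std::getenv(name.c_str());
        if (value) { out += value; pos = close + 1; }
        else { out.append(in, open, close - open); pos = close; }  // keep as-is
    }
    return out;
}

// Hypothetical helper: size in bytes, or nullopt with `ec` set. A missing path
// or denied access is reported through `ec` rather than by an exception.
std::optional<std::uintmax_t> log_file_size(const std::string& raw, std::error_code& ec) {
    const std::uintmax_t n = fs::file_size(fs::path(expand_env(raw)), ec);
    if (ec) return std::nullopt;
    return n;
}

int main() {
    // Path as the question writes it; assumed form of the registry File value.
    const std::string raw = "%SystemRoot%\\System32\\winevt\\Logs\\Application.evtx";
    std::error_code ec;
    if (const auto n = log_file_size(raw, ec))
        std::printf("%s size = %ju bytes\n", expand_env(raw).c_str(), *n);
    else
        std::printf("%s: %s\n", expand_env(raw).c_str(), ec.message().c_str());
}
```

The message printed on failure separates a path that does not exist from one the caller is not permitted to query.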

CodePudding user response:

According to the doc for the GetFileSizeEx function:

The handle must have been created with the FILE_READ_ATTRIBUTES access right or equivalent, or the caller must have sufficient permission on the directory that contains the file.

Have you checked the result of opening the file to get the file handle? If the file failed to open, you're calling GetFileSizeEx with an invalid handle.
