Problem reading event description from Windows Security Eventlog


Post by fulad » Sat, 21 Aug 2004 06:10:50


Hi,

I am trying to read the event description from the Eventlog system, but
when I try to call the API to load the DLL, it fails.

For example, here is what my code does:

1. strcpy(szKey, "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\");
2. RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &hKey);
3. RegQueryValueEx(hKey, _T("EventMessageFile"), 0, &dwType, (LPBYTE)szPath, &dwMaxPath);
4. ExpandEnvironmentStrings(szPath, szPathFile, _MAX_PATH + 1);
5. hm = LoadLibraryEx(szPathFile, 0, DONT_RESOLVE_DLL_REFERENCES);

Lines 1-4 run fine, but when I check the return value from line 2, it
shows that it's zero. However, when I change this code to look for
events under "Application", it works fine.

Any idea what I could be doing wrong or what I am missing? Any help
will be highly appreciated.

Thanks,
 
 
 


Post by Venus Mill » Sat, 21 Aug 2004 15:54:38

According to the docs, when RegOpenKey returns zero it means it was successful
(0 == ERROR_SUCCESS).
If you meant "hKey" is zero, then RegOpenKey probably failed. Check the
returned value to see why.
There is no EventMessageFile value under
SYSTEM\CurrentControlSet\Services\EventLog\Security, but there is one under
SYSTEM\...\Security\Security - maybe this is the one you want.
LoadLibraryEx should preferably be called with the LOAD_LIBRARY_AS_DATAFILE flag
too.

And finally, it's not a good idea to resolve the messages from Security log
manually. You'll have to deal with ParameterMessageFile and GuidMessageFile
too, which is not easy. Not to mention some ugly FormatMessage calls.

Better use a tool that gives you that for free, like the WMI eventlog
provider.

HTH
Ven
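
The five steps from the question with the reply's three corrections applied (compare every return code against ERROR_SUCCESS, open the Security\Security source key, map the DLL with LOAD_LIBRARY_AS_DATAFILE), as an added example that is not code from either poster. The function names build_source_key and load_message_file are made up for this example, and taking only the first entry of a semicolon-separated EventMessageFile value is a simplification.

```c
/* Added example. Windows part needs advapi32; the key builder is portable. */
#include <stdio.h>
#include <string.h>

/* Builds SYSTEM\CurrentControlSet\Services\EventLog\<log>\<source>.
   Returns 0 on success, -1 if the buffer is too small. */
int build_source_key(const char *log, const char *source, char *out, size_t cap)
{
    int n = snprintf(out, cap,
        "SYSTEM\\CurrentControlSet\\Services\\EventLog\\%s\\%s", log, source);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>

/* Returns the message DLL mapped as data, or NULL with *err set to the Win32 error. */
HMODULE load_message_file(const char *log, const char *source, LONG *err)
{
    char key[256], raw[MAX_PATH], path[MAX_PATH], *semi;
    DWORD type = 0, cb = sizeof(raw) - 1, n;
    HKEY hKey = NULL;
    HMODULE hm;

    if (build_source_key(log, source, key, sizeof(key))) { *err = ERROR_INSUFFICIENT_BUFFER; return NULL; }
    *err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, key, 0, KEY_QUERY_VALUE, &hKey);
    if (*err != ERROR_SUCCESS) return NULL;          /* 0 means success, not failure */
    *err = RegQueryValueExA(hKey, "EventMessageFile", NULL, &type, (LPBYTE)raw, &cb);
    RegCloseKey(hKey);
    if (*err != ERROR_SUCCESS) return NULL;          /* e.g. value missing on the log key */
    if (type != REG_SZ && type != REG_EXPAND_SZ) { *err = ERROR_INVALID_DATA; return NULL; }
    raw[cb] = '\0';                                  /* registry strings may lack a terminator */
    if ((semi = strchr(raw, ';')) != NULL) *semi = '\0';   /* keep first listed file only */
    n = ExpandEnvironmentStringsA(raw, path, sizeof(path));
    if (n == 0 || n > sizeof(path)) { *err = n ? ERROR_INSUFFICIENT_BUFFER : (LONG)GetLastError(); return NULL; }
    hm = LoadLibraryExA(path, NULL, LOAD_LIBRARY_AS_DATAFILE);   /* resources only */
    if (!hm) *err = (LONG)GetLastError();
    return hm;
}

int main(void)
{
    LONG err = 0;
    HMODULE hm = load_message_file("Security", "Security", &err);
    if (!hm) { printf("failed, Win32 error %ld\n", err); return 1; }
    puts("message file mapped; use it with FormatMessage(FORMAT_MESSAGE_FROM_HMODULE)");
    FreeLibrary(hm);
    return 0;
}
#endif
```

Passing "Security" alone as the key, as in the question, makes the RegQueryValueExA step fail with a nonzero error code instead of silently continuing.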


