tags:

views:

1642

answers:

2
Q: 

How to read the Windows Event Log without an EventMessageFile?

I have code that reads the Windows Event Log. It uses OpenEventLog, ReadEventLog and gets the event source and event ID. Then it looks up the source under the 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

key, loads the appropriate DLL(s) according to what is listed in EventMessageFile and finally uses FormatMessage to merge the event strings with the message DLL content to get the final event message text. This is the recommended way, and although a bit of a pain, it works great.

Until... I go lookup the source and find it doesn't have an EventMessageFile, but rather a ProvideGuid entry. This seems to be the new way (they show up on Vista and Windows 2008). Uggh -- nothing to pass to FormatMessage for looking up the message text and merging in the data strings

:(

Searching the registry for the guid does lead to references to other files (http.sys in the case of the HTTP source), but I can never get the complete message text. Do I have to use those EvtOpenSession APIs? I'm hoping not since I already have the EVENTLOGRECORD* from a call to ReadEventLog, and the fact that the software needs to run on Windows 2003 where EvtOpenSession isn't supported (only available on Vista and Windows 2008). NOTE: Some sources on Vista have ProviderGUID, and others have EventMessageFile, so the old method is still viable.

So what I'm after is a way to look at the ProviderGuid and get the DLL that needs to be passed to FormatMessage for displaying the complete event log message text.

Thanks for any input

A: 

There are Win32 APIs for reading/expanding event log entries.

See MSDN: http://msdn.microsoft.com/en-us/library/aa385780(VS.85).aspx

Anything else, and you are likely to find problems with patches, let alone service packs or new versions.

Richard  2009-03-03 17:50:51
Unfortunately, those APIs only work on Vista and Windows Server 2008 :(
DougN  2009-03-03 20:41:54
May have the wrong link. APIs exist to read the event log in earlier versions of Windows also. (Vista/Win2k8 got the first overhaul of the Event Logging system since WinNT3.1).
Richard  2009-03-03 21:05:09
Right. And those APIs are what I'm using (OpenEventLog, ReadEventLog, etc). However, they pre-suppose that you can load the event source's message file in order to call FormatMessage. If you can't find the file, you can't get the complete event message :(
DougN  2009-03-04 17:54:06
A: 

The APIs that Richard links to are for the new style Eventing system (code-named Crimson, sometimes called Manifest Based Providers) introduced in Vista/Server 2K8. One of the artifacts of this new system is new APIs to consume these logs, another is the ProviderGuid key for certain EventSources that produce events using this new framework.

I think you should use the functions on Windows Vista later to consume these logs, it should handle the work for you. You can use the EvtFormatMessage method to format the strings. I believe these APIs will also read the events produced by "Classic" providers.

If you're consuming these messages from a .NET app you can use types in the System.Diagnostics.Eventing.Reader namespace, introduced in .NET 3.5.

Matt Ellis  2009-03-29 09:02:07
Does that mean an app (the Windows Event Log Viewer for instance) running on a Win2003 machine can't read the events from a Vista machine that uses a new provider?
DougN  2009-11-18 20:48:11

related questions

Setting permissions on application event log
Is there a built-in method to binary search through the entries in the .NET EventLog.Entries collection?
Event Source question
Windows Event Logging
Simple way to backup event log on Windows Server
What is event logging? and how do I write an event log file?
Searching event log to find out when a program was uninstalled
How do you open the event log programatically?
How to identify users which are connected to a windows server via remote desktop
Custom value for the Event Log source property for ASP.NET errors
How to create Windows EventLog source from command line?
EventLog Intermittent Exception
What is the best way to write event log entries?
Event log monitoring
How do I get PowerShell to grab a logfile when it overflows?
What do I need to change to alllow my IIS7 ASP.Net 3.5 application to create an event source and log events to Windows EventLog?
How do I conditionally suppress application exceptions written to the event log?
(Windows) Exception Handling: to Event Log or to Database?
What is the easiest way using .net to check if events have been logged in the eventlog?
.NET : How to set user information in an EventLog Entry?
Deleting Custom Event Log Source Without Using Code
What is the most reliable way to create a custom event log and event source during the installation of a .Net Service
Way to read Windows EventLog with Java
How do you create an event log source using WiX