ReadEventLog获取windows系统日志描述的一个问题

hurryboylqs 2020-03-19 04:02:56
代码:

#include <atlbase.h>
#include <atlstr.h>
#include <iostream>
#include <string>
using namespace std;


#define BUFFER_SIZE 512*2


int main()
{
HKEY hKey;
DWORD dwType;
char valueBuf[BUFFER_SIZE];
TCHAR dllName[BUFFER_SIZE];
DWORD dwSize;


// Name of the event log.
LPCTSTR logName = TEXT("system");
DWORD fm_flags = 0;
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
DWORD dwRead, dwNeeded;
LPCTSTR lpSourceName;

/* Flags for format event */
fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
fm_flags |= FORMAT_MESSAGE_FROM_SYSTEM;

// Step 1: ---------------------------------------------------------
// Open the event log. ---------------------------------------------
h = OpenEventLog(NULL, logName);
if (h == NULL)
{
std::wcout << L"Could not open the event log." << std::endl;
return 0;
}

// Step 2: ---------------------------------------------------------
// Initialize the event record buffer. -----------------------------
pevlr = (EVENTLOGRECORD *)&bBuffer;

// Step 3: ---------------------------------------------------------
// When the event log is opened, the position of the file pointer
// is at the beginning of the log. Read the event log records
// sequentially until the last record has been read.
if (ReadEventLog(h, // Event log handle
EVENTLOG_FORWARDS_READ | // Reads forward
EVENTLOG_SEQUENTIAL_READ, // Sequential read
0, // Ignored for sequential read
pevlr, // Pointer to buffer
BUFFER_SIZE, // Size of buffer
&dwRead, // Number of bytes read
&dwNeeded)) // Bytes in the next record
{
while (dwRead > 0)
{
// Get the event source name.
lpSourceName = (LPCTSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD));
CString strKey;
strKey.Format(TEXT("SYSTEM\\CURRENTCONTROLSET\\SERVICES\\EVENTLOG\\%s\\%s"), logName, lpSourceName);
if (RegOpenKey(HKEY_LOCAL_MACHINE, strKey, &hKey) == ERROR_SUCCESS) {
dwType = REG_EXPAND_SZ;
dwSize = sizeof(valueBuf);
if (RegQueryValueEx(hKey, "EventMessageFile", 0, &dwType, (unsigned char*)&valueBuf, &dwSize) != ERROR_SUCCESS) {
printf("Some error occurred!\n");
}
ExpandEnvironmentStrings(valueBuf, dllName, dwSize);
}
RegCloseKey(hKey);

// Step 4: ---------------------------------------------------------
// Load the message DLL file. --------------------------------------
HMODULE hResources = NULL;
hResources = LoadLibraryEx(dllName, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE);

// Print the information if the event source and the message
// match the parameters
LPTSTR pMessage = NULL;
int num = 0;
// Step 5: ----------------------------------------------
// Retrieve the message string. -------------------------
num = FormatMessage(
fm_flags, // Format of message
hResources, // Handle to the DLL file
pevlr->EventID, // Event message identifier
MAKELCID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&pMessage,
0,
NULL); // Array of insert values

FreeLibrary(hResources);

if (pMessage)
{
std::wcout << L"Event message:" << pMessage << std::endl;
LocalFree(pMessage);
}

dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)((LPBYTE)pevlr + pevlr->Length);
}
}

// Step 6: -------------------------------------------------------------
// Close the event log.
CloseEventLog(h);

return 0;
}



对于64位系统,编译成x64,用管理员执行,发现对于事件源是Microsoft-Windows-Kernel-General的事件,通过对应dll获取到的描述跟在计算机管理看到的内容不一致,比如事件ID是12的描述是:
操作系统已在系统时间 ‎2019‎-‎08‎-‎29T05:44:16.500000000Z 启动。
但是从上面代码获取到的却是:访问码无效
大部分事件类型都能得到正确的内容就有几个event source不正确,不知何故
微软的大拿解析下啥原因?
...全文
188 点赞 收藏 4
写回复
4 条回复
hurryboylqs 2020年03月26日
就这么沉下去了,擦
回复 点赞
hurryboylqs 2020年03月20日
引用 2 楼 zgl7903 的回复:
Querying for Event Information
就是根据MSDN例子写的,代码也就那么几行
回复 点赞
zgl7903 2020年03月19日
zgl7903 2020年03月19日
回复 点赞
发动态
发帖子
VC/MFC
创建于2007-09-28

7889

社区成员

42.1w+

社区内容

VC/MFC相关问题讨论
社区公告
暂无公告