7889
社区成员
42.1w+
社区内容
- 主页
ReadEventLog获取windows系统日志描述的一个问题
代码:
对于64位系统,编译成x64,用管理员执行,发现对于事件源是Microsoft-Windows-Kernel-General的事件,通过对应dll获取到的描述跟在计算机管理看到的内容不一致,比如事件ID是12的描述是:
操作系统已在系统时间 2019-08-29T05:44:16.500000000Z 启动。
但是从上面代码获取到的却是:访问码无效
大部分事件类型都能得到正确的内容就有几个event source不正确,不知何故
微软的大拿解析下啥原因?
#include <atlbase.h>
#include <atlstr.h>
#include <iostream>
#include <string>
using namespace std;
#define BUFFER_SIZE 512*2
int main()
{
HKEY hKey;
DWORD dwType;
char valueBuf[BUFFER_SIZE];
TCHAR dllName[BUFFER_SIZE];
DWORD dwSize;
// Name of the event log.
LPCTSTR logName = TEXT("system");
DWORD fm_flags = 0;
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
DWORD dwRead, dwNeeded;
LPCTSTR lpSourceName;
/* Flags for format event */
fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
fm_flags |= FORMAT_MESSAGE_FROM_SYSTEM;
// Step 1: ---------------------------------------------------------
// Open the event log. ---------------------------------------------
h = OpenEventLog(NULL, logName);
if (h == NULL)
{
std::wcout << L"Could not open the event log." << std::endl;
return 0;
}
// Step 2: ---------------------------------------------------------
// Initialize the event record buffer. -----------------------------
pevlr = (EVENTLOGRECORD *)&bBuffer;
// Step 3: ---------------------------------------------------------
// When the event log is opened, the position of the file pointer
// is at the beginning of the log. Read the event log records
// sequentially until the last record has been read.
if (ReadEventLog(h, // Event log handle
EVENTLOG_FORWARDS_READ | // Reads forward
EVENTLOG_SEQUENTIAL_READ, // Sequential read
0, // Ignored for sequential read
pevlr, // Pointer to buffer
BUFFER_SIZE, // Size of buffer
&dwRead, // Number of bytes read
&dwNeeded)) // Bytes in the next record
{
while (dwRead > 0)
{
// Get the event source name.
lpSourceName = (LPCTSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD));
CString strKey;
strKey.Format(TEXT("SYSTEM\\CURRENTCONTROLSET\\SERVICES\\EVENTLOG\\%s\\%s"), logName, lpSourceName);
if (RegOpenKey(HKEY_LOCAL_MACHINE, strKey, &hKey) == ERROR_SUCCESS) {
dwType = REG_EXPAND_SZ;
dwSize = sizeof(valueBuf);
if (RegQueryValueEx(hKey, "EventMessageFile", 0, &dwType, (unsigned char*)&valueBuf, &dwSize) != ERROR_SUCCESS) {
printf("Some error occurred!\n");
}
ExpandEnvironmentStrings(valueBuf, dllName, dwSize);
}
RegCloseKey(hKey);
// Step 4: ---------------------------------------------------------
// Load the message DLL file. --------------------------------------
HMODULE hResources = NULL;
hResources = LoadLibraryEx(dllName, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE);
// Print the information if the event source and the message
// match the parameters
LPTSTR pMessage = NULL;
int num = 0;
// Step 5: ----------------------------------------------
// Retrieve the message string. -------------------------
num = FormatMessage(
fm_flags, // Format of message
hResources, // Handle to the DLL file
pevlr->EventID, // Event message identifier
MAKELCID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&pMessage,
0,
NULL); // Array of insert values
FreeLibrary(hResources);
if (pMessage)
{
std::wcout << L"Event message:" << pMessage << std::endl;
LocalFree(pMessage);
}
dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)((LPBYTE)pevlr + pevlr->Length);
}
}
// Step 6: -------------------------------------------------------------
// Close the event log.
CloseEventLog(h);
return 0;
}
对于64位系统,编译成x64,用管理员执行,发现对于事件源是Microsoft-Windows-Kernel-General的事件,通过对应dll获取到的描述跟在计算机管理看到的内容不一致,比如事件ID是12的描述是:
操作系统已在系统时间 2019-08-29T05:44:16.500000000Z 启动。
但是从上面代码获取到的却是:访问码无效
大部分事件类型都能得到正确的内容就有几个event source不正确,不知何故
微软的大拿解析下啥原因?
...全文
hurryboylqs 2020年03月26日
就这么沉下去了,擦
hurryboylqs 2020年03月20日
就是根据MSDN例子写的,代码也就那么几行
zgl7903 2020年03月19日
zgl7903 2020年03月19日