How do I read boot time events on Windows 7?

Question

I am trying to use the ETW functions without success to read the file:

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

In order to capture boot time events.

I have tried various functions -

• OpenTrace gives an error 161
• EvtQuery gives an error 15000

Does anyone have a native code example of reading system trace files?

Answer 1

I got this working as follows -

LPWSTR pwsPath = L"Microsoft-Windows-Diagnostics-Performance/Operational";
LPWSTR pwsQuery = L"Event/System[EventID=100]";

hResults = EvtQuery(NULL, pwsPath, pwsQuery,
                    EvtQueryChannelPath | EvtQueryReverseDirection);

The channel name can be found by going to Properties on an eventlog and using it's Full Name.

The error 15000 was due to me trying to open the log file with the given flags rather than the channel name.

Answer 2

Not sure what API is returning error to you. Have you looked at this post, this provides an example of how to open and read an event log.