Question

I have code that reads the Windows Event Log. It uses OpenEventLog, ReadEventLog and gets the event source and event ID. Then it looks up the source under the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

key, loads the appropriate DLL(s) according to what is listed in EventMessageFile and finally uses FormatMessage to merge the event strings with the message DLL content to get the final event message text. This is the recommended way, and although a bit of a pain, it works great.

Until... I go look up the source and find it doesn't have an EventMessageFile, but rather a ProviderGuid entry. This seems to be the new way (they show up on Vista and Windows 2008). Uggh -- nothing to pass to FormatMessage for looking up the message text and merging in the data strings :(

Searching the registry for the guid does lead to references to other files (http.sys in the case of the HTTP source), but I can never get the complete message text. Do I have to use those EvtOpenSession APIs? I'm hoping not since I already have the EVENTLOGRECORD* from a call to ReadEventLog, and the fact that the software needs to run on Windows 2003 where EvtOpenSession isn't supported (only available on Vista and Windows 2008). NOTE: Some sources on Vista have ProviderGUID, and others have EventMessageFile, so the old method is still viable.

So what I'm after is a way to look at the ProviderGuid and get the DLL that needs to be passed to FormatMessage for displaying the complete event log message text.

Thanks for any input.


Solution

The APIs that Richard links to are for the new style Eventing system (code-named Crimson, sometimes called Manifest Based Providers) introduced in Vista/Server 2K8. One of the artifacts of this new system is new APIs to consume these logs, another is the ProviderGuid key for certain EventSources that produce events using this new framework.

I think you should use the functions on Windows Vista and later to consume these logs; it should handle the work for you. You can use the EvtFormatMessage method to format the strings. I believe these APIs will also read the events produced by "Classic" providers.

If you're consuming these messages from a .NET app you can use types in the System.Diagnostics.Eventing.Reader namespace, introduced in .NET 3.5.
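As an added illustration of the approach recommended in this answer (example code written for this page, not code from the question or the answer), the following C# program reads the newest events from a channel through the System.Diagnostics.Eventing.Reader types and lets the API resolve the message text itself. FormatDescription() is the managed counterpart of EvtFormatMessage: it locates the provider's message resources whether the source is registered the classic way (EventMessageFile) or as a manifest-based provider (ProviderGuid), so no registry walk or manual FormatMessage call is needed. The channel name, the maximum event count and the output layout are assumptions for the demo; it requires .NET Framework 3.5 or later on Windows Vista / Server 2008 or newer.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Added example (not from the original answer): dump the newest events from a
// channel using the Vista-era Windows Event Log API via .NET 3.5's
// System.Diagnostics.Eventing.Reader namespace.
class EventLogDump
{
    static void Main(string[] args)
    {
        // Channel and maximum count are assumptions for this demo; adjust as needed.
        string channel = args.Length > 0 ? args[0] : "Application";
        int max = args.Length > 1 ? int.Parse(args[1]) : 20;

        // "*" is an XPath selector matching every event in the channel.
        var query = new EventLogQuery(channel, PathType.LogName, "*")
        {
            ReverseDirection = true   // newest events first
        };

        using (var reader = new EventLogReader(query))
        {
            for (int i = 0; i < max; i++)
            {
                using (EventRecord record = reader.ReadEvent())
                {
                    if (record == null) break;   // no more events in the channel

                    // ProviderId is null for classic (registry/EventMessageFile) sources
                    // and carries the ProviderGuid for manifest-based providers.
                    string providerGuid = record.ProviderId.HasValue
                        ? record.ProviderId.Value.ToString()
                        : "(classic provider)";

                    Console.WriteLine("{0} {1} [{2}] id={3} provider={4} guid={5}",
                        record.TimeCreated, LevelName(record), record.LogName,
                        record.Id, record.ProviderName, providerGuid);
                    Console.WriteLine("    " + MessageOrReason(record));
                }
            }
        }
    }

    // FormatDescription() merges the event's data strings into the provider's
    // message template, exactly the job FormatMessage did for classic sources.
    static string MessageOrReason(EventRecord record)
    {
        try
        {
            return record.FormatDescription() ?? "(no message template)";
        }
        catch (EventLogException ex)
        {
            // Typical when the provider's message DLL or manifest is not installed
            // on the machine doing the reading (e.g. a log copied from elsewhere).
            return "(message unavailable: " + ex.Message + ")";
        }
    }

    // Level names also come from provider metadata and can be missing for the
    // same reason, so fall back to the raw numeric level.
    static string LevelName(EventRecord record)
    {
        try
        {
            return record.LevelDisplayName ?? ("Level" + record.Level);
        }
        catch (EventLogException)
        {
            return "Level" + record.Level;
        }
    }
}
```

Run it as `EventLogDump.exe Application 20` (or with a channel such as `Security`, which needs an elevated prompt). Because the reader resolves message text through the provider metadata, events whose message DLL or manifest is absent on the reading machine come back with the "message unavailable" marker rather than a half-merged string, which is the failure mode worth checking for when processing logs collected from other hosts.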

OTHER TIPS

There are Win32 APIs for reading/expanding event log entries.

See MSDN: http://msdn.microsoft.com/en-us/library/aa385780(VS.85).aspx

Anything else, and you are likely to find problems with patches, let alone service packs or new versions.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow