Getting hold of certain event entries

Code Project, C / C++ / MFC forum
    Programm3r wrote (#1):
    Hi all, I'm using the following function to read the Source of the System events. I'm trying to check if the source name is equal to "Windows Agent" or if the EventId is equal to 21, which would indicate that the computer needs a restart. But I don't get any result, and there is without a doubt such an entry in the event log.

        #include <windows.h>
        #include <stdio.h>

        #define BUFFER_SIZE (1024 * 64)   // read buffer handed to ReadEventLog

        void DisplayEntries( )
        {
            HANDLE h;
            EVENTLOGRECORD *pevlr;
            BYTE bBuffer[BUFFER_SIZE];
            DWORD dwRead, dwNeeded, cRecords, dwThisRecord;
            int counter=0;

            // Open the System event log.
            h = OpenEventLog( NULL,       // use local computer
                              "System");  // log name
            if (h == NULL)
            {
                // Form1 is the C++ Builder form this function lives on
                Form1->msg = Form1->msg.sprintf("Could not open the System event log.");
                Form1->Memo2->Lines->Add(Form1->msg);
                return;   // nothing to read from a NULL handle
            }

            pevlr = (EVENTLOGRECORD *) &bBuffer;
            GetOldestEventLogRecord(h, &dwThisRecord);

            while (ReadEventLog(h,                        // event log handle
                                EVENTLOG_FORWARDS_READ |  // reads forward
                                EVENTLOG_SEQUENTIAL_READ, // sequential read
                                0,                        // ignored for sequential reads
                                pevlr,                    // pointer to buffer
                                BUFFER_SIZE,              // size of buffer
                                &dwRead,                  // number of bytes read
                                &dwNeeded))               // bytes in next record
            {
                // Walk every complete record returned in this buffer.
                while (dwRead > 0)
                {
                    printf("%02d  Event ID: 0x%08X ", dwThisRecord++, pevlr->EventID);
                    printf("EventType: %d  Source: %s\n", pevlr->EventType,
                           (LPSTR) ((LPBYTE) pevlr + sizeof(EVENTLOGRECORD)));

                    // NB: this compares two pointers, not the characters (see the reply below).
                    if ((LPSTR)((LPBYTE) pevlr + sizeof(EVENTLOGRECORD))=="Windows Agent")
                    {
                        MessageBox(NULL, "FOUND", "INFO",MB_OK);
                    }

                    dwRead -= pevlr->Length;
                    pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length);
                }
                pevlr = (EVENTLOGRECORD *) &bBuffer;
            }

            CloseEventLog(h);
        }
    Many thanks in advance. Regards,


    The only programmers that are better than C programmers are those who code in 1's and 0's :bob: :)  Programm3r, My Blog: ^_^


      carrivick wrote (#2):

      The first error lies in the following line:

          if ((LPSTR)((LPBYTE) pevlr + sizeof(EVENTLOGRECORD))=="Windows Agent")

      What you are performing is a pointer comparison with a static string. This is only going to work in two ways: if the expression (LPSTR)((LPBYTE) pevlr + sizeof(EVENTLOGRECORD)) is used to initialise a string class like std::string or CString etc.; a more straightforward way is to use a string comparison function, e.g. strcmp or its wide equivalent if you have a Unicode project, i.e.

          if (strcmp((LPSTR)((LPBYTE) pevlr + sizeof(EVENTLOGRECORD)), "Windows Agent") == 0)

      The other problem you might face is user privilege, as access to a system resource like the event logs may be restricted if you are not an Admin user.
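      Added example (not code from the post or from the reply above): the record-walking loop with both checks the question asks for, the strcmp fix from the reply and the EventId 21 test, written so it builds and runs off Windows. The EVENTLOGRECORD layout is mirrored in a local struct and the buffer is a constructed sample standing in for one ReadEventLog call; the source name "Windows Agent" and event id 21 come from the question, and the event code is taken from the low 16 bits of EventID, which is the value Event Viewer displays.

```c
#include <stdint.h>
#include <string.h>
/* Constructed mirror of the Win32 EVENTLOGRECORD header (56 bytes, no padding) so
   this builds off Windows; on Windows include <windows.h> and use the real struct. */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset;
} EventLogRecord;
/* Emit one record as the log would: header, ANSI SourceName, ComputerName, DWORD padding, trailing Length. */
static size_t put_record(uint8_t *dst, uint32_t event_id, const char *source, const char *computer) {
    size_t n = sizeof(EventLogRecord) + strlen(source) + 1 + strlen(computer) + 1;
    n = ((n + 3) & ~(size_t)3) + sizeof(uint32_t);
    EventLogRecord hdr = {0};
    hdr.Length = (uint32_t)n; hdr.EventID = event_id;
    memset(dst, 0, n);
    memcpy(dst, &hdr, sizeof hdr);
    strcpy((char *)dst + sizeof hdr, source);                        /* SourceName follows the header */
    strcpy((char *)dst + sizeof hdr + strlen(source) + 1, computer);  /* ComputerName follows it */
    memcpy(dst + n - sizeof(uint32_t), &hdr.Length, sizeof(uint32_t));
    return n;
}

/* The post's inner loop, corrected: strcmp instead of a pointer comparison, the event
   code taken from the low 16 bits of EventID, and a bounds check so a bad Length
   cannot walk past the bytes ReadEventLog actually returned (dwRead). */
static int count_matches(const uint8_t *buf, size_t bytes_read) {
    int hits = 0;
    while (bytes_read >= sizeof(EventLogRecord)) {
        const EventLogRecord *rec = (const EventLogRecord *)buf;
        const char *source = (const char *)buf + sizeof *rec;
        if (rec->Length < sizeof *rec || rec->Length > bytes_read) break;
        if (strcmp(source, "Windows Agent") == 0 || (rec->EventID & 0xFFFF) == 21) hits++;
        bytes_read -= rec->Length;
        buf += rec->Length;
    }
    return hits;
}

/* Constructed sample standing in for one ReadEventLog buffer: three records, of which
   the first (by source name) and the second (event code 21) should match. */
int scan_sample(void) {
    uint32_t raw[128];                 /* uint32_t storage keeps every record DWORD-aligned */
    uint8_t *p = (uint8_t *)raw;
    p += put_record(p, 0x40001000u, "Windows Agent", "HOST1");
    p += put_record(p, 0x80000015u, "Service Control Manager", "HOST1");   /* 0x15 == 21 */
    p += put_record(p, 0x00001775u, "EventLog", "HOST1");                  /* 6005, no match */
    return count_matches((const uint8_t *)raw, (size_t)(p - (uint8_t *)raw));
}
```

      On Windows the same count_matches body can replace the inner while loop of DisplayEntries, with bBuffer and dwRead as its arguments.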
