代碼:
#include <atlbase.h>
#include <atlstr.h>
#include <iostream>
#include <string>
using namespace std;
#define BUFFER_SIZE 512*2
int main()
{
HKEY hKey;
DWORD dwType;
char valueBuf[BUFFER_SIZE];
TCHAR dllName[BUFFER_SIZE];
DWORD dwSize;
// Name of the event log.
LPCTSTR logName = TEXT("system");
DWORD fm_flags = 0;
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
DWORD dwRead, dwNeeded;
LPCTSTR lpSourceName;
/* Flags for format event */
fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
fm_flags |= FORMAT_MESSAGE_FROM_SYSTEM;
// Step 1: ---------------------------------------------------------
// Open the event log. ---------------------------------------------
h = OpenEventLog(NULL, logName);
if (h == NULL)
{
std::wcout << L"Could not open the event log." << std::endl;
return 0;
}
// Step 2: ---------------------------------------------------------
// Initialize the event record buffer. -----------------------------
pevlr = (EVENTLOGRECORD *)&bBuffer;
// Step 3: ---------------------------------------------------------
// When the event log is opened, the position of the file pointer
// is at the beginning of the log. Read the event log records
// sequentially until the last record has been read.
if (ReadEventLog(h, // Event log handle
EVENTLOG_FORWARDS_READ | // Reads forward
EVENTLOG_SEQUENTIAL_READ, // Sequential read
0, // Ignored for sequential read
pevlr, // Pointer to buffer
BUFFER_SIZE, // Size of buffer
&dwRead, // Number of bytes read
&dwNeeded)) // Bytes in the next record
{
while (dwRead > 0)
{
// Get the event source name.
lpSourceName = (LPCTSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD));
CString strKey;
strKey.Format(TEXT("SYSTEM\\CURRENTCONTROLSET\\SERVICES\\EVENTLOG\\%s\\%s"), logName, lpSourceName);
if (RegOpenKey(HKEY_LOCAL_MACHINE, strKey, &hKey) == ERROR_SUCCESS) {
dwType = REG_EXPAND_SZ;
dwSize = sizeof(valueBuf);
if (RegQueryValueEx(hKey, "EventMessageFile", 0, &dwType, (unsigned char*)&valueBuf, &dwSize) != ERROR_SUCCESS) {
printf("Some error occurred!\n");
}
ExpandEnvironmentStrings(valueBuf, dllName, dwSize);
}
RegCloseKey(hKey);
// Step 4: ---------------------------------------------------------
// Load the message DLL file. --------------------------------------
HMODULE hResources = NULL;
hResources = LoadLibraryEx(dllName, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE);
// Print the information if the event source and the message
// match the parameters
LPTSTR pMessage = NULL;
int num = 0;
// Step 5: ----------------------------------------------
// Retrieve the message string. -------------------------
num = FormatMessage(
fm_flags, // Format of message
hResources, // Handle to the DLL file
pevlr->EventID, // Event message identifier
MAKELCID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&pMessage,
0,
NULL); // Array of insert values
FreeLibrary(hResources);
if (pMessage)
{
std::wcout << L"Event message:" << pMessage << std::endl;
LocalFree(pMessage);
}
dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)((LPBYTE)pevlr + pevlr->Length);
}
}
// Step 6: -------------------------------------------------------------
// Close the event log.
CloseEventLog(h);
return 0;
}
對于64位系統,編譯成x64,用管理員執行,發現對于事件源是Microsoft-Windows-Kernel-General的事件,通過對應dll獲取到的描述跟在計算機管理看到的內容不一致,比如事件ID是12的描述是:
作業系統已在系統時間 ?2019?-?08?-?29T05:44:16.500000000Z 啟動。
但是從上面代碼獲取到的卻是:訪問碼無效
大部分事件型別都能得到正確的內容就有幾個event source不正確,不知何故
微軟的大拿決議下啥原因?
uj5u.com熱心網友回復:
試試其它的事件型別呢https://docs.microsoft.com/zh-cn/windows/win32/eventlog/eventlog-key
uj5u.com熱心網友回復:
Querying for Event Informationuj5u.com熱心網友回復:
就是根據MSDN例子寫的,代碼也就那么幾行
uj5u.com熱心網友回復:
就這么沉下去了,擦轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/20128.html
標籤:基礎類
上一篇:求大佬幫忙!!我從SQLserver資料庫中提取出的圖片資訊轉換之后表頭不是圖片
下一篇:MFC