
Using ReadEventLog()


2008-04-14 09:25:03 AM
cppbuilder72
Hi,
I wish to read the "Application" or "Service" event log on a Windows XP Pro system using the following code:
// CODE START:
HANDLE hSystemEventLog = OpenEventLog( NULL, "Application" );
//HANDLE hSystemEventLog = OpenEventLog( NULL, "System" );
//HANDLE hSystemEventLog = OpenEventLog( NULL, "Service Control Manager" );
if ( hSystemEventLog != NULL )
{
    EVENTLOGRECORD CurrentEventLogRecord = {0};
    DWORD dwBytesRead = 0;
    DWORD dwBytesNeeded = 0;
    bool bSucceeded = ReadEventLog( hSystemEventLog,
                                    EVENTLOG_BACKWARDS_READ |
                                    EVENTLOG_SEQUENTIAL_READ,
                                    0,
                                    &CurrentEventLogRecord,
                                    sizeof( CurrentEventLogRecord ),
                                    &dwBytesRead,
                                    &dwBytesNeeded );
    if ( bSucceeded == false )
    {
        showWindowsLastErrorMessage();
    }
    else
    {
        printf( "\nEvent ID: %d\n", CurrentEventLogRecord.EventID );
    }
    CloseEventLog( hSystemEventLog );
}
// CODE END.
When this code is executed, I get the following error:
The data area passed to a system call is too small.
What's the problem with this code?
Thanks,
Stephane Lambert
 
 

Re:Using ReadEventLog()

Stéphane Lambert wrote:
Quote
    EVENTLOGRECORD CurrentEventLogRecord = {0};
    bool bSucceeded = ReadEventLog( hSystemEventLog,
                                    EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                                    0,
                                    &CurrentEventLogRecord,
                                    sizeof( CurrentEventLogRecord ),
                                    &dwBytesRead,
                                    &dwBytesNeeded );
    if ( bSucceeded == false )
    {
        showWindowsLastErrorMessage();

Also display sizeof(CurrentEventLogRecord) and dwBytesNeeded.
I suspect dwBytesNeeded is larger by a few bytes.

Quote
    When this code is executed, I get the following error:
    The data area passed to a system call is too small.

    What's the problem with this code?

Microsoft's example code uses a (large) char buffer,
and a moveable struct pointer. They also mention
there might be padding bytes added to the struct.
If you were supposed to read directly into a struct,
they probably would have shown it that way.
 

Re:Using ReadEventLog()

Hi Bob,
Thanks for your reply.
You are right. There are 112 bytes of difference between "sizeof( CurrentEventLogRecord )" and "dwBytesNeeded".
Using the line:
    sizeof( CurrentEventLogRecord ) + 112;
or better:
    EVENTLOGRECORD * pCurrentEventLogRecord = new EVENTLOGRECORD[ dwBytesNeeded ];
corrects the problem.
Thanks again,
Stephane
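
The byte-buffer-plus-moving-pointer approach mentioned in the reply above, as an added example that is not part of the original thread or of Microsoft's sample: portable C++ that walks a buffer laid out the way ReadEventLog fills it, checking each record's Length before advancing. RecordHeader, collectEventIds and appendRecord are hypothetical names, and the sample records and event IDs are constructed (168 bytes is the 56-byte fixed header plus the 112 extra bytes reported in the thread).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Fixed 56-byte header that starts every record (field order of EVENTLOGRECORD
// in winnt.h). Source name, strings, SID and data follow it, so records vary in size.
struct RecordHeader {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
             DataLength, DataOffset;
};
static_assert(sizeof(RecordHeader) == 56, "layout must match EVENTLOGRECORD");

// Walk 'bytesRead' bytes laid out as ReadEventLog returns them and collect the
// event IDs. Returns false as soon as a Length field does not fit the buffer.
bool collectEventIds(const uint8_t* buf, std::size_t bytesRead, std::vector<uint32_t>& ids) {
    std::size_t off = 0;
    while (off < bytesRead) {
        if (bytesRead - off < sizeof(RecordHeader)) return false;  // truncated header
        RecordHeader h;
        std::memcpy(&h, buf + off, sizeof h);  // copy out: buf + off may be unaligned
        if (h.Length < sizeof(RecordHeader) || h.Length > bytesRead - off) return false;
        ids.push_back(h.EventID);
        off += h.Length;                       // step by the record's own length
    }
    return true;
}

// Constructed sample data: append one record of 'length' bytes (header + zeros).
void appendRecord(std::vector<uint8_t>& buf, uint32_t length, uint32_t eventId) {
    RecordHeader h = {};
    h.Length = length;
    h.EventID = eventId;
    std::size_t start = buf.size();
    buf.resize(start + (length < sizeof h ? sizeof h : length), 0);
    std::memcpy(&buf[start], &h, sizeof h);
}

int main() {
    std::vector<uint8_t> buf;
    appendRecord(buf, 168, 1000);   // 56-byte header + 112 bytes of payload
    appendRecord(buf, 96, 7036);
    std::vector<uint32_t> ids;
    bool ok = collectEventIds(buf.data(), buf.size(), ids);
    for (uint32_t id : ids) std::printf("Event ID: %u\n", (unsigned)id);
    return ok ? 0 : 1;
}
```

On Windows the buffer would come from ReadEventLog itself: when the call fails and GetLastError() returns ERROR_INSUFFICIENT_BUFFER (the "data area passed to a system call is too small" message), resize the byte buffer to dwBytesNeeded and call again.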
 
