[logs] Re: Windows Event Logs

From: Phil Hollows (phollows@private)
Date: Mon Jun 13 2005 - 10:49:37 PDT


Muhammed:

Re: (1)

%1 %2 ... are message-specific parameters that can only be resolved by
accessing the relevant message DLLs that ship with the product creating
the message.  This is true regardless of the platform (WinNT, 2k and
XP).  Resolving these requires that the application reading the log also
access the registry to determine the DLL, extract the message text using
the ID(s) in the event log data, and then format the resulting string
with the Win32 API function FormatMessage().  It's fairly complex Win32
API code which can take a long time to build and test (the protocol
allows for multiple message DLLs which have to be prioritized etc.),
which is why many event log shell covers simply don't bother.

It gets a lot worse when you are looking for remote log reading, because
the DLL and registry key you're after are on the remote system.  Also
you run into performance and scalability issues as remote calls run over
the network, so you then have to write a smarter log reader to be able
to handle the volume.  Even on local machines, you may see %1 etc. in
the event log - what this means is that the event viewer either couldn't
locate the DLLs (because they're not there or the registry hasn't been
set up correctly), or that the message ID in the event log isn't in the
DLL that it found.

If you need all the data properly populated and you want to write it
yourself then you have to do a lot of work on Google and MSDN to find
the right samples (it isn't obvious, unfortunately, as this is
relatively arcane) and be a decent Windows API developer.  Or acquire a
third party tool that will do this for you.

Thanks,

Phil Hollows
OpenService, Inc.
www.openservice.com
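The resolution path described above (read the raw inserts, look up the source's EventMessageFile in the registry, load each listed DLL and call FormatMessage() with the inserts as an argument array), as an added PowerShell example that is not part of this thread; the function names are my own and the 'Application' log / first-entry selection is illustrative.

```powershell
# Reads an event's %1, %2 ... inserts separately (EventLogEntry.ReplacementStrings)
# and resolves the message text the way Event Viewer does. Added example; helper names
# are hypothetical. Returns $null where the viewer would show raw %1 %2 placeholders.
Add-Type -Namespace Win32 -Name Msg -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string path, IntPtr hFile, uint flags);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern uint FormatMessage(uint flags, IntPtr source, uint msgId,
    uint langId, System.Text.StringBuilder buf, uint size, IntPtr[] args);
'@

function Get-EventMessageFiles {
    param([string]$LogName, [string]$Source)
    # Missing key or value is the "registry hasn't been set up" case: nothing to search.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
    $raw = (Get-ItemProperty -Path $key -Name EventMessageFile -ErrorAction SilentlyContinue).EventMessageFile
    if (-not $raw) { return @() }
    # Several DLLs may be listed, ';'-separated, and are tried in that order.
    $raw -split ';' | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }
}

function Resolve-EventMessage {
    param([string]$LogName, [string]$Source, [uint32]$MessageId, [string[]]$Inserts)
    $LOAD_LIBRARY_AS_DATAFILE = 0x2        # map the DLL for resources only, run no code
    $FROM_HMODULE = 0x800; $ARGUMENT_ARRAY = 0x2000
    # FormatMessage substitutes %n from this array; the entry supplies every insert it used.
    [IntPtr[]]$ptrs = @($Inserts | ForEach-Object { [Runtime.InteropServices.Marshal]::StringToHGlobalUni($_) })
    try {
        foreach ($dll in Get-EventMessageFiles $LogName $Source) {
            $h = [Win32.Msg]::LoadLibraryEx($dll, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
            if ($h -eq [IntPtr]::Zero) { continue }    # DLL not present on this machine
            try {
                $sb = New-Object System.Text.StringBuilder 4096
                $n = [Win32.Msg]::FormatMessage($FROM_HMODULE -bor $ARGUMENT_ARRAY, $h, $MessageId, 0, $sb, $sb.Capacity, $ptrs)
                if ($n -gt 0) { return $sb.ToString() }  # first DLL that knows the ID wins
            } finally { [void][Win32.Msg]::FreeLibrary($h) }
        }
        return $null   # ID not found in any listed DLL
    } finally { $ptrs | ForEach-Object { [Runtime.InteropServices.Marshal]::FreeHGlobal($_) } }
}

# Illustrative usage: InstanceId is the full 32-bit message ID, EventID only its low 16 bits.
$entry = (New-Object System.Diagnostics.EventLog 'Application').Entries | Select-Object -First 1
$entry.ReplacementStrings | ForEach-Object -Begin { $i = 1 } -Process { "%$i = $_"; $i++ }
Resolve-EventMessage 'Application' $entry.Source $entry.InstanceId $entry.ReplacementStrings
```

Run it on the local machine; for a remote system the registry key and DLL live there, so the same lookup has to be done against the remote host (or the DLL copied locally), which is the scalability problem the reply describes.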



-----Original Message-----
From: loganalysis-bounces+phil=open.com@private
[mailto:loganalysis-bounces+phil=open.com@private] On Behalf Of
Muhammad Khan
Sent: Monday, June 13, 2005 7:33 AM
To: loganalysis@private
Subject: [logs] Windows Event Logs

Hi Eric,
Thanks for your kind assistance and providing links for Windows
Security logs. This information is really useful. I had two questions.

1. The event logs in Windows 2000, XP, 2003 are stored in .evt format.
I am interested in studying the information stored in parameters
labelled as %1, %2 etc. Could you please guide me how I can directly
or indirectly read these parameters separately? Though the whole
information of all the parameters of an event is accessible
through the "Message" property of the "LogEntry" class of the .Net Framework,
I want to access each parameter separately. How can I do it?

2. How do "Home" and "Professional" editions of XP differ with
particular reference to the events they generate?

I shall be grateful for your kind help in this regard.

regards,
Muhammad Naeem Khan
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Mon Jun 13 2005 - 10:52:56 PDT