After doing some research, here goes: W3SVC service has the "EventMessageFile" located at: - c:\winnt\system32\inetsrv\w3svc.dll This file contains the messages written to the event log in case of errors. In this specific matter, the EventID 0x80000064 (event viewer only shows the last eight bits = 0x64 = 100) corresponds to the following message - The server was unable to logon the Windows NT account '%1' due to the following error: %2 In normal circunstances the parameters get replaced by the following: - %1 = <username typed in the authentication dialog box> - %2 = Logon failure: unknown user name or bad password. Everytime an event occurs, the EventID, the parameters and other stuff get stored in the corresponding logfile (in this case - system) which is a file in the hard-disk. There are 2 ways to read the event log (system, application, etc). The 1st, and most used is "Event Viewer". The 2nd is building your own event viewer using Event Log functions like: - BackupEventLog - ClearEventLog - CloseEventLog - DeregisterEventSource - GetEventLogInformation - GetNumberOfEventLogRecords - GetOldestEventLogRecord - NotifyChangeEventLog - OpenBackupEventLog - OpenEventLog - ReadEventLog - RegisterEventSource - ReportEvent I've read the event log using one of the samples that comes with Platform SDK, located at "samples\winbase\Debug\eventlog". Where the "Event Viewer" displays '%1aaaaaa....' (exactly 100 'a'), this sample displays just '%1aa'. The sample, by the way, does not use FormatMessage to build the event message, the sample replaces the '%1' and '%2' by hand. The FormatMessage function is only used to retrieve the following string: - The server was unable to logon the Windows NT account '%1' due to the following error: %2 The data is the error code. For additional information specific to this message please visit the Microsoft Online Supp ort site located at: http://www.microsoft.com/contentredirect.asp. This leads me to the following two conclusions: 1. There is definitely an error going on, but I believe the error is inside the "Event Viewer" application that comes with the operating system. 2. There may be an error with Inetinfo.exe. Inetinfo may be using the ReportEvent function incorrectly sending to the event log an event with the number of strings (see the ReportEvent function in MSDN) and the strings themselves incorrect. NOTE: By the way, if you enter '%2p' in the username, the 'p' gets concatenated to: - Logon failure: unknown user name or bad password. as this: - Logon failure: unknown user name or bad password. p and the parameter '%1' of the message included in the message file "w3svc.dll" gets replaced with it. Why ? Well, read my 2nd conclusion again. One final touch, I've found that each character placed after '%1' get repeated 100 times. So '%1aaa' leaves you with '%1' followed by 300 'a's. Well, enough for now. Hope all is correct. There is much more to study here, but I think Microsoft has definitely a situation here, although I wouldn't consider as serious. Just a bug fix IMHO. Cheers, Tiago Halm
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 17:11:10 PDT