Windows: ReportEvent Function

As I understand it, the ReportEvent function requires Text message files linked through the registry in order to receive correctly formatted messages. Are there any common event identifiers or some simple way to report an event without associated text message files?

Or maybe there is a special common source of events that I can use in my application? Something like RegisterEventSource (NULL, "Application")?

+4
3 answers

No, you just need to follow the rules and define text message files, create them in resources, associate them with your application, etc.

The example provided on MSDN walks you through everything you need to do.

+2

Try this, it worked for me before.

http://www.codeproject.com/KB/system/xeventlog.aspx

+1

You do not have to register your messages in HKLM. (This is good because you cannot post messages unless you are an administrator.)

But that does not stop you from writing events to the Windows application event log. The only drawback is that starting with Windows Vista, you just get ugly text along with it.

    #include <windows.h>

    HRESULT LogToEventLog(LPCSTR Source, LPCSTR EventText, WORD EventType, DWORD EventID)
    {
        /*
            EventType is one of:
                EVENTLOG_ERROR_TYPE       = 0x0001
                EVENTLOG_WARNING_TYPE     = 0x0002
                EVENTLOG_INFORMATION_TYPE = 0x0004
                EVENTLOG_AUDIT_SUCCESS    = 0x0008
                EVENTLOG_AUDIT_FAILURE    = 0x0010

            Source is your name for your app or feature, e.g.:
                "My Cool App"
                "Outlook"
                "ESENT"
                "Chrome"
        */
        HANDLE h = RegisterEventSourceA(NULL, Source); // NULL --> local computer
        if (h == NULL)
            return HRESULT_FROM_WIN32(GetLastError());

        HRESULT hr = S_OK;
        LPCSTR ss[1] = { EventText };   // the single substitution string
        if (!ReportEventA(
                h,          // event log handle
                EventType,  // event type
                0,          // category zero
                EventID,    // event identifier
                NULL,       // no user security identifier
                1,          // one substitution string
                0,          // no data
                ss,         // pointer to string array
                NULL))      // pointer to data
        {
            hr = HRESULT_FROM_WIN32(GetLastError());
        }

        // Always release the handle, whether or not ReportEvent succeeded
        DeregisterEventSource(h);
        return hr;
    }

So now you can log events in the application event log:

 LogToEventLog("Stackoverflow", "Question 5399066 was answered by Ian Boyd", EVENTLOG_INFORMATION_TYPE, 0x45); 

Steal another registration

Unfortunately, starting with Windows Vista, Windows will give ugly complaints that you did not register the event in advance:

Description for event ID 69 from Stackoverflow source could not be found. Either the component that raises this event is not installed on your local computer or the installation is damaged. You can install or repair the component on the local computer.

If the event occurred on another computer, the displayed information should have been saved with the event.

The following information was included in the event:

Question 5399066 was answered by Ian Boyd

But you do not have to live with it. Just because you did not register the original message file in HKLM does not mean that no one did.

Notice, for example, a message from an Outlook source in the event log:

  • Source : Outlook
  • EventID : 0x40000020
  • Event Data : D:\win32app\Exchange\Outlook2003.pst
  • Message : The store D:\win32app\Exchange\Outlook2003.pst has detected a catalog checkpoint.

You can check the login information for Outlook at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Outlook

And look:

 EventMessageFile: REG_SZ = "D:\Programs\MICROS~4\Office14\1033\MAPIR.DLL" 

If you look into the resources of the binary file MAPIR.dll, you will see its message table:

    1 MESSAGETABLE
    {
        0x12, "Connection stats for server (%1). Rpcs Attempted (%2), Rpcs Succeeded (%3), Rpcs Failed (%4), Rpcs Canceled (%5), Rpc UI shown (%6), Avg request time (%7) ms, Min request time (%8) ms, Max request time (%9) ms.\r\n"
        0x14, "Cancelable RPC started.\r\n"
        0x15, "Cancelable RPC shutdown.\r\n"
        0x40000010, "Cancelable RPC dialog shown for server (%1), total wait time was (%2) ms, result was (%3).\r\n"
        0x40000011, "User canceled request against server (%1) after waiting (%2) ms.\r\n"
        0x40000013, "Rpc call (%1) on transport (%2) to server (%3) failed with error code (%4) after waiting (%5) ms; eeInfo (%6).\r\n"
        0x40000016, "There was a problem reading one or more of your reminders. Some reminders may not appear.\r\n"
        0x40000017, "Unable to update public free/busy data.\r\n"
        0x4000001A, "%1\r\n"
        0x4000001B, "%1\r\n"
        0x4000001D, "The store %1 is being re-pushed to the indexer for the following reason: %2.\r\n"
        0x4000001E, "Starting reconciliation for the store %1 for the following reason: %2.\r\n"
        0x4000001F, "The store %1 has detected a catalog rebuild.\r\n"
        0x40000020, "The store %1 has detected a catalog checkpoint.\r\n"
        ...
    }

You can see that eventid 0x40000020 is associated with the format string:

"The store %1 has detected a catalog checkpoint.\r\n"

You can block Outlook registration:

 LogToEventLog("Outlook", "Your mom", EVENTLOG_INFORMATION_TYPE, 0x40000020); 

and you add your event to the event log without all the ugly warnings.

0
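How a viewer turns (source, event ID, insertion strings) into the text it displays, as an added example that is not part of the original answer and is not Windows code: a portable C simulation in which the `TABLE` array stands in for the registry and message-table lookup, and `render_event` and `expand` are hypothetical names. It shows why the Source field only tells a log reviewer which template matched: the source name and the strings are both supplied by whoever called `ReportEvent`.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the registry + message-table lookup. The two
   templates are the Outlook entries quoted on this page. */
struct msg { const char *source; unsigned long id; const char *tmpl; };
static const struct msg TABLE[] = {
    { "Outlook", 0x4000001FUL, "The store %1 has detected a catalog rebuild." },
    { "Outlook", 0x40000020UL, "The store %1 has detected a catalog checkpoint." },
};

/* Expand %1..%9 from caller-supplied strings (simplified: no %n!fmt! forms). */
static void expand(const char *t, const char **s, int n, char *out, size_t cap)
{
    size_t o = 0;
    for (; *t && o + 1 < cap; t++) {
        if (t[0] == '%' && t[1] >= '1' && t[1] <= '9' && t[1] - '1' < n) {
            for (const char *ins = s[*++t - '1']; *ins && o + 1 < cap; ins++)
                out[o++] = *ins;           /* copy the insertion string */
        } else {
            out[o++] = *t;                 /* literal text or unmatched %n */
        }
    }
    out[o] = '\0';
}

/* 1 = template found; 0 = viewer falls back to the "could not be found" text. */
int render_event(const char *source, unsigned long id,
                 const char **strings, int n, char *out, size_t cap)
{
    for (size_t k = 0; k < sizeof TABLE / sizeof TABLE[0]; k++) {
        if (strcmp(TABLE[k].source, source) == 0 && TABLE[k].id == id) {
            expand(TABLE[k].tmpl, strings, n, out, cap);
            return 1;
        }
    }
    snprintf(out, cap, "Description for event ID %lu from %s source could not "
             "be found. Included: %s", id, source, n > 0 ? strings[0] : "");
    return 0;
}

int main(void)
{
    char buf[256];
    const char *text[] = { "text chosen by the caller" };   /* constructed */
    printf("%d %s\n", render_event("Stackoverflow", 0x45, text, 1, buf, sizeof buf), buf);
    printf("%d %s\n", render_event("Outlook", 0x40000020UL, text, 1, buf, sizeof buf), buf);
    return 0;
}
```

Because the rendered message is indistinguishable from one the registered application wrote, the Source name in the Application log is best treated as an unauthenticated label during triage.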

Source: https://habr.com/ru/post/1344852/

