I have code that reads a Windows event log. It uses OpenEventLog and ReadEventLog and gets the event source and event ID. It then looks up the source under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
loads the appropriate DLLs as specified in EventMessageFile, and finally uses FormatMessage to merge the event's insertion strings with the contents of the message DLL to get the final text of the event message. This is the recommended method, and although it's a bit of a pain, it works great.
Until now ... I go to look up the source and find that it doesn't have an EventMessageFile value, but rather a ProviderGuid. This seems to be a new thing (they appear on Vista and Windows 2008). Ugh - there's nothing to pass to FormatMessage to look up the message text and merge in the data strings :(
A registry search for the GUID leads to references to other files (http.sys in the case of an HTTP source), but I can never get the full text of the message. Do I need to use those EvtOpenSession APIs? I hope not, since I already have an EVENTLOGRECORD* from my ReadEventLog call, and since the software needs to run on Windows 2003, where EvtOpenSession is not supported (it is available only on Vista and Windows 2008). NOTE: Some Vista sources have a ProviderGuid, while others have an EventMessageFile, so the old method is still viable.
So what I need is to look up the ProviderGuid and get the DLL that has to be passed to FormatMessage to display the full event log message.
Thanks for any input.
Dougn
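An added example, not code from the original question or from the asker: a PowerShell script that walks the procedure described above (read a classic record, find the source under the EventLog registry key, pick the message DLL, call FormatMessage, merge the insertion strings). It assumes, as a fact not stated in the question, that on Vista/2008 a ProviderGuid maps to the publisher key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{guid}, whose MessageFileName value lists the message DLL(s); the function names, the hypothetical Win32.Native P/Invoke wrapper, and the 64 KB buffer size are choices made here.

```powershell
# Added example, not the original poster's code.
# Assumption (not stated in the question): a ProviderGuid under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>\<Source> refers to
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{guid},
# whose MessageFileName value lists the message DLL(s).

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint FormatMessageW(uint dwFlags, IntPtr lpSource, uint dwMessageId,
    uint dwLanguageId, System.Text.StringBuilder lpBuffer, uint nSize, IntPtr Arguments);
'@

function Get-MessageFiles {
    # Resolve a log/source pair to its message DLL path(s): classic EventMessageFile
    # first, then the ProviderGuid publisher key (assumed layout, see above).
    param([string]$LogName, [string]$Source)
    $srcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
    $src = Get-ItemProperty -Path $srcKey -ErrorAction Stop
    if ($src.EventMessageFile) {
        $files = $src.EventMessageFile
    } elseif ($src.ProviderGuid) {
        $pubKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\$($src.ProviderGuid)"
        $files = (Get-ItemProperty -Path $pubKey -ErrorAction Stop).MessageFileName
    } else {
        throw "Neither EventMessageFile nor ProviderGuid found under $srcKey"
    }
    # REG_EXPAND_SZ values such as %SystemRoot%\System32\x.dll may come back
    # unexpanded, and one value can list several DLLs separated by ';'.
    [Environment]::ExpandEnvironmentVariables($files) -split ';' | Where-Object { $_ }
}

function Get-MessageTemplate {
    # Load each DLL as a data file and ask FormatMessage for the raw template;
    # FORMAT_MESSAGE_IGNORE_INSERTS keeps the %1, %2 ... placeholders in place.
    param([string[]]$Files, [uint32]$MessageId)
    $LOAD_LIBRARY_AS_DATAFILE      = 0x00000002
    $FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200
    $FORMAT_MESSAGE_FROM_HMODULE   = 0x00000800
    foreach ($file in $Files) {
        $hMod = [Win32.Native]::LoadLibraryExW($file, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
        if ($hMod -eq [IntPtr]::Zero) { continue }   # missing DLL or bad path: try the next one
        try {
            $buf = New-Object System.Text.StringBuilder 65535
            $len = [Win32.Native]::FormatMessageW(
                $FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_IGNORE_INSERTS,
                $hMod, $MessageId, 0, $buf, [uint32]$buf.Capacity, [IntPtr]::Zero)
            if ($len -gt 0) { return $buf.ToString() }  # message found in this DLL
        } finally {
            [void][Win32.Native]::FreeLibrary($hMod)
        }
    }
    return $null
}

function Expand-EventMessage {
    # Merge the record's insertion strings into the template, as FormatMessage
    # would with FORMAT_MESSAGE_ARGUMENT_ARRAY in C.
    param([System.Diagnostics.EventLogEntry]$Entry, [string]$LogName)
    $files = Get-MessageFiles -LogName $LogName -Source $Entry.Source
    # Pass the full 32-bit InstanceId (severity/facility bits included), not the
    # truncated EventID, or the message-table lookup will miss.
    $template = Get-MessageTemplate -Files $files -MessageId ([uint32]$Entry.InstanceId)
    if (-not $template) { return $null }
    $inserts = $Entry.ReplacementStrings
    [regex]::Replace($template, '%(\d+)', [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $idx = [int]$m.Groups[1].Value - 1
        if ($idx -ge 0 -and $idx -lt $inserts.Count) { $inserts[$idx] } else { $m.Value }
    })
}

# Usage: resolve the newest five Application-log records ourselves rather than
# letting .NET do it, so sources that carry only a ProviderGuid still get text.
Get-EventLog -LogName Application -Newest 5 | ForEach-Object {
    $text = Expand-EventMessage -Entry $_ -LogName Application
    "{0} [{1}]: {2}" -f $_.Source, $_.InstanceId,
        $(if ($text) { $text.Trim() } else { '<no message template found>' })
}
```

Get-EventLog uses the same classic ReadEventLog path as the question's C code, so it is the right cmdlet for this exercise (it exists in Windows PowerShell 5.1; PowerShell 7 dropped it). Two caveats a practitioner would want: templates can also contain %%NNN references that are resolved through the source's ParameterMessageFile value, which this script does not handle, and Get-MessageTemplate silently skips a DLL that fails to load, so a completely wrong MessageFileName shows up as "no message template found" rather than as an error.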