Reading and Writing the Windows Event Log


by StPendl (talk) 21:47, 2 September 2020 (UTC)


Read Event Log — opens the local Application log, seeks to its newest record and dumps the raw record bytes (the EVENTLOGRECORD layout is declared for reference, not parsed).

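' Fixed header of one EVENTLOGRECORD as returned by ReadEventLog. The
' substitution strings, the user SID and the binary data follow this header
' at StringOffset / UserSidOffset / DataOffset, and Length is the size of the
' whole record including that variable-length tail. This listing declares the
' layout for reference only - it dumps the raw buffer and never walks it.
' NOTE(review): anyone who does walk the buffer with this struct should check
' that Length and each offset stay inside pnBytesRead before reading through
' them; those sizes come out of the log, not out of this program.
struct EVENTLOGRECORD, _
        Length              as uLong, _
        Reserved            as uLong, _
        RecordNumber        as uLong, _
        TimeGenerated       as uLong, _
        TimeWritten         as uLong, _
        EventID             as uLong, _
        EventType           as word, _
        NumStrings          as word, _
        EventCategory       as word, _
        ReservedFlags       as word, _
        ClosingRecordNumber as uLong, _
        StringOffset        as uLong, _
        UserSidLength       as uLong, _
        UserSidOffset       as uLong, _
        DataLength          as uLong, _
        DataOffset          as uLong

    ' The event-log API lives in advapi32. (#kernel32, used by DisplayError, is
    ' never opened in this listing; presumably it is one of the handles Liberty
    ' BASIC provides automatically - confirm if the sub is reused elsewhere.)
    Open "advapi32.dll" for dll as #advapi32

    ' Name of the log to read, NUL-terminated for the ANSI entry point.
    ' NOTE(review): other logs (e.g. "Security") are typically access
    ' restricted, so expect OpenEventLog to fail there without the right to
    ' read them.
    lpSourceName$ = "Application"; chr$(0)

    ' lpUNCServerName is never assigned, so it is 0 = the local computer.
    calldll #advapi32, "OpenEventLogA", _
        lpUNCServerName as ulong, _
        lpSourceName$   as ptr, _
        hEventLog       as ulong

    ' Test the result before anything else runs: GetLastError is per thread and
    ' any intervening API call (a print may well make one) can overwrite it.
    ' A zero handle is unusable, so release the DLL and stop instead of handing
    ' 0 to every call that follows.
    if hEventLog = 0 then
        call DisplayError
        close #advapi32
        end
    end if

    print
    print "Open Event Log Handle: "; hEventLog

    ' Record number of the oldest record still in the log (logs wrap, so this
    ' is not necessarily 1).
    struct OldestRecord, value as ulong

    calldll #advapi32, "GetOldestEventLogRecord", _
        hEventLog    As uLong, _
        OldestRecord as struct, _
        result       as long

    if result = 0 then call DisplayError

    print
    print "Oldest Event Log result: "; result
    print "Oldest Event Log Number: "; OldestRecord.value.struct

    struct NumberOfRecords, value as ulong

    calldll #advapi32, "GetNumberOfEventLogRecords", _
        hEventLog       As uLong, _
        NumberOfRecords as struct, _
        result          as long

    if result = 0 then call DisplayError

    print
    print "Number of Event Log Records result: "; result
    print "Number of Event Logs: "; NumberOfRecords.value.struct

    nOldest  = OldestRecord.value.struct
    nRecords = NumberOfRecords.value.struct

    Struct pnBytesRead, value As uLong
    Struct pnMinNumberOfBytesNeeded, value As uLong

    if nRecords = 0 then
        ' Nothing to seek to: the "newest record" arithmetic below would
        ' otherwise point one record before the oldest one.
        print
        print "Event log is empty, nothing to read."
    else
        ' Seek straight to the newest record (seek offsets are record numbers)
        ' and read forwards from it. ReadEventLog returns whole records only
        ' and may return more than one if they fit in the buffer.
        dwReadFlags = _EVENTLOG_SEEK_READ or _EVENTLOG_FORWARDS_READ
        dwRecordOffset = nOldest + nRecords - 1

        ' 0x7FFFF-byte buffer. When not even one record fits, the call fails
        ' with ERROR_INSUFFICIENT_BUFFER (122) and pnMinNumberOfBytesNeeded
        ' holds the size that would; this listing reports that rather than
        ' retrying with a bigger buffer.
        nNumberOfBytesToRead = hexdec("7ffff")
        lpBuffer$ = space$(nNumberOfBytesToRead); chr$(0)

        calldll #advapi32, "ReadEventLogA", _
            hEventLog                As uLong, _
            dwReadFlags              As uLong, _
            dwRecordOffset           As uLong, _
            lpBuffer$                As ptr , _
            nNumberOfBytesToRead     As uLong, _
            pnBytesRead              As Struct , _
            pnMinNumberOfBytesNeeded As struct , _
            result                   As long

        ' Report the error before any print, for the same GetLastError reason.
        if result = 0 then call DisplayError

        print
        print "Results: "
        print pnMinNumberOfBytesNeeded.value.struct, pnBytesRead.value.struct
        ' Raw record bytes (binary, mostly unprintable): a debugging dump, not
        ' a parse. NOTE(review): assumes pnBytesRead is 0 after a failed read
        ' so the dump is then empty - confirm.
        print "Buffer: "
        print left$(lpBuffer$, pnBytesRead.value.struct)

        print
        print "Read Event Log result: "; result
    end if

    calldll #advapi32, "CloseEventLog", _
        hEventLog as ulong, _
        result    as long

    if result = 0 then call DisplayError

    print
    print "Close Event Log result: "; result

    close #advapi32
    end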

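sub DisplayError
    ' Print the calling thread's last Win32 error as "Error <code>: <text>".
    ' Call it straight after the failing calldll: GetLastError is per thread
    ' and any other API call made in between (including whatever a print
    ' does) may overwrite the value.
    calldll #kernel32, "GetLastError", _
        ErrorCode as ulong

    ' FROM_SYSTEM looks the code up in the system message table.
    ' IGNORE_INSERTS (0x200) is added because no Arguments are supplied: some
    ' system messages contain %1-style inserts and without the flag
    ' FormatMessage would treat them as a request for arguments that were
    ' never passed.
    dwFlags = _FORMAT_MESSAGE_FROM_SYSTEM or hexdec("200")
    nSize = 1024
    lpBuffer$ = space$(nSize); chr$(0)
    dwMessageID = ErrorCode

    ' lpSource, dwLanguageID and Arguments are left at 0: no message module,
    ' default language, no insert arguments. result is the number of
    ' characters written, 0 when no text could be produced.
    calldll #kernel32, "FormatMessageA", _
        dwFlags      as ulong, _
        lpSource     as ulong, _
        dwMessageID  as ulong, _
        dwLanguageID as ulong, _
        lpBuffer$    as ptr, _
        nSize        as ulong, _
        Arguments    as ulong, _
        result       as ulong

    if result = 0 then
        ' Unknown code or FormatMessage itself failed; still show the number.
        print "Error "; ErrorCode; ": (no message text available)"
    else
        print "Error "; ErrorCode; ": "; left$(lpBuffer$, result)
    end if
end sub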

Write Event Log — registers "Application" as an event source on the local computer and writes one information event carrying a single substitution string.


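    open "advapi32.dll" for dll as #advapi32

    ' ReportEvent wants a pointer to an array of string pointers. A one-member
    ' struct holding one ptr is such an array, and "as struct" passes its
    ' address.
    struct lpStrings, string$ as ptr

    ' Event source name, NUL-terminated for the ANSI entry point.
    ' NOTE(review): no message file is registered for this source by this
    ' listing, so Event Viewer will presumably wrap the string in a
    ' "description ... cannot be found" notice - confirm on the target system.
    lpSourceName$ = "Application"; chr$(0)

    ' Every "none" argument is set explicitly instead of relying on Liberty
    ' BASIC's numeric default of 0.
    lpUNCServerName = 0     'local computer
    wType = _EVENTLOG_INFORMATION_TYPE
    wCategory = 0           'no category
    dwEventID = 0           'event identifier
    '    dwEventID = 8194
    '    wCategory = 5
    lpUserSID = 0           'no user security identifier
    dwDataSize = 0          'no raw data
    lpRawData = 0           'no raw data pointer
    wNumStrings = 1         'one substitution string

    ' The string is stored in the log verbatim. NOTE(review): if it is ever
    ' built from user input, remember that it lands in a log administrators
    ' read and monitoring tools parse - embedded line breaks or misleading
    ' text are a log-injection vector, so sanitise it first.
    lpStrings.string$.struct = "LB Event Log Test"; chr$(0)

    calldll #advapi32, "RegisterEventSourceA", _
        lpUNCServerName as ulong, _   'local computer if 0
        lpSourceName$   as ptr, _     'source eg. application name
        handle          as ulong      'handle for ReportEvent

    ' Check before printing so GetLastError still holds this call's error
    ' (it is per thread and an intervening API call may overwrite it). A zero
    ' handle can neither be reported to nor deregistered, so stop here.
    if handle = 0 then
        call DisplayError
        close #advapi32
        end
    end if

    print
    print "Register Event Source Handle: "; handle

    calldll #advapi32, "ReportEventA", _
        handle      as ulong, _  'event log handle
        wType       as word, _   'event type
        wCategory   as word, _   'category zero
        dwEventID   as ulong, _  'event identifier
        lpUserSID   as ulong, _  'no user security identifier
        wNumStrings as word, _   'one substitution string
        dwDataSize  as ulong, _  'no data
        lpStrings   as struct, _ 'address of string array
        lpRawData   as ulong, _  'address of data
        result      as long

    if result = 0 then call DisplayError

    print
    print "Report Event Result: "; result

    calldll #advapi32, "DeregisterEventSource", _
        handle as ulong, _
        result as long

    if result = 0 then call DisplayError

    print
    print "Deregister Event Source Result: "; result

    print
    print "Finished ..."

    close #advapi32
    end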

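sub DisplayError
    ' Print the calling thread's last Win32 error as "Error <code>: <text>".
    ' Call it straight after the failing calldll: GetLastError is per thread
    ' and any other API call made in between (including whatever a print
    ' does) may overwrite the value.
    calldll #kernel32, "GetLastError", _
        ErrorCode as ulong

    ' FROM_SYSTEM looks the code up in the system message table.
    ' IGNORE_INSERTS (0x200) is added because no Arguments are supplied: some
    ' system messages contain %1-style inserts and without the flag
    ' FormatMessage would treat them as a request for arguments that were
    ' never passed.
    dwFlags = _FORMAT_MESSAGE_FROM_SYSTEM or hexdec("200")
    nSize = 1024
    lpBuffer$ = space$(nSize); chr$(0)
    dwMessageID = ErrorCode

    ' lpSource, dwLanguageID and Arguments are left at 0: no message module,
    ' default language, no insert arguments. result is the number of
    ' characters written, 0 when no text could be produced.
    calldll #kernel32, "FormatMessageA", _
        dwFlags      as ulong, _
        lpSource     as ulong, _
        dwMessageID  as ulong, _
        dwLanguageID as ulong, _
        lpBuffer$    as ptr, _
        nSize        as ulong, _
        Arguments    as ulong, _
        result       as ulong

    if result = 0 then
        ' Unknown code or FormatMessage itself failed; still show the number.
        print "Error "; ErrorCode; ": (no message text available)"
    else
        print "Error "; ErrorCode; ": "; left$(lpBuffer$, result)
    end if
end sub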