I asked the same question at the General Windows Vista development issues forum. Maybe this is the right forum to ask this question as well.

I have code which reads the Windows XP security events to a file. It finds the path of EventMessageFile by reading the registry key information of "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security\Security". Then it loads the library for the EventMessageFile DLL, i.e. %SystemRoot%\System32\MsAuditE.dll, and at last it uses FormatMessage() to get the event message description. However, when I execute it on a Vista machine, I get error 317 for FormatMessage(), which is "ERROR_MR_MID_NOT_FOUND".

At first I thought I didn't get the correct DLL loaded. The security event log entry in Vista has a different event source from Windows XP: in Vista the event source is "Microsoft-Windows-Security-Auditing", in Windows XP the event source is "Security". But there is no "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security\Microsoft-Windows-Security-Auditing" key in the registry. I used "wevtutil gp Microsoft-Windows-Security-Auditing" to get the "Microsoft-Windows-Security-Auditing" configuration information. The result is as follows: "name: Microsoft-Windows-Security-Auditing guid: 54849625-5478-4994-a5ba-3e3b0328c30d ...."

I think "%SystemRoot%\system32\adtschema.dll" is the EventMessageFile for "Microsoft-Windows-Security-Auditing", so I updated the code to load this DLL too; however, I get the same error 317 for FormatMessage(). The eventId I passed for this message is 4648.

317 "The system cannot find message text for message number 0x%1 in the message file for %2."
helpLink: http://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%c2%ae%20Windows%c2%ae%20Operating%20System&ProdVer=6.0.6000.16386&FileName=adtschema.dll&FileVer=6.0.6000.16386
resourceFileName: %SystemRoot%\system32\adtschema.dll
parameterFileName: %SystemRoot%\system32\msobjs.dll
messageFileName: %SystemRoot%\system32\adtschema.dll
Can anybody tell me what the problem is? Does Vista use a different EventMessageFile for Windows Security events? Is there a way I can use my old event logging APIs to read Vista Windows events?
Thank you very much.

Compatibility question about the EventLogging API and Vista Windows Event Log service
Missouri Mule
Hi,
I had a try with EvtFormatMessage. But with this function I receive only very few messages for "Application".
For "Security" and "System" I receive no messages.
In the case of an error I receive error 15100.
This is part of my code:
[...]
EVT_HANDLE pubMetadata = EvtOpenPublisherMetadata(NULL, vPublisherName->StringVal, NULL, GetUserDefaultLCID(), 0);
[...]
lastError = EvtFormatMessage(pubMetadata, events[cnt], -1, 0, NULL, EvtFormatMessageEvent, size, &buffer[0], &size);
[...]
Can you see the error or tell me what the problem is?
Is there an existing example for reading event messages?
Thanks, Diana
WayneW
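
Added example, not part of the original thread or any poster's code: a PowerShell cross-check of what the Windows Event Log publisher metadata resolves for the provider and event ID 4648 named in the first post, useful for comparing against the output of your own FormatMessage() or EvtFormatMessage() code. It assumes an elevated PowerShell 2.0 or later session on Windows Vista or later; the five-event limit is an arbitrary choice.

```powershell
# Added example (not from the thread). Reading the Security log needs an elevated session.
$provider = 'Microsoft-Windows-Security-Auditing'   # event source named in the first post
$eventId  = 4648                                    # event ID named in the first post

# Publisher metadata: the same information "wevtutil gp" prints. Get-WinEvent is
# built on the Windows Event Log API, not on the legacy EventLog registry keys.
$meta = Get-WinEvent -ListProvider $provider -ErrorAction Stop
$meta | Format-List Name, Id, MessageFilePath, ResourceFilePath, ParameterFilePath

# Does the publisher define a message template for this event ID?
$templates = @($meta.Events | Where-Object { $_.Id -eq $eventId })
if ($templates.Count -eq 0) {
    Write-Warning "Provider $provider defines no event with ID $eventId"
} else {
    $templates | Format-List Id, Version, Description
}

# Render stored events. The XPath filter selects by event ID inside the query,
# so only matching records are fetched and formatted.
$xpath = "*[System[(EventID=$eventId)]]"
try {
    $events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop)
} catch {
    # Raised both for access problems and when no event matches the filter.
    Write-Warning "Query failed or returned nothing: $($_.Exception.Message)"
    $events = @()
}

foreach ($e in $events) {
    # Message can be empty when the publisher's message resources cannot be loaded.
    $text = if ($e.Message) { $e.Message } else { '<no message text resolved>' }
    '{0:u}  {1}  ID {2}' -f $e.TimeCreated, $e.ProviderName, $e.Id
    $text
    '---'
}
```

If the template and the rendered messages appear here but not in your own code, the publisher metadata on the machine is intact and the difference lies in how the program opens the metadata or sizes its buffer.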