Reading Windows Event Logs


Tdev Test

Dec 7, 2023, 5:41:03 AM
to Java Native Access
Hi, I try to read windows event logs via:

WinNT.HANDLE OpenEventLog(java.lang.String lpUNCServerName, java.lang.String lpSourceName)

it works in general, but the documentation says:

"...  If you specify a custom log and it cannot be found, the event logging service opens the Application log ..."

How can I:
a) detect this kind of fallback?
b) open the "Setup" log? It is present, I copied the name, but the function always opens the Application log.

Thanks.
Thomas

Tres Finocchiaro

Dec 7, 2023, 4:17:56 PM
to jna-...@googlegroups.com
a) detect this kind of fallback?

According to Microsoft:

"If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file."

... but I'm not having any luck... 

For example, there are several examples to read the logs (some of which are part of JNA, such as Advapi32Util.EventLogIterator(logName), others of which are offered in online tutorials such as this one https://stackoverflow.com/a/66343548/3196753), and I can get the log category using EventLogRecord.getRecord().EventCategory, however when I pass in a garbage value for "logName", it returns the exact same value for category as when I pass in a valid value (such as "Application").

In regards to "string file", I thought perhaps this was part of record.getStrings(), but those too are identical between garbage values and valid values.  I'm at a loss for detecting this fallback behavior.

I had a third idea to get the last log entry and compare the record number (e.g. GetOldestEventLogRecord), but this will suffer concurrency problems (since it's a live value, it's subject to change) so it would be a crude hack to detect a fallback.

b) open the "Setup" log

This was hard to find, but it's documented under another API here: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-registereventsourcew

Specifically this portion:

"The name of the event source whose handle is to be retrieved. The source name must be a subkey of a log under the Eventlog registry key. Note that the Security log is for system use only."

Following this guidance, I run:
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog

Which returns values such as "Windows PowerShell" and "HardwareEvents", which both are accepted through the API.

According to this post, it appears it's not possible using the OpenEventLog API https://stackoverflow.com/a/7075952/3196753, quoting:

Because the setup eventlog is a new format log it can only be opened using the new API calls EvtQuery, EvtNext etc., the old OpenEventLog/ReadEventLog functions do not work on it.

Note that by adjusting the path in this example: https://stackoverflow.com/a/66343548/3196753, this can be done.

- String path = "C:\\Windows\\System32\\Winevt\\Logs\\System.evtx";
+ String path = "C:\\Windows\\System32\\Winevt\\Logs\\Setup.evtx"; // Change "System" to "Setup"

Partially related:
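The two points in the answer above, as an added example that is not code from the thread or from the JNA project itself: (a) the RegisterEventSource documentation quoted above says a legacy log name must be a subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, so checking for that subkey before calling OpenEventLog is a way to refuse a name that would otherwise silently fall back to the Application log; (b) the "Setup" channel is read with the newer EvtQuery/EvtNext/EvtRender functions, which fail with an error instead of falling back. It assumes JNA 5.x platform bindings (com.sun.jna.platform.win32.Wevtapi, Winevt, Advapi32Util), the channel name "Setup", an XPath query of "*", and a batch size of 16; the class and method names are this example's own.

```java
import com.sun.jna.Memory;
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Wevtapi;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinReg;
import com.sun.jna.platform.win32.Winevt;
import com.sun.jna.platform.win32.Winevt.EVT_HANDLE;
import com.sun.jna.ptr.IntByReference;
import java.util.ArrayList;
import java.util.List;

/** Example class (not part of JNA) showing a strict legacy open and a modern channel read. */
public class EventLogOpenExample {

    // Registry key that a legacy log/source must be a subkey of (per the RegisterEventSource docs).
    private static final String EVENTLOG_KEY = "SYSTEM\\CurrentControlSet\\Services\\EventLog";

    /**
     * (a) Legacy API with fallback guard: only call OpenEventLog when the name exists as a
     * subkey under the EventLog key. Assumption: a missing subkey is exactly the case in
     * which the service would silently hand back the Application log.
     */
    public static WinNT.HANDLE openLegacyLogStrict(String logName) {
        if (!Advapi32Util.registryKeyExists(WinReg.HKEY_LOCAL_MACHINE, EVENTLOG_KEY + "\\" + logName)) {
            throw new IllegalArgumentException("no legacy log '" + logName + "' under HKLM\\" + EVENTLOG_KEY
                    + " (OpenEventLog would fall back to the Application log)");
        }
        WinNT.HANDLE h = Advapi32.INSTANCE.OpenEventLog(null, logName);
        if (h == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        return h; // caller closes with Advapi32.INSTANCE.CloseEventLog(h)
    }

    /** Render one event as XML using the usual two-call buffer-sizing idiom of EvtRender. */
    private static String renderXml(EVT_HANDLE event) {
        IntByReference used = new IntByReference();
        IntByReference props = new IntByReference();
        int flags = Winevt.EVT_RENDER_FLAGS.EvtRenderEventXml;
        Wevtapi.INSTANCE.EvtRender(null, event, flags, 0, null, used, props);
        int err = Kernel32.INSTANCE.GetLastError();
        if (err != WinError.ERROR_INSUFFICIENT_BUFFER) {
            throw new Win32Exception(err);
        }
        Memory buf = new Memory(used.getValue());
        if (!Wevtapi.INSTANCE.EvtRender(null, event, flags, (int) buf.size(), buf, used, props)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        return buf.getWideString(0);
    }

    /**
     * (b) Modern API: read up to {@code max} events from a channel such as "Setup".
     * EvtQuery returns null with a Win32 error for an unknown channel; it never falls back.
     * To read the file directly instead, pass EvtQueryFilePath and a path such as
     * C:\Windows\System32\Winevt\Logs\Setup.evtx.
     */
    public static List<String> readChannelXml(String channel, int max) {
        EVT_HANDLE query = Wevtapi.INSTANCE.EvtQuery(null, channel, "*", Winevt.EVT_QUERY_FLAGS.EvtQueryChannelPath);
        if (query == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        List<String> out = new ArrayList<>();
        try {
            EVT_HANDLE[] batch = new EVT_HANDLE[16];
            IntByReference returned = new IntByReference();
            while (out.size() < max) {
                if (!Wevtapi.INSTANCE.EvtNext(query, batch.length, batch, WinBase.INFINITE, 0, returned)) {
                    int err = Kernel32.INSTANCE.GetLastError();
                    if (err == WinError.ERROR_NO_MORE_ITEMS) {
                        break; // end of the result set
                    }
                    throw new Win32Exception(err);
                }
                for (int i = 0; i < returned.getValue(); i++) {
                    try {
                        if (out.size() < max) {
                            out.add(renderXml(batch[i]));
                        }
                    } finally {
                        Wevtapi.INSTANCE.EvtClose(batch[i]); // every event handle must be closed
                    }
                }
            }
        } finally {
            Wevtapi.INSTANCE.EvtClose(query);
        }
        return out;
    }

    public static void main(String[] args) {
        // Legacy open of a name that really exists under the EventLog key, then the Setup channel.
        WinNT.HANDLE h = openLegacyLogStrict("Windows PowerShell");
        Advapi32.INSTANCE.CloseEventLog(h);
        for (String xml : readChannelXml("Setup", 3)) {
            System.out.println(xml);
        }
    }
}
```

The registry pre-check only covers logs registered under the EventLog key, which is what the quoted documentation requires for the legacy API; newer channels such as Setup do not appear there and must go through EvtQuery, whose error return (rather than a silent fallback) is itself the detection the first question asks for.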

Tdev Test

Dec 8, 2023, 4:06:19 AM
to Java Native Access
Looks like I'm on a quite cold trail. The links you provided look very interesting, I guess this is the right way to go. Thank you very much.