
Using the EvtExportLog function, I currently fail to specify a correct value for the Path and/or Query parameter.

My goal is to export the local Application and System event log.

I've tried:

EvtExportLog(
    IntPtr.Zero, 
    "Application", 
    "*", 
    "C:\\SomePath\\Application.evtx", 
    EventExportLogFlags.LogFilePath);

with the following P/Invoke definition:

[Flags]
private enum EventExportLogFlags
{
    ChannelPath = 1,
    LogFilePath = 2,
    TolerateQueryErrors = 0x1000
};

[DllImport(@"wevtapi.dll", 
    CallingConvention = CallingConvention.Winapi,
    CharSet = CharSet.Auto,
    SetLastError = true)]
private static extern bool EvtExportLog(
    IntPtr sessionHandle,
    string path,
    string query,
    string targetPath,
    [MarshalAs(UnmanagedType.I4)] EventExportLogFlags flags);

Unfortunately the function returns false and a last error code of 2 (ERROR_FILE_NOT_FOUND).

My question:

What to put in the Path and Query parameters to export the local Application and System event log?

1 Answer

To answer my own question:

My Path and Query were actually correct. What was wrong was the Flags parameter.

Instead of specifying the EventExportLogFlags.LogFilePath parameter, I had to specify the EventExportLogFlags.ChannelPath parameter.

Then the export succeeds:

EvtExportLog(
    IntPtr.Zero, 
    "Application", 
    "*", 
    "C:\\SomePath\\Application.evtx", 
    EventExportLogFlags.ChannelPath); // <-- HERE!
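
The following is an added example, not part of the original question or answer: it exports both channels the question asks about (Application and System) with the ChannelPath flag and turns a failed call into an exception carrying the Win32 error code. The class name EventLogExporter and the method ExportChannel are hypothetical; the output directory is the one used in the post.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

static class EventLogExporter   // hypothetical helper name, not from the post
{
    [Flags]
    private enum EventExportLogFlags
    {
        ChannelPath = 1,            // Path names a channel such as "Application"
        LogFilePath = 2,            // Path names an existing log file on disk
        TolerateQueryErrors = 0x1000
    }

    // wevtapi.dll exports only a Unicode EvtExportLog, so marshal strings as UTF-16.
    [DllImport("wevtapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool EvtExportLog(
        IntPtr sessionHandle, string path, string query,
        string targetPath, EventExportLogFlags flags);

    // Exports one live channel from the local machine to <directory>\<channel>.evtx.
    public static string ExportChannel(string channel, string directory)
    {
        string target = Path.Combine(directory, channel + ".evtx");
        // EvtExportLog does not overwrite: the target file must not exist yet.
        if (File.Exists(target))
            throw new IOException("Target already exists: " + target);

        // IntPtr.Zero = local session; "*" = every event in the channel.
        // With LogFilePath, "Application" would be looked up as a file on disk,
        // which is why the call in the question failed with error 2.
        if (!EvtExportLog(IntPtr.Zero, channel, "*", target,
                          EventExportLogFlags.ChannelPath))
            throw new Win32Exception(Marshal.GetLastWin32Error(),
                "EvtExportLog failed for channel " + channel);
        return target;
    }

    static void Main()
    {
        const string outDir = @"C:\SomePath";   // directory used in the post
        Directory.CreateDirectory(outDir);
        foreach (string channel in new[] { "Application", "System" })
            Console.WriteLine("Exported " + ExportChannel(channel, outDir));
    }
}
```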