3

I've been working on an application that use API to get events from the Windows event log. I'm stuck on pointer offsets at the moment. The specific struct I'm using is EVENTLOGRECORD (see: http://msdn.microsoft.com/en-us/library/aa363646(v=vs.85).aspx). My C# struct is defined as:

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 1)]
internal struct EVENTLOGRECORD
{
    internal UInt32 Length;
    internal UInt32 Reserved;
    internal UInt32 RecordNumber;
    internal UInt32 TimeGenerated;
    internal UInt32 TimeWritten;
    internal UInt32 EventID;
    internal UInt16 EventType;
    internal UInt16 NumStrings;
    internal UInt16 EventCategory;
    internal UInt16 ReservedFlags;
    internal UInt32 ClosingRecordNumber;
    internal UInt32 StringOffset;
    internal UInt32 UserSidLength;
    internal UInt32 UserSidOffset;
    internal UInt32 DataLength;
    internal UInt32 DataOffset;
}

My ReadEventLog function is declared as:

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto, EntryPoint = "ReadEventLog")]
internal static extern Boolean ReadEventLog(IntPtr hEventLog, EVT_READ_FLAGS dwReadFlags, UInt32 dwRecordOffset, IntPtr lpBuffer, UInt32 nNumberOfBytesToRead, out UInt32 pnBytesRead, out UInt32 pnMinNumberOfBytesNeeded);

I'm able to get the struct filled with data and I can get to SourceName and ComputerName sections by using IntPtr.Add. Example:

IntPtr pSrc = IntPtr.Add(pRecord, Marshal.SizeOf(typeof(EVENTLOGRECORD)));
string sSrc = Marshal.PtrToStringAuto(pSrc);
Console.WriteLine("source: {0}\n", sSrc);

IntPtr pComp = IntPtr.Add(pSrc, (sSrc.Length * 2) + 2);
string sComp = Marshal.PtrToStringAuto(pComp);
Console.WriteLine("computer: {0}\n", sComp);

My issue is trying to get the Strings portion from the struct. I can't seem to figure out what the correct offsets will be. I can do it in C++, but I can't seem to make it work in C#. Here's a snippet of what I use in C++ (elr is (EVENTLOGRECORD*)pRecord):

char* strings = (LPSTR)((LPBYTE) elr + elr->StringOffset);
while (elr->NumStrings)
{
    wprintf(L"String: %s\n", strings);
    strings += (wcslen((wchar_t*)strings) * sizeof(wchar_t)) + sizeof(wchar_t);
    elr->NumStrings--;
}

Hopefully someone can help explain what I'm missing. I'd also be curious if there are any alternatives to IntPtr.Add since that require .NET 4.0. I'm not an expert with p/invoke by any means. Thanks.

Improve this question
4
  • Is this being done as an exercise? Why not use the System.Diagnostics.EventLog class to read entries? Commented Apr 22, 2011 at 17:23
  • 3
    No. Actually it's being done as a result of a bug in the .NET framework: connect.microsoft.com/VisualStudio/feedback/details/654644/… I filed that one and apparently it's truly an issue. Otherwise, I'd be all over the EventLog class. It's a heck of a lot easier. Commented Apr 22, 2011 at 17:25
  • I don't really understand why a writing bug (which it seems is what the Connect link is) would stop you using the built in classes to read events from the log. Commented Apr 22, 2011 at 17:56
  • @Will Dean - You had to say that twice? My end goal is to monitor events. You can't reliably do this with EntryWritten in the framework. So I have gone to the API to provide the needed functionality. Commented Apr 22, 2011 at 18:03

3 Answers 3

Reset to default
1

It you use Marshal.PtrToStructure() to copy the first part of your block of data to a EVENTLOGRECORD, then you should be able to just do something like:

EVENTLOGRECORD record;
... Copy the ptr into record ...
IntPtr pStrings = IntPtr.Add(pRecord, (record.StringOffset * 2));

I'd be happy to get this going for you, but I'm too lazy to do all the other p/invoke bit which get as far as being able to make the ReadEventLog call.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I can fill out the struct fine with ReadEventLog. I also use: IntPtr pRecord = IntPtr.Zero; object o = Marshal.PtrToStructure(pRecord, typeof(EVENTLOGRECORD)); I just can't see to get all the strings. There are usually more than one indicated by NumStrings in EVENTLOGRECORD.
1

After some time away from coding to clear the brain, I finally have a solution. I was incorrectly making the offset too large since I was taking the size of the struct (EVENTLOGRECORD), adding it to StringOffset, then adding that to the existing object. All I really needed to do was add the offset to the existing IntPtr (pRecord). Not sure why that didn't click before.

So simply doing:

int offset = ((int)(((EVENTLOGRECORD)o).StringOffset));
IntPtr pStrings = IntPtr.Add(pRecord, offset);
string sString = Marshal.PtrToStringAuto(pStrings);
Console.WriteLine("string : {0}\n", sString);

..is enough to get the string. Thanks for the assists though. I apparently lack rep to mark suggestions as helpful. Guess I just needed time away from this.

Improve this answer

Comments

0

It might be too late to ask. Why are you not using the System.Diagnostics.EventLog class of .NET? As far as I can see you have problems with the EventLog class. Did you try the EventLogReader class which does work for Windows Versions Vista and later?

With Reflector you can also find out how they do the marshalling. It looks like that it is not possible to let the marshaller do the complete work. They do read the data intoa a simple byte array and store it inside an EventLogEntry class which does read from the byte array directly the required data.

To read the replacement strings they do in the EventLogEntry class. The databuf member is the byte array from the native ReadEventLog call.

[MonitoringDescription("LogEntryReplacementStrings")]
public string[] ReplacementStrings
{
    get
    {
        string[] strArray = new string[this.ShortFrom(this.dataBuf, this.bufOffset + 0x1a)];
        int index = 0;
        int offset = this.bufOffset + this.IntFrom(this.dataBuf, this.bufOffset + 0x24);
        StringBuilder builder = new StringBuilder();
        while (index < strArray.Length)
        {
            char ch = this.CharFrom(this.dataBuf, offset);
            if (ch != '\0')
            {
                builder.Append(ch);
            }
            else
            {
                strArray[index] = builder.ToString();
                index++;
                builder = new StringBuilder();
            }
            offset += 2;
        }
        return strArray;
    }
}

Yours, Alois Kraus

Improve this answer

4 Comments

See my above comment: connect.microsoft.com/VisualStudio/feedback/details/654644/…
@Deviation - some obscure bug in eventlog entry writing is no reason not to seek inspiration in the framework source for reading event log entries. The code Alois has just posted simply does what you're trying to do.
@Will Dean - Some obscure bug? If you can't read events reliably using the framework, you have to go about it another way. The EntryWritten event has a bug that prevents it from being used reliably. His code wasn't posted when I replied. I'm going through it now to see if that resolves the issue I was having.
@Deviation, sorry, I've read the Connect bug and the linked threads, and they all seemed to be about writing events and the subsequent events which aren't reliably raised. You question did start by saying you were writing an application which 'gets' (I assumed this was reads) events from the log.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.