David_Bennett

I am on the Windows Vista Parental controls team, working on the next version of windows and specifically the parental controls aspects of it. I worked on the web filter, and many other aspects of the system from the control panel up.

Blogs

Reading in Crimson Logs

  • Comments 6
  • Likes

Crimson logs can be read in through c# by use of some bindings to the APIs.  Crimson is a new logging protocol in Windows Vista.

I will start by including all the bindings to the actual apis, then talk about the specific classes than can wrap around them to get useful information out of Crimson.

This has all the crimson functions divided up into sections, when I go through each part of the session I will talk about what Crimson can support for the various types of logging.

///////////////////////////////////////////////////////////////////////////
///
/// <summary>
///     CrimsonEventLog: The structures and functions using P/Invoke for
///     accessing the CrimsonEventLog (Crimson).
/// </summary>
///
///////////////////////////////////////////////////////////////////////////
internal static class CrimsonEventLog
{
    //-----------------------------------------------------------------

    #region Cluster channels

    internal const string ClusterChannelRoot = "Microsoft-Windows-FailoverClustering";
    internal const string ClusterChannelAdmin = "Microsoft-Windows-FailoverClustering/Admin";
    internal const string ClusterChannelOperational = "Microsoft-Windows-FailoverClustering/Operational";

    #endregion

    //-----------------------------------------------------------------

    #region Utility routines

    [DllImport("wevtapi.dll", EntryPoint = "EvtClose",
                             CallingConvention = CallingConvention.Winapi,
                             SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EventClose(IntPtr handlePtr);

#if DEBUG_TEST
    [DllImport( "wevtapi.dll", EntryPoint = "EvtGetExtendedStatus",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true )]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EventGetExtendedStatus( int size,
                                                     StringBuilder buffer,
                                                 ref int charsWritten );
#endif

    #endregion

    //-----------------------------------------------------------------

    #region Session routines

    public enum EventLoginClass
    {
        EvtRpcLogin = 1
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct EventRPCLogin
    {
        // all str params are optional
        internal String server;
        internal String user;
        internal String domain;
        internal String password;
        internal Int32 flags; // currently must be 0.
    }

    [DllImport("wevtapi.dll", EntryPoint = "EvtOpenSession",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true)]
    public static extern IntPtr EventOpenSession(EventLoginClass loginClass,
                                             ref EventRPCLogin Login,
                                                 int timeout,
                                                 int flags);

    #endregion

    //-----------------------------------------------------------------

    #region Log Maintence routines
    [DllImport("wevtapi.dll", EntryPoint = "EvtClearLog",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true)]
    public static extern bool EventClearLog(EventSafeHandle sessionHandle,
                                             string path,
                                             string targetPath,
                                             int flags);

    public enum EventExportLogFlags
    {
        ChannelPath = 1,
        LogFilePath = 2
    };

    [DllImport("wevtapi.dll", EntryPoint = "EvtExportLog",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true)]
    public static extern bool EventExportLog(EventSafeHandle sessionHandle,
                                             string path,
                                             string query,
                                             string targetPath,
                                             [MarshalAs(UnmanagedType.I4)]EventExportLogFlags flags);

    [DllImport("wevtapi.dll", EntryPoint = "EvtArchiveExportedLog",
                     CallingConvention = CallingConvention.Winapi,
                     CharSet = CharSet.Auto,
                     SetLastError = true)]
    public static extern bool EventArchiveLog(EventSafeHandle sessionHandle,
                                             string path,
                                             int lcid,
                                             int flags);

    public enum EventLogOpenFlags
    {
        ChannelPath = 1,
        FilePath = 2
    };

    [DllImport("wevtapi.dll", EntryPoint = "EvtOpenLog",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern IntPtr EventOpenLog(EventSafeHandle sessionHandle,
                                             string path,
                                             [MarshalAs(UnmanagedType.I4)]EventLogOpenFlags flags);

    public enum EventLogPropertyId
    {
        CreationTime = 0,
        LastAccessTime = 1,
        LastWriteTime = 2,
        FileSize = 3,
        Attributes = 4,
        NumberOfLogRecords = 5,
        OldestRecordNumber = 6,
        Full = 7
    };

    [DllImport("wevtapi.dll", EntryPoint = "EvtGetLogInfo",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern bool EventGetLogInfo(EventSafeHandle logHandle,
                                             [MarshalAs(UnmanagedType.I4)]EventLogPropertyId propId,
                                             int bufferSize,
                                             ref EventVariant propertyValueBuffer,
                                             ref int propertyValueBufferUsed);

    #endregion

    //-----------------------------------------------------------------

    #region Subscription routines

    public enum EventSubscribeFlags
    {
        EvtSubscribeToFutureEvents = 0x1,
        EvtSubscribeStartAtOldestRecord = 0x2,
        EvtSubscribeStartAfterBookmark = 0x3,
        EvtSubscribeInternal = 0x4
    }

    public enum EventSubscribeNotifyAction
    {
        EvtSubscribeActionError = 0x0,
        EvtSubscribeActionDeliver = 0x1
    }

    public enum EventEventPropertyId
    {
        EvtEventQueryIDs = 0x0,
        EvtEventPath = 0x1
    }

    public delegate Int32 EventSubscribeCallback([MarshalAs(UnmanagedType.I4)]EventSubscribeNotifyAction action,
                                                    IntPtr context,
                                                    IntPtr eventPtr);

    [DllImport("wevtapi.dll", EntryPoint = "EvtSubscribe",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true)]
    public static extern IntPtr EventSubscribe(EventSafeHandle sessionHandle,
                                                IntPtr signalEvent,
                                                String channelPath,
                                                String query,
                                                IntPtr bookMark,
                                                IntPtr context,
                                                [MarshalAs(UnmanagedType.I4)]EventSubscribeCallback eventCallback,
                                                int flags);

    #endregion

    //-----------------------------------------------------------------

    #region Query routines

    public enum EventQueryFlags
    {
        EvtQueryChannelPath = 0x1,
        EvtQueryFilePath = 0x2,
        EvtQueryForwardDirection = 0x100,
        EvtQueryReverseDirection = 0x200,
    }

    [DllImport("wevtapi.dll", EntryPoint = "EvtQuery", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr EventQuery(
        EventSafeHandle sessionHandle,
        String path,
        String query,
        [MarshalAs(UnmanagedType.I4)]EventQueryFlags flags);

    [DllImport("wevtapi.dll", EntryPoint = "EvtNext", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool EventNext(
        EventSafeHandle resultSet,
        int eventsSize,
        IntPtr[] events,
        int timeout,
        int flags,
        ref int returned);

    #endregion

    //-----------------------------------------------------------------

    #region Channel enumeration routines

    [DllImport("wevtapi.dll", EntryPoint = "EvtOpenChannelEnum", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr EventOpenChannelEnum(
        EventSafeHandle session,
        int flags);

    [DllImport("wevtapi.dll", EntryPoint = "EvtNextChannelPath", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool EventNextChannelPath(
        EventSafeHandle channelEnum,
        int channelPathBufferSize,
        StringBuilder channelPathBuffer,
        out int channelPathBufferUsed);

    #endregion

    //-----------------------------------------------------------------

    #region Channel config routines

    public enum ChannelConfigPropertyID
    {
        ChannelConfigEnabled = 0,
        ChannelConfigIsolation = 1,
        ChannelConfigType = 2,
        ChannelConfigIsClassicChannel = 3,
        ChannelConfigAccess = 4,
        ChannelLoggingConfigRetention = 5,
        ChannelLoggingConfigAutoBackup = 6,
        ChannelLoggingConfigMaxSize = 7,
        ChannelLoggingConfigLogFilePath = 8,
        ChannelPublishingConfigLevel = 9,
        ChannelPublishingConfigKeywords = 10,
        ChannelPublishingConfigControlGuid = 11,
        ChannelConfigPropertyIdEND
    };

    public enum ChannelType
    {
        Admin = 0,
        Operational = 1,
        Analytic = 2,
        Debug = 3,
        Unknown = 4
    };

    [DllImport("wevtapi.dll", EntryPoint = "EvtOpenChannelConfig", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr EventOpenChannelConfig(
        EventSafeHandle session,
        string channelPath,
        int flags);

    [DllImport("wevtapi.dll", EntryPoint = "EvtGetChannelConfigProperty", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool EventGetChannelConfigProperty(
        EventSafeHandle channelConfig,
        [MarshalAs(UnmanagedType.I4)]ChannelConfigPropertyID propertyId,
        int flags,
        int propertyValueBufferSize,
        ref EventVariant propertyValueBuffer,
        out int propertyValueBufferUsed);

    [DllImport("wevtapi.dll", EntryPoint = "EvtSetChannelConfigProperty", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool EventSetChannelConfigProperty(
        EventSafeHandle channelConfig,
        [MarshalAs(UnmanagedType.I4)]ChannelConfigPropertyID propertyId,
        int flags,
        ref EventVariant propertyValueBuffer);

    [DllImport("wevtapi.dll", EntryPoint = "EvtSaveChannelConfig", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool EventSaveChannelConfig(
        EventSafeHandle channelConfig,
        int Flags
        );
    #endregion

    //-----------------------------------------------------------------

    #region Rendering routines

    public enum EventRenderContextFlags
    {
        EvtRenderContextValues = 0x0, // Render specific properties
        EvtRenderContextSystem = 0x1,    // Render all system properties (System)
        EvtRenderContextUser = 0x2     // Render all user properties (User/EventData)
    }

    public enum EventRenderFlags
    {
        EvtRenderEventValues = 0x0,     // Variants
        EvtRenderEventXml = 0x1,         // System properties, ForwardingInfo, User/EventData
        EvtRenderBookmark = 0x2
    }

    [DllImport("wevtapi.dll", EntryPoint = "EvtCreateRenderContext",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true)]
    public static extern IntPtr EventCreateRenderContext(Int32 countOfValues,
                                                         String[] valuePaths,
                                                         Int32 flags);

    [DllImport("wevtapi.dll", EntryPoint = "EvtRender",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EventRender(IntPtr context,
                                         PushEventHandle eventHandle,
                                         int flags,
                                         int buffSize,
                                         byte[] buffer,
                                     ref int buffUsed,
                                     ref int propCount);

#if DEBUG_TEST

    [DllImport( "wevtapi.dll", EntryPoint = "EvtRender",
                             CallingConvention = CallingConvention.Winapi,
                             CharSet = CharSet.Auto,
                             SetLastError = true )]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EventRender( IntPtr context,
                                         PushEventHandle eventHandle,
                                         int flags,
                                         int buffSize,
                                         StringBuilder buffer,
                                     ref int buffUsed,
                                     ref int propCount );

#endif

    #endregion

    //-----------------------------------------------------------------

    #region Formatting routines

    public enum EventFormatMessageFlags
    {
        EvtFormatMessageEvent = 0x1,
        EvtFormatMessageLevel = 0x2,
        EvtFormatMessageTask = 0x3,
        EvtFormatMessageOpcode = 0x4,
        EvtFormatMessageKeyword = 0x5
    }

    [DllImport("wevtapi.dll", EntryPoint = "EvtFormatMessage",
                     CallingConvention = CallingConvention.Winapi,
                     CharSet = CharSet.Auto,
                     SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool EventFormatMessage(EventSafeHandle publisherHandle,
                                                 PushEventHandle eventHandle,
                                                 int messageId,
                                                 int valueCount,
                                                 [In] byte[] valueBuffer,
                                                 int flags,
                                                 int buffSize,
                                                 StringBuilder buffer,
                                             ref int buffUsed);
#endregion

    //-----------------------------------------------------------------

    #region Publisher routines
    internal enum EventPublisherMetadataId
    {
        EvtPublisherMetadataPublisherGuid = 0,     // EvtVarTypeGuid
        EvtPublisherMetadataResourceFilePath,     // EvtVarTypeString
        EvtPublisherMetadataParameterFilePath,     // EvtVarTypeString
        EvtPublisherMetadataMessageFilePath,        // EvtVarTypeString
        EvtPublisherMetadataHelpLink,             // EvtVarTypeString
        EvtPublisherMetadataPublisherMessageID,     // EvtVarTypeUInt32

        EvtPublisherMetadataChannelReferences,     // EvtVarTypeEvtHandle, ObjectArray
        EvtPublisherMetadataChannelReferencePath, // EvtVarTypeString
        EvtPublisherMetadataChannelReferenceIndex, // EvtVarTypeUInt32
        EvtPublisherMetadataChannelReferenceID,     // EvtVarTypeUInt32
        EvtPublisherMetadataChannelReferenceFlags, // EvtVarTypeUInt32
        EvtPublisherMetadataChannelReferenceMessageID, // EvtVarTypeUInt32

        EvtPublisherMetadataLevels,                 // EvtVarTypeEvtHandle, ObjectArray
        EvtPublisherMetadataLevelName,             // EvtVarTypeString
        EvtPublisherMetadataLevelValue,             // EvtVarTypeUInt32
        EvtPublisherMetadataLevelMessageID,         // EvtVarTypeUInt32

        EvtPublisherMetadataTasks,                 // EvtVarTypeEvtHandle, ObjectArray
        EvtPublisherMetadataTaskName,             // EvtVarTypeString
        EvtPublisherMetadataTaskEventGuid,         // EvtVarTypeGuid
        EvtPublisherMetadataTaskValue,             // EvtVarTypeUInt32
        EvtPublisherMetadataTaskMessageID,         // EvtVarTypeUInt32

        EvtPublisherMetadataOpcodes,                // EvtVarTypeEvtHandle, ObjectArray
        EvtPublisherMetadataOpcodeName,             // EvtVarTypeString
        EvtPublisherMetadataOpcodeValue,            // EvtVarTypeUInt32
        EvtPublisherMetadataOpcodeMessageID,        // EvtVarTypeUInt32

        EvtPublisherMetadataKeywords,             // EvtVarTypeEvtHandle, ObjectArray
        EvtPublisherMetadataKeywordName,            // EvtVarTypeString
        EvtPublisherMetadataKeywordValue,         // EvtVarTypeUInt64
        EvtPublisherMetadataKeywordMessageID,     // EvtVarTypeUInt32
    };

    [DllImport("wevtapi.dll", EntryPoint = "EvtOpenPublisherMetadata",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern IntPtr EventOpenPublisherMetadata(EventSafeHandle sessionHandle,
                                                            string publisherId,
                                                            string logFilePath,
                                                            int locale,
                                                            int flags);

    [DllImport("wevtapi.dll", EntryPoint = "EvtGetPublisherMetadataProperty",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern bool EventGetPublisherMetadataProperty(
        EventSafeHandle publisherHandle,
        [MarshalAs(UnmanagedType.I4)]EventPublisherMetadataId propId,
        int flags,
        int buffsize,
        ref EventVariant buffer,
        ref int buffUsed);

    [DllImport("wevtapi.dll", EntryPoint = "EvtGetObjectArraySize",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern bool EventGetObjectArraySize(PushEventHandle arrayHandle,
                                                         ref int count);

    [DllImport("wevtapi.dll", EntryPoint = "EvtGetObjectArrayProperty",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern bool EventGetObjectArrayProperty(
        PushEventHandle arrayHandle,
        [MarshalAs(UnmanagedType.I4)]EventPublisherMetadataId propId,
        int arrayIndex,
        int flags,
        int buffSize,
        ref EventVariant buffer,
        ref int buffUsed);

    [DllImport("wevtapi.dll", EntryPoint = "EvtGetObjectArrayProperty",
             CallingConvention = CallingConvention.Winapi,
             CharSet = CharSet.Auto,
             SetLastError = true)]
    public static extern bool EventGetObjectArrayProperty(
        PushEventHandle arrayHandle,
        [MarshalAs(UnmanagedType.I4)]EventPublisherMetadataId propId,
        int arrayIndex,
        int flags,
        int buffSize,
        ref EventVariantString buffer,
        ref int buffUsed);
    #endregion

    //-----------------------------------------------------------------

    #region Variant structures

    public enum EventVariantType
    {
        EvtVarTypeNull = 0,
        EvtVarTypeString = 1,
        EvtVarTypeAnsiString = 2,
        EvtVarTypeSByte = 3,
        EvtVarTypeByte = 4,
        EvtVarTypeInt16 = 5,
        EvtVarTypeUInt16 = 6,
        EvtVarTypeInt32 = 7,
        EvtVarTypeUInt32 = 8,
        EvtVarTypeInt64 = 9,
        EvtVarTypeUInt64 = 10,
        EvtVarTypeSingle = 11,
        EvtVarTypeDouble = 12,
        EvtVarTypeBoolean = 13,
        EvtVarTypeBinary = 14,
        EvtVarTypeGuid = 15,
        EvtVarTypeSizeT = 16,
        EvtVarTypeFileTime = 17,
        EvtVarTypeSysTime = 18,
        EvtVarTypeSid = 19,
        EvtVarTypeHexInt32 = 20,
        EvtVarTypeHexInt64 = 21,

        // These types used internally
        EvtVarTypeEvtHandle = 32,
        EvtVarTypeEvtXml = 35
    }

    public enum EventVariantTypeMask
    {
        EvtVarTypeMask = 0x7f,
        EvtVarTypeArray = 128
    }

    //Commenting some members to reduce the number
    // of fxcop errors
    [ComVisible(false)]
    [StructLayout(LayoutKind.Explicit)]
    unsafe public struct EventVariant
    {
        [FieldOffset(0)]
        public int BooleanVal;
        [FieldOffset(0)]
        public sbyte SByteVal;
        [FieldOffset(0)]
        public Int16 Int16Val;
        [FieldOffset(0)]
        public Int32 Int32Val;
        [FieldOffset(0)]
        public Int64 Int64Val;
        [FieldOffset(0)]
        public byte ByteVal;
        [FieldOffset(0)]
        public UInt16 UInt16Val;
        [FieldOffset(0)]
        public UInt32 UInt32Val;
        [FieldOffset(0)]
        public UInt64 UInt64Val;
        [FieldOffset(0)]
        public float SingleVal;
        [FieldOffset(0)]
        public double DoubleVal;
        [FieldOffset(0)]
        public UInt64 FileTimeVal;
        [FieldOffset(0)]
        public UInt64 SysTimeVal;
        [FieldOffset(0)]
        public IntPtr ByteArr;

        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2006:UseSafeHandleToEncapsulateNativeResources")]
        [FieldOffset(0)]
        public IntPtr StringVal;

        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2006:UseSafeHandleToEncapsulateNativeResources")]
        [FieldOffset(0)]
        public IntPtr SidVal;

        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Reliability", "CA2006:UseSafeHandleToEncapsulateNativeResources")]
        [FieldOffset(0)]
        public IntPtr EvtHandleVal;

        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1823:AvoidUnusedPrivateFields")]
        [FieldOffset(8)]
        public int ItemCount; // number of elements (not length) in bytes.
        [FieldOffset(12)]
        public int Type;
    }

    /// <summary>
    /// Use this structure to deal with variants that require strings.
    /// </summary>
    [ComVisible(false)]
    [StructLayout(LayoutKind.Explicit)]
    unsafe public struct EventVariantString
    {
        [FieldOffset(0)]
        public EventVariant var;
        [FieldOffset(16)]
        public fixed byte data[2000];
    }
    #endregion

    //-----------------------------------------------------------------
}
Comments
  • I was going thru yor Crimson Log. I am primarily a C++ guy, I tried to make out what u had bloged in C#, can you tell me how to translate a "Security" event log using the new APIs say "EvtFormatMessage". I had used successfully the old FormatMessage API to translate security events. But the new one is bit confusing. Can you help me in solving this. It will be very helpful for me if you use C++.

  • Sorry, I didn't see this earlier.

    Not quite sure what you are after with your crimson question, I hope you got an answer for it though.

    If you want to translate the security event into xml you would use the method EvtRender(eventHandle, EvtRenderEventXml, buffer, buffsize, &sizeret, &numProps);

    The other way to get at the values is to use EvtRender(eventHandle, EvtRenderEventValues, ...);  This will turn the return collection into an array of type EventVariant of the size of the numProps that is passed back.  In this case you cannot find out the names of each of the fields, but you can get the data of each one by index.  So if you know the indexes for the security event you want to read you can pull them our using this mechanism.

    There is a EvtFormatMessage as well, it will turn the event into a text representation of the event but it is likely this is not what you want.

  • Thanks for the comments.

    Actually I want the events not in XML but in text format. I was able to translate all the logs, say, Security, System and application; including the event description part in text format in VISTA Beta2. But the moment I installed the publicly released Windows VISTA Business, downloaded from MSDN subscriber downloads, I am getting all event properties like event id, source name, username, system name etc., but fails to get the event description which I used to get when using EvtFormatMessage function in old Vista Beta2. I am getting the error code 1815, which says, The specified resource language ID cannot be found in the image file.

    The code, which I used to get event description, is given below:

    In VISTA Beta2:

    EvtFormatMessage(hpublisherConfig, hEvent, NULL, dwPropertyCount, valArray, EvtFormatMessageEvent, dwBuffSize, wcBuf, &dwBuffUsed);

    In VISTA Release:

    As the same code which I was using in VISTA Beta was not working, I thought of replacing the third para of EvtFormatMessage, which is, DWORD MessageId, with publisher's message resource, instead of NULL as given above. But still its not working for me. Can you please shed some light into this problem.

    The new code, which I discussed, is given below:

    EvtGetPublisherMetadataProperty(

           hpublisherConfig, EvtPublisherMetadataPublisherMessageID,

           0, bufferSize, metadataProperty, &bufferSize);

    EvtFormatMessage(hpublisherConfig, hEvent, (*metadataProperty).UInt32Val, dwPropertyCount, valArray, EvtFormatMessageEvent, dwBuffSize, wcBuf, &dwBuffUsed);

  • There were a bunch of changes to the Crimson Logs since beta 2.  They changed how the security and system logs were logged, amongst other things.

    The error you are getting is because the system cannot find the dll with the resources it needs for the logs you are looking at, vista compiles the manifest for the logs and puts it into a resource dll which is then loaded to get the various display strings for the various events.

    Are you seeing this for the system logs?  One way to check and make sure that the resource dll's exist correctly is to use the control panel event log code to look at the event logs.  If it can display the event logs correctly then anything can.

    You can also use wevtutil to find out the resource dll's using:

    wevtutil gp Microsoft-Windows-ParentalCOntrols

    This will show you the resource dll and all the known channels, levels, opcodes, keywords and tasks with their numbers and text translations.

    Hope this helps.

  • Thanks David, for the comments. After reading what you had commented, saying, bunch of changes to the Crimson Logs since beta 2. I checked out the SDK I was using. It was an old one then I updated my Windows SDK for Vista posted at MSDN link on 29 Nov 2006. After that my event translation issue got solved.

    But now a new issue has come up. What is happening is, some of the values in event description is not translated. MSDN says, when the EvtFormatMessageEvent or EvtFormatMessageId flag is specified, the EvtFormatMessage function performs insertions and parameter substitutions. I had used EvtFormatMessageEvent in EvtFormatMessage flag parameter. But its not doing the translation or insertion of values in event description. I don't understand, the way I am written the code is right or not or even VISTA or Win SDK got any issues with EvtFormatMessage API. Can you please through some light into it.

    I had given the code and the event desc. which I am getting.

    The code which I am using is given below:

    -----------------------------------

    I am subscribing events from the event log, so in the callback subscription function after EvtRender:

    hpublisherConfig = EvtOpenPublisherMetadata( NULL, publisherName, NULL, GetUserDefaultLCID(), 0);

    bRet = EvtFormatMessage(hpublisherConfig, hEvent, NULL, dwPropertyCount, valArray, EvtFormatMessageEvent, dwBuffSize, wcBuf, &dwBuffUsed);

    Event details from windows event viewer:

    ----------------------------------------

    Event Id: 4656

    Evt Source: Security-Auditing

    log type  : Security

    Description:

    ======================================================================================

    ======================================================================================

    A handle to an object was requested. ==

    ==

    Subject: ==

    Security ID: vistadev\Administrator ==

    Account Name: Administrator ==

    Account Domain: vistadev ==

    Logon ID: 0x8591b ==

    ==

    Object: ==

    Object Server: Security ==

    Object Type: File ==

    Object Name: C:\Windows\System32\eventvwr.msc ==

    Handle ID: 0x0 ==

    ==

    Process Information: ==

    Process ID: 0xde0 ==

    Process Name: C:\Windows\System32\mmc.exe ==

    ==

    Access Request Information: ==

    Transaction ID: {00000000-0000-0000-0000-000000000000} ==

    Accesses: READ_CONTROL ==

    SYNCHRONIZE ==

    WriteData (or AddFile) ==

    AppendData (or AddSubdirectory or CreatePipeInstance) ==

    WriteEA ==

    ReadAttributes ==

    WriteAttributes ==

    ==

    Access Mask: 0x120196 ==

    Privileges Used for Access Check: - ==

    Restricted SID Count: 0 ==

    ======================================================================================

    ======================================================================================

    For the same event the details fetched using EvtFormatMessage API

    -----------------------------------------------------------------

    ======================================================================================

    ======================================================================================

    A handle to an object was requested. ==

    ==

    Subject: ==

    Security ID: Microsoft-Windows-Security-Auditing ==

    Account Name: {54849625-5478-4994-A5BA-3E3B0328C30D} ==

    Account Domain: 4656 ==

    Logon ID: ==

    ==

    Object: ==

    Object Server: 0 ==

    Object Type: 12800 ==

    Object Name: 0 ==

    Handle ID: 0x8010000000000000 ==

    ==

    Process Information: ==

    Process ID: 64 ==

    Process Name: Security ==

    ==

    Access Request Information: ==

    Transaction ID: 2007-01-04T07:20:44.505Z ==

    Accesses: 400106 ==

    Access Mask: ==

    Privileges Used for Access Check: ==

    Restricted SID Count: 4 ==

    ======================================================================================

    ======================================================================================

    Environment:

    OS: Windows VISTA Business (public release)

    Tool : VS 2005 (VC++ 8)

    SDK  : Windows Software Development Kit (SDK) for Windows Vista, posted at MSDN link on 29 Nov 2006.

  • Hi,

    I am using .Net 3.5 to access the crimson logs from a remote computer. I need to extract some information from user defined Properties(EventData) in each record.

    EventRecord class only provides list of property Values and does not provide Name based lookup.

    Is there any way I can lookup property value(EventData) based on the name?

    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

    - <System>

     <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6d64f02c-a125-4dac-9a01-f0555b41ca84}" />

     <EventID>75</EventID>

     <Version>0</Version>

     <Level>4</Level>

     <Task>0</Task>

     <Opcode>0</Opcode>

     <Keywords>0x8000000000000000</Keywords>

     <TimeCreated SystemTime="2008-10-07T17:06:53.016356400Z" />

     <EventRecordID>2</EventRecordID>

     <Correlation />

     <Execution ProcessID="2788" ThreadID="2352" />

     <Channel>Microsoft-Windows-Dhcp-Server/Operational</Channel>

     <Computer>DHCPCLUSTER2.fareast.corp.microsoft.com</Computer>

     <Security UserID="S-1-5-21-2146773085-903363285-719344707-222982" />

     </System>

    - <EventData>

     <Data Name="IP_ScopeName">[[172.23.90.0]test scope]</Data>

     <Data Name="ModifiedDuration">1200</Data>

     <Data Name="ClientName">FAREAST\dhcpilab</Data>

     <Data Name="OriginalDuration">19200</Data>

     </EventData>

     </Event>

    Nimish

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment