TYPE question

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Scott Turchin
    replied
    PS, this is working:

    Code:
    'Read the event log into eBuff() (a 1-based BYTE array), then overlay the
    'fixed part of the record onto the EVENTLOGRECORD TYPE.
    dwRecordOffset = 1
    pnMinNumberOfBytesNeeded = 50000&

    lResult = ReadEventLog(ByVal hEventLog, _
                           ByVal (%EVENTLOG_SEEK_READ Or %EVENTLOG_FORWARDS_READ), _
                           ByVal dwRecordOffset, _
                           ByVal VarPtr(eBuff(1)), _
                           pnMinNumberOfBytesNeeded, _
                           pnBytesRead, _
                           pnBytesNeeded)

    'Copy the start of the raw record over the TYPE: the first 56 bytes are the
    'fixed header, the fixed-length strings in the TYPE overlay the variable tail.
    MoveMemory VarPtr(lpBuffer), VarPtr(eBuff(1)), Len(EVENTLOGRECORD)
    If IsFalse lResult Then
       MsgBox "Could not read event log", %MB_ICONSTOP, "EventLog"
       GoTo DONE
    End If
    'MsgBox ReturnDate(lpBuffer.TimeGenerated)
    MsgBox "Source Name: " & lpBuffer.SourceName & $CRLF & "Computer Name: " & lpBuffer.ComputerName & $CRLF & "Strings: " & lpBuffer.Strings
    'MsgBox "Length:" & Str$(EvtRecLen) & "   pnBytesRead:" & Str$(pnBytesRead) & "   pnMinNumberOfBytesNeeded:" & Str$(pnMinNumberOfBytesNeeded) & "   Len(EVENTLOGRECORD):" & Str$(Len(EVENTLOGRECORD))
    'MsgBox "StringOffset:" & Str$(lpBuffer.StringOffset) & "   NumStrings:" & Str$(lpBuffer.NumStrings) & "   UserSidLength:" & Str$(lpBuffer.UserSidLength)
    'Walk the insertion strings: StringOffset is 0-based from the record start,
    'eBuff() is 1-based, hence the +1. Printable bytes are kept, each NUL
    'terminator becomes a line break, everything else is dropped.
    For lLoop = lpBuffer.StringOffset + 1 To lpBuffer.Length
        If eBuff(lLoop) > 31 Then
            OutBuff = OutBuff & Chr$(eBuff(lLoop))
        ElseIf eBuff(lLoop) = 0 Then
            OutBuff = OutBuff & $CRLF
        End If
    Next
    Function = OutBuff
    DONE:
    lResult = CloseEventLog(ByVal hEventLog)
    ------------------
    Scott

  • Scott Turchin
    started a topic TYPE question

    TYPE question

    Still on the eventlog, the function I have returns:
    lpBuffer as EVENTLOG

    and so far returns everything correctly, which leads me to believe I do not have to parse the original byte record to get the data.

    So far this is what I have; I have to modify the Win32api.inc file to make this work, but this is it so far:

    Question: How do I get a BYTE array into the TYPE structure?
    Specifically STRINGS, etc.; and ComputerName is not yet working...


    I'm going to do this the right way...hehe

    Code:
    TYPE EVENTLOGRECORD
      Length AS DWORD              ' Length of full record
      Reserved AS DWORD            ' Used by the service
      RecordNumber AS DWORD        ' Absolute record number
      TimeGenerated AS DWORD       ' Seconds since 1-1-1970
      TimeWritten AS DWORD         ' Seconds since 1-1-1970
      EventID AS DWORD
      EventType AS WORD
      NumStrings AS WORD
      EventCategory AS WORD
      ReservedFlags AS WORD        ' For use with paired events (auditing)
      ClosingRecordNumber AS DWORD ' For use with paired events (auditing)
      StringOffset AS DWORD        ' Offset from beginning of record
      UserSidLength AS DWORD
      UserSidOffset AS DWORD
      DataLength AS DWORD
      DataOffset AS DWORD          ' Offset from beginning of record
      SourceName As String * 17
      ComputerName As String * 17
      Strings As String * 255
      '
      ' Then follow:
      '
      ' WCHAR SourceName[]
      ' WCHAR Computername[]
      ' SID   UserSid
      ' WCHAR Strings[]
      ' BYTE  Data[]
      ' CHAR  Pad[]
      ' DWORD Length;
    END TYPE

    ------------------
    Scott
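
The layout in the TYPE above (a 56-byte fixed header followed by SourceName, ComputerName, the SID, the insertion strings and the data, all located by the record's own offsets) is the whole answer to the question of getting the BYTE array into a structure: unpack the fixed header, then follow the offsets. The following is an added example, not the poster's code and not PowerBASIC; it does the same job in Python with struct so the parsing logic can be checked on a constructed record. The record bytes, the SID and the event values are constructed here for the demo, not captured from a real log. It also validates the "LfLe" marker, the trailing Length copy and every offset before using them, which is what a log-collection or forensics tool needs so that a truncated or corrupted record fails loudly instead of being misread.

```python
import struct
from datetime import datetime, timezone

# Fixed header: 6 DWORDs, 4 WORDs, 6 DWORDs, little-endian (56 bytes total).
HEADER_FMT = "<6I4H6I"
HEADER_LEN = struct.calcsize(HEADER_FMT)
LFLE = 0x654C664C  # the Reserved field always holds the ASCII marker "LfLe"


def read_wstr(buf, off):
    """Return the NUL-terminated UTF-16LE string at off and the offset past it."""
    end = off
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string at offset %d" % off)
        if buf[end:end + 2] == b"\x00\x00":
            break
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def sid_to_string(sid):
    """Render a binary SID (revision, count, 48-bit authority, sub-authorities) as S-1-..."""
    if len(sid) < 8 or len(sid) < 8 + 4 * sid[1]:
        raise ValueError("truncated SID")
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_record(buf, off=0):
    """Parse one EVENTLOGRECORD at off; return (fields, offset of the next record)."""
    if off + HEADER_LEN > len(buf):
        raise ValueError("buffer too short for a record header")
    (length, reserved, rec_no, t_gen, _t_wr, event_id, ev_type, n_strings,
     category, _flags, _closing, str_off, sid_len, sid_off,
     data_len, data_off) = struct.unpack_from(HEADER_FMT, buf, off)
    if reserved != LFLE:
        raise ValueError("missing LfLe marker: not an EVENTLOGRECORD")
    if length < HEADER_LEN + 4 or off + length > len(buf):
        raise ValueError("record length %d runs past the buffer" % length)
    rec = buf[off:off + length]
    # The record ends with a second copy of Length; a mismatch means corruption.
    if struct.unpack_from("<I", rec, length - 4)[0] != length:
        raise ValueError("trailing length does not match header")
    # Every offset the record supplies must stay inside the record itself.
    for o, n in ((sid_off, sid_len), (data_off, data_len), (str_off, 0)):
        if o < HEADER_LEN or o + n > length - 4:
            raise ValueError("offset %d+%d outside record" % (o, n))
    source, pos = read_wstr(rec, HEADER_LEN)   # SourceName directly follows the header
    computer, _ = read_wstr(rec, pos)          # ComputerName follows SourceName
    strings, pos = [], str_off
    for _ in range(n_strings):                 # NumStrings insertion strings at StringOffset
        s, pos = read_wstr(rec, pos)
        strings.append(s)
    sid = bytes(rec[sid_off:sid_off + sid_len])
    return {
        "length": length, "record_number": rec_no, "time_generated": t_gen,
        "time_generated_utc": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,         # low word is the event code
        "event_type": ev_type, "category": category,
        "source": source, "computer": computer, "strings": strings,
        "sid": sid_to_string(sid) if sid else None,
        "data": bytes(rec[data_off:data_off + data_len]),
    }, off + length


def parse_buffer(buf):
    """Walk a buffer of back-to-back records, as ReadEventLog fills it."""
    records, off = [], 0
    while off + HEADER_LEN <= len(buf):
        rec, off = parse_record(buf, off)
        records.append(rec)
    return records


def build_record(rec_no, t_gen, event_id, ev_type, source, computer, strings, sid=b"", data=b""):
    """Build a constructed record in the documented layout (demo helper only)."""
    body = bytearray()
    body += source.encode("utf-16-le") + b"\x00\x00"
    body += computer.encode("utf-16-le") + b"\x00\x00"
    while (HEADER_LEN + len(body)) % 4:        # the SID is DWORD aligned
        body += b"\x00"
    sid_off = HEADER_LEN + len(body)
    body += sid
    str_off = HEADER_LEN + len(body)
    for s in strings:
        body += s.encode("utf-16-le") + b"\x00\x00"
    data_off = HEADER_LEN + len(body)
    body += data
    while (HEADER_LEN + len(body) + 4) % 4:    # Pad[] so Length is a DWORD multiple
        body += b"\x00"
    length = HEADER_LEN + len(body) + 4
    header = struct.pack(HEADER_FMT, length, LFLE, rec_no, t_gen, t_gen, event_id,
                         ev_type, len(strings), 0, 0, 0, str_off, len(sid), sid_off,
                         len(data), data_off)
    return header + bytes(body) + struct.pack("<I", length)


LOCAL_SYSTEM_SID = b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"  # S-1-5-18

# Constructed sample buffer: two records as ReadEventLog would hand them back.
SAMPLE = (build_record(4242, 1000000000, 528, 8, "Security", "WORKSTATION1",
                       ["Administrator", "WORKSTATION1", "(0x0,0x3E7)", "2"], LOCAL_SYSTEM_SID)
          + build_record(4243, 1000000060, 6005, 4, "EventLog", "WORKSTATION1", []))

if __name__ == "__main__":
    for r in parse_buffer(SAMPLE):
        print(r["record_number"], r["time_generated_utc"], r["source"], r["event_id"], r["strings"])
```

The loop in parse_buffer is the equivalent of walking eBuff() from the first record's Length to the next; because each record's Length is also stored at its end, a reader can check the two copies agree before trusting any offset inside the record.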