I need to read the Security Event Log and then show the EVENTLOGRECORD as a
String. Reading records works fine but when I format the string that I'm
going to show the FormatMessage function generate an "Unhandled exception ...
(NTDLL.DLL) ... Access violation". I found a code sample on the net that I've
used to format the string but this generate the same problem. I need your
help. Now, I posted this code this funtion to format the EVENTLOGRECORD data,
any suggestions?.
BOOL GetDescription(char *Log, EVENTLOGRECORD *EventLogRecPtr, char *tmpStr)
{
int i=0,I ,j;
unsigned long FileNameModuleSize = 100;
char tmp[200];
HKEY nKeyHandle=0;
BYTE FileNameModule[100],expbuffer[BUFFER_SIZE];
LPTSTR message, *strings, AllocedStr[20] ;
LPVOID lpBuffer;
sprintf(tmp,"SYSTEM\\CurrentControlSet\\Services\\ EventLog\\%s\\%s",
Log, (LPBYTE)EventLogRecPtr + sizeof(EVENTLOGRECORD));
RegOpenKey(HKEY_LOCAL_MACHINE,(LPTSTR) tmp,&nKeyHandle);
RegQueryValueEx(nKeyHandle,"EventMessageFile",NULL ,NULL,
FileNameModule, &FileNameModuleSize);
ExpandEnvironmentStrings((LPCTSTR)FileNameModule, (LPSTR)expbuffer,
BUFFER_SIZE);
RegCloseKey(HKEY_LOCAL_MACHINE);
if (nKeyHandle)
{
message = (LPTSTR)((LPBYTE)EventLogRecPtr + EventLogRecPtr->StringOffset);
strings = (char**)malloc(sizeof(LPVOID)*EventLogRecPtr->NumStrings);
for (j = 0; j < EventLogRecPtr->NumStrings;j++)
{
if (strstr(message,"%%"))
{
(LPTSTR) strings[j] = GetParameterMsg(message, tmp);
AllocedStr[i++] = strings[j];
}
else
(LPTSTR) strings[j] = message;
message = message + strlen(message) +1;
}
HMODULE hlib = LoadLibraryEx((LPCTSTR)expbuffer, NULL,
LOAD_LIBRARY_AS_DATAFILE);
I=FormatMessage( FORMAT_MESSAGE_FROM_HMODULE |
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_ARGUMENT_ARRAY,
hlib,
EventLogRecPtr->EventID,
0,
(LPTSTR)&lpBuffer,
sizeof(lpBuffer),
(LPTSTR *)(strings));
if( I == 0)
{
while (i >0)
{
free(AllocedStr[--i]);
}
MissatgesError();
if(lpBuffer == NULL)
LocalFree( lpBuffer );
return False;
}
strcpy(tmpStr, (char *) lpBuffer);
for(I = 0; I< (int) strlen(tmpStr);I++)
{
if((tmpStr[i] != 0) && ((tmpStr[i] > 0 && tmpStr[i] < 32)))
tmpStr[i] = 32;
}
LocalFree( lpBuffer );
FreeLibrary(hlib);
return True;
}
return False;
}