Event ID does not match what is shown in Event Viewer
In the System event log is an event with the following details:
Source: Kernel-General
Event ID: 1
Details: The system time has changed to 2010-07-17T02:58:20.285000000Z from 2010-07-17T02:58:20.285868600Z.
The EVENTLOGRECORD also has a 1 for the EventID field, so it matches what we see in the Event Log viewer.
So far so good.
The problem is, when you look in advapi32.dll, which is where this source gets its messages from, you see this:
ID:01000001
String: The system time has changed to %1 from %2.
How does the Event Log Viewer magically know to add those extra bits to the ID to find the right string? Not all event strings have that upper bit, and some have other upper bits set.
Calling FormatMessage with 1 fails. Calling it with x01000001 succeeds. But that's not what the event log record contains... :(
No docs that I can find discuss this at all (other than describing the ID format, which shows error/severity/facility/code bits).
Supposedly, in Windows XP and earlier the Event ID was directly mapped to the Message ID within the message table. With Vista and later there are two ways that the Event ID can be mapped to the Message ID.
This article describes the two ways in more detail:
https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#message-string-identifier
For this "The system time has changed..." event in particular, Windows 10 is using the Windows Event Template Resource. If you look up the EventMessageFile key in the registry for this event (based on the Event Source = Microsoft-Windows-Kernel-General), you find the Provider DLL.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-Kernel-General
You can then use the Windows event utility to look at the contents of the provider DLL (adding the /gm:true flag will display the message text):
wevtutil gp Microsoft-Windows-Kernel-General /ge:true
The output shows that Event ID 1 with an Event Task 5 has a Message ID = 16777217 (0x01000001).
Like you I can't find it documented anywhere, but it looks like Event Viewer maps the EventType member of the EVENTLOGRECORD structure to the Severity bits of the message table identifier. So for example, Service Control Manager event 7035 is of type "Information", which maps to Severity value 1, yielding a message ID of 0x40001B7B, which is indeed the text that Event Viewer displays from netevent.dll: The %1 service was successfully sent a %2 control.
Similarly, event 7000 is of type "Error", mapping to Severity 3 and a message ID of 0xC0001B58: The %1 service failed to start due to the following error: %n%2
Of course that doesn't quite fit with your example; are you sure you've got your 0s and 1s in the right place?
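The following is an added worked example, not code from either answer or from any Microsoft tool, that makes the bit arithmetic in the two answers explicit. It encodes and decodes the error/severity/facility/code layout of a message-table identifier (bits 31-30 severity, bit 29 customer flag, bit 28 reserved, bits 27-16 facility, bits 15-0 code), applies the EventType-to-Severity rule from the second answer to events 7035 and 7000, and decodes the 0x01000001 identifier from the question to show that it carries facility 0x100 with severity 0, which is exactly the case the EventType rule alone cannot produce. The EventType constants are the winnt.h values; the three message strings are the ones quoted on the page; the MESSAGE_TABLE dictionary and the %n/%1 substitution helper are constructed stand-ins for the real message resource and FormatMessage, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# EVENTLOGRECORD.EventType values (winnt.h).
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004

# Severity field of a message-table identifier (message compiler convention).
SEVERITY_SUCCESS, SEVERITY_INFORMATIONAL, SEVERITY_WARNING, SEVERITY_ERROR = 0, 1, 2, 3

# The rule the second answer infers from events 7035 and 7000; Warning is the
# message-compiler value between them. Audit types are deliberately left out.
EVENTTYPE_TO_SEVERITY = {
    EVENTLOG_INFORMATION_TYPE: SEVERITY_INFORMATIONAL,
    EVENTLOG_WARNING_TYPE: SEVERITY_WARNING,
    EVENTLOG_ERROR_TYPE: SEVERITY_ERROR,
}


@dataclass(frozen=True)
class MessageId:
    """Fields of a 32-bit message-table identifier."""
    severity: int   # bits 31-30
    customer: bool  # bit 29
    facility: int   # bits 27-16 (bit 28 is reserved and always 0 here)
    code: int       # bits 15-0, the event ID

    @property
    def value(self) -> int:
        return (((self.severity & 0x3) << 30)
                | (int(self.customer) << 29)
                | ((self.facility & 0xFFF) << 16)
                | (self.code & 0xFFFF))


def decode_message_id(value: int) -> MessageId:
    """Split a message-table identifier into its fields."""
    return MessageId(severity=(value >> 30) & 0x3,
                     customer=bool((value >> 29) & 1),
                     facility=(value >> 16) & 0xFFF,
                     code=value & 0xFFFF)


def message_id_for_record(event_id: int, event_type: int,
                          facility: int = 0, customer: bool = False) -> int:
    """Compose the identifier the viewer would look up for an EVENTLOGRECORD,
    using the EventType -> Severity rule from the second answer."""
    if event_type not in EVENTTYPE_TO_SEVERITY:
        raise ValueError(f"unsupported EventType 0x{event_type:04x}")
    severity = EVENTTYPE_TO_SEVERITY[event_type]
    return MessageId(severity, customer, facility, event_id & 0xFFFF).value


# Constructed stand-in for the message tables; the IDs and strings are the
# ones quoted on the page (netevent.dll for 7035/7000, advapi32.dll for 0x01000001).
MESSAGE_TABLE = {
    0x40001B7B: "The %1 service was successfully sent a %2 control.",
    0xC0001B58: "The %1 service failed to start due to the following error: %n%2",
    0x01000001: "The system time has changed to %1 from %2.",
}


def render(template: str, inserts: Sequence[str]) -> str:
    """Toy FormatMessage: %1, %2, ... take the insertion strings, %n is a
    newline and %% a literal percent sign. Missing inserts raise IndexError."""
    def substitute(match: "re.Match[str]") -> str:
        token = match.group(1)
        if token == "n":
            return "\n"
        if token == "%":
            return "%"
        return inserts[int(token) - 1]
    return re.sub(r"%(\d+|n|%)", substitute, template)


def lookup_and_render(event_id: int, event_type: int, inserts: Sequence[str],
                      facility: int = 0) -> Optional[str]:
    """Resolve a record to its message text, or None when the composed
    identifier is not in the table (the Kernel-General case)."""
    template = MESSAGE_TABLE.get(message_id_for_record(event_id, event_type, facility))
    return None if template is None else render(template, inserts)


if __name__ == "__main__":
    print(hex(message_id_for_record(7035, EVENTLOG_INFORMATION_TYPE)))  # 0x40001b7b
    print(hex(message_id_for_record(7000, EVENTLOG_ERROR_TYPE)))        # 0xc0001b58
    print(decode_message_id(0x01000001))  # severity 0, facility 0x100, code 1
    print(lookup_and_render(7035, EVENTLOG_INFORMATION_TYPE, ["Spooler", "stop"]))
    # The Kernel-General record (EventID 1, Information) does not resolve
    # through the EventType rule, whatever facility is tried, because the
    # stored identifier has severity 0.
    print(lookup_and_render(1, EVENTLOG_INFORMATION_TYPE, ["a", "b"], facility=0x100))
```

The decode of 0x01000001 is the useful check when you are unsure which scheme a provider uses: a non-zero facility with severity 0 is not something an EventType-derived identifier can carry, which is why the second answer says the example "doesn't quite fit" and the first answer points at the event template resource instead.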