Windows: ReportEvent function

Published 2024-10-25 16:53:54 · 352 words · 9 views · 0 comments


As far as I understand, the ReportEvent function requires Message Text Files associated through the registry to receive properly formatted messages. Are there any common Event IDs, or any simple way to report an event with no Message Text Files associated?

Or maybe, is there a special common Event Source which I can use in my application? Something like RegisterEventSource(NULL, "Application")?


Comments (3)

烟雨扶苏 2024-11-01 16:53:54


You don't have to register your messages in HKLM. (Which is a good thing, because you can't register messages if you're not an administrator).

But that doesn't stop you from writing events to the Windows Application event log. The only downside is that starting with Windows Vista you'll just get some ugly text along with it.

#include <windows.h>

// Writes one event with a single insertion string to the Application log.
// Returns S_OK on success, otherwise the HRESULT form of the Win32 error.
HRESULT LogToEventLog(LPCSTR Source, LPCSTR EventText, WORD EventType, DWORD EventID)
{
   /*
      EventType is one of:
         EVENTLOG_ERROR_TYPE       = 0x0001
         EVENTLOG_WARNING_TYPE     = 0x0002
         EVENTLOG_INFORMATION_TYPE = 0x0004
         EVENTLOG_AUDIT_SUCCESS    = 0x0008
         EVENTLOG_AUDIT_FAILURE    = 0x0010

      Source is your name for your app or feature, e.g.:
         "My Cool App"
         "Outlook"
         "ESENT"
         "Chrome"
   */

   HANDLE h = RegisterEventSourceA(NULL, Source); // NULL --> local computer
   if (h == NULL)
      return HRESULT_FROM_WIN32(GetLastError());

   LPCSTR ss[1] = { EventText };  // the single %1 insertion string
   HRESULT hr = S_OK;

   if (!ReportEventA(
         h,         // event log handle
         EventType, // event type
         0,         // category zero
         EventID,   // event identifier
         NULL,      // no user security identifier
         1,         // one substitution string
         0,         // no binary data
         ss,        // pointer to string array
         NULL       // pointer to data
   ))
   {
      hr = HRESULT_FROM_WIN32(GetLastError());
   }

   DeregisterEventSource(h); // always release the handle, success or failure
   return hr;
}

And so now you can log events to the Application event log:

LogToEventLog("Stackoverflow", "Question 5399066 was answered by Ian Boyd", 
      EVENTLOG_INFORMATION_TYPE, 0x45);

Steal someone else's registration

Unfortunately, starting with Windows Vista, Windows will give ugly complaints that you didn't register the event beforehand:

The description for Event ID 69 from source Stackoverflow cannot be
found. Either the component that raises this event is not installed on
your local computer or the installation is corrupted. You can install
or repair the component on the local computer.

If the event originated on another computer, the display information
had to be saved with the event.

The following information was included with the event:

Question 5399066 was answered by Ian Boyd

But you don't have to live with it. Just because you didn't register a message source file in HKLM doesn't mean nobody else did.

Notice, for example, a message from the Outlook source in the Event log:

  • Source: Outlook
  • EventID: 0x40000020
  • Event Data: D:\win32app\Exchange\Outlook2003.pst
  • Message: The store D:\win32app\Exchange\Outlook2003.pst has detected a catalog checkpoint.

You can check registration information for Outlook in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Outlook

And see:

MessageEventFile: REG_SZ = "D:\Programs\MICROS~4\Office14\1033\MAPIR.DLL"

If you peek into the resources of the MAPIR.dll binary, you'll see its Message Table:

1 MESSAGETABLE
{
0x12,       "Connection stats for server (%1).  Rpcs Attempted (%2), Rpcs Succeeded (%3), Rpcs Failed (%4), Rpcs Canceled (%5), Rpc UI shown (%6), Avg request time (%7) ms, Min request time (%8) ms, Max request time (%9) ms.\r\n"
0x14,       "Cancelable RPC started.\r\n"
0x15,       "Cancelable RPC shutdown.\r\n"
0x40000010,     "Cancelable RPC dialog shown for server (%1), total wait time was (%2) ms, result was (%3).\r\n"
0x40000011,     "User canceled request against server (%1) after waiting (%2) ms.\r\n"
0x40000013,     "Rpc call (%1) on transport (%2) to server (%3) failed with error code (%4) after waiting (%5) ms; eeInfo (%6).\r\n"
0x40000016,     "There was a problem reading one or more of your reminders. Some reminders may not appear.\r\n"
0x40000017,     "Unable to update public free/busy data.\r\n"
0x4000001A,     "%1\r\n"
0x4000001B,     "%1\r\n"
0x4000001D,     "The store %1 is being re-pushed to the indexer for the following reason: %2.\r\n"
0x4000001E,     "Starting reconciliation for the store %1 for the following reason: %2.\r\n"
0x4000001F,     "The store %1 has detected a catalog rebuild.\r\n"
0x40000020,     "The store %1 has detected a catalog checkpoint.\r\n"
...
}

You can see that event ID 0x40000020 is associated with a formatting string:

"The store %1 has detected a catalog checkpoint.\r\n"

You can hijack Outlook's registration:

LogToEventLog("Outlook", "Your mom", EVENTLOG_INFORMATION_TYPE, 0x40000020);

and you'll get your event added to the event log without all the ugly warnings:

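The answer above shows that ReportEvent accepts any source name and that Event Viewer renders the description from whatever DLL is registered for that name under HKLM, so an event written under a registered source such as Outlook looks like Outlook's own. The following PowerShell is an added example, not part of the original answer, for the defender's side of that: it lists recent Application-log events whose source has no registration key at all (the ones that produce the "description cannot be found" text) and resolves which message DLL a registered source uses. It assumes it runs on the machine that wrote the log; reading the Application log and the EventLog registry key needs no administrator rights.

```powershell
# Added example (not from the original answer). Surfaces Application-log events whose
# source is not registered under HKLM, and shows the message DLL behind a registered source.
$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'

# Every classic event source is a subkey of the log's key; its EventMessageFile value
# names the DLL(s) whose MESSAGETABLE resource supplies the %1..%n format strings.
$registered = @{}
Get-ChildItem -Path $logKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $registered[$_.PSChildName] = $props.EventMessageFile   # $null if the value is missing
}

function Get-UnregisteredSourceEvents {
    param([int]$MaxEvents = 2000)
    # Events from a source with no key cannot be rendered, which is what the answer's
    # 'Stackoverflow' example produces. Caveat: manifest-based providers register under
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers instead, so
    # confirm a hit with Get-WinEvent -ListProvider before treating it as suspicious.
    Get-WinEvent -LogName Application -MaxEvents $MaxEvents |
        Where-Object { -not $registered.ContainsKey($_.ProviderName) } |
        Select-Object TimeCreated, ProviderName, Id,
            @{ Name = 'Strings'; Expression = { ($_.Properties | ForEach-Object { $_.Value }) -join ' | ' } }
}

function Get-SourceMessageFile {
    param([Parameter(Mandatory)][string]$Source)
    if (-not $registered.ContainsKey($Source)) {
        return "$Source is not registered under $logKey"
    }
    # The value may list several DLLs separated by ';' and may use %SystemRoot%-style variables.
    ($registered[$Source] -split ';') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }
}

# An event written under a registered source (e.g. 'Outlook' via the answer's
# LogToEventLog call) does NOT appear in the first list: the record alone does not
# identify the writing process, so only unregistered sources stand out here.
Get-UnregisteredSourceEvents -MaxEvents 500 | Format-Table -AutoSize
Get-SourceMessageFile -Source 'Outlook'
```

On a machine without Outlook the second call reports the source as unregistered, which is the expected output rather than an error.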

瑾兮 2024-11-01 16:53:54


No, you just have to follow the rules and define your message text files, build them into resources, link them to your app etc.

The example provided at MSDN leads you through everything you need to do.

如此安好 2024-11-01 16:53:54


Try this out, it's worked for me before.

http://www.codeproject.com/KB/system/xeventlog.aspx
