Reading the Windows Event Log without EventMessageFile

This article covers how to read the Windows Event Log when a source has no EventMessageFile; it should be useful to anyone facing the same problem.

Problem description

I have code that reads the Windows Event Log. It uses OpenEventLog, ReadEventLog and gets the event source and event ID. Then it looks up the source under the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

key, loads the appropriate DLL(s) according to what is listed in EventMessageFile and finally uses FormatMessage to merge the event strings with the message DLL content to get the final event message text. This is the recommended way, and although a bit of a pain, it works great.

Until... I go lookup the source and find it doesn't have an EventMessageFile, but rather a ProvideGuid entry. This seems to be the new way (they show up on Vista and Windows 2008). Uggh -- nothing to pass to FormatMessage for looking up the message text and merging in the data strings :(

Searching the registry for the guid does lead to references to other files (http.sys in the case of the HTTP source), but I can never get the complete message text. Do I have to use those EvtOpenSession APIs? I'm hoping not since I already have the EVENTLOGRECORD* from a call to ReadEventLog, and the fact that the software needs to run on Windows 2003 where EvtOpenSession isn't supported (only available on Vista and Windows 2008). NOTE: Some sources on Vista have ProviderGUID, and others have EventMessageFile, so the old method is still viable.

So what I'm after is a way to look at the ProviderGuid and get the DLL that needs to be passed to FormatMessage for displaying the complete event log message text.

Thanks for any input.

Recommended answer

The APIs that Richard links to are for the new style Eventing system (code-named Crimson, sometimes called Manifest Based Providers) introduced in Vista/Server 2K8. One of the artifacts of this new system is new APIs to consume these logs, another is the ProviderGuid key for certain EventSources that produce events using this new framework.

I think you should use the functions on Windows Vista and later to consume these logs; it should handle the work for you. You can use the EvtFormatMessage method to format the strings. I believe these APIs will also read the events produced by "Classic" providers.

If you're consuming these messages from a .NET app you can use types in the System.Diagnostics.Eventing.Reader namespace, introduced in .NET 3.5.
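As an added illustration of the answer above (example code, not from the question or the answer), the following C# program reads the newest events from a log through the System.Diagnostics.Eventing.Reader wrapper over the Vista+ API and lets EventRecord.FormatDescription() resolve the message text, so ProviderGuid (manifest) sources and EventMessageFile ("classic") sources are handled the same way. The log name, the 20-event limit and the fallback to raw insertion strings are assumptions of this example; it needs a C# 8 or later compiler for `using var`.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

static class EventLogDump
{
    // Added example: read the newest events from a log through the Vista+ API and
    // let EventRecord.FormatDescription() resolve the message text, which works
    // for ProviderGuid (manifest) sources as well as EventMessageFile ("classic") ones.
    static void Main(string[] args)
    {
        // Log name is an assumption for this example; default to Application.
        string logName = args.Length > 0 ? args[0] : "Application";
        var query = new EventLogQuery(logName, PathType.LogName, "*")
        {
            ReverseDirection = true   // newest events first
        };
        using var reader = new EventLogReader(query);

        EventRecord rec;
        int shown = 0;
        while (shown++ < 20 && (rec = reader.ReadEvent()) != null)
        {
            using (rec)
            {
                string text;
                try
                {
                    // Looks up the publisher metadata (manifest or message DLL) for us,
                    // so there is no need to walk the Eventlog registry key by hand.
                    text = rec.FormatDescription();
                }
                catch (EventLogException ex)
                {
                    // Publisher metadata or its message DLL is not available on this host.
                    Console.Error.WriteLine($"{rec.ProviderName}/{rec.Id}: {ex.Message}");
                    text = null;
                }
                // Without a template, fall back to the raw insertion strings, i.e. the
                // data FormatMessage would otherwise have merged into the message.
                if (string.IsNullOrEmpty(text))
                    text = "[no template] " + string.Join(" | ",
                        rec.Properties.Select(p => p.Value?.ToString()));
                Console.WriteLine($"{rec.TimeCreated:u} {rec.ProviderName} ({rec.ProviderId}) id={rec.Id}");
                Console.WriteLine("  " + text);
            }
        }
    }
}
```

Events whose provider metadata is missing on the reading host (a common situation when logs are examined on a different machine) still print their raw strings instead of being dropped.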

That concludes this article on how to read the Windows Event Log without EventMessageFile; we hope the recommended answer is helpful.

08-15 13:19