Log Mechanism in Windows

Source: Internet
Author: User


For logging, most people probably start with the same idea I did: write a function that opens a file and appends the event information to it, then call that function wherever a log entry needs to be recorded.

However, there are many issues to consider at that point: how the file name is defined; whether to create a new file for every entry or write everything into one file; what happens when several threads write to the same file at the same time; what to do when the log file grows too large and whether old records are deleted; and how the log is read back, including retrieval functions and security issues. So do not underestimate a log mechanism just because it only plays an auxiliary role. There is no need to worry, though: Windows has already defined a mature log architecture for us.

The Event Logging mechanism, supported since NT 3.5, predates the CLFS (Common Log File System) mechanism introduced in Windows Vista. Most of its functions start with Elf (short for Event Log File).

Windows XP defines three types of logs: Application, Security, and System. Their file names are AppEvent.evt, SecEvent.evt and SysEvent.evt, and they are stored together with the registry hive files and configuration information in the %SystemRoot%\SYSTEM32\CONFIG directory.

Windows Vista adds log categories such as HardwareEvents and DFS Replication, and creates a separate directory for all log files, %SystemRoot%\SYSTEM32\winevt\Logs; the log file extension also changes from .EVT to .EVTX.

Log configuration information is stored in the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog


The following describes the APIs used to generate Windows logs and the steps for using them:

1. Register the event source in the registry. Event sources are registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application. To register your own event source, add a new key there and add two more values under it. Let's look at an example: the event source of Outlook.

It contains three values. EventMessageFile specifies the location and name of the event source's message file. Message files serve as templates for formatting log events and other messages, similar to string resources and dialog resources: the Event ID described later is used to look up the corresponding display text, and the template supplies that text. TypesSupported indicates the event types the source supports, such as EVENTLOG_ERROR_TYPE (0x0001) and EVENTLOG_WARNING_TYPE (0x0002). Version indicates the version of the event source. The message file can be any valid PE file, such as a DLL or EXE; how to write a message file is not covered here. For this example, the path of the application itself can be used.

2. Call the RegisterEventSource API to obtain a handle to the event source. Its prototype is:

HANDLE RegisterEventSource(LPCTSTR lpUNCServerName, LPCTSTR lpSourceName);

Here lpUNCServerName is the machine name; pass NULL to operate on the local machine. lpSourceName is the name of the event source, i.e. the key name created above. If the event source name cannot be found in the registry, the Application event source under the Application log is used by default.

3. Call the ReportEvent API to write the log entry. Its prototype:

BOOL ReportEvent(HANDLE hEventLog, WORD wType, WORD wCategory, DWORD dwEventID, PSID lpUserSid, WORD wNumStrings, DWORD dwDataSize, LPCTSTR *lpStrings, LPVOID lpRawData);

The first parameter, hEventLog, is the event source handle obtained from RegisterEventSource. The second, wType, specifies the event type and takes one of the EVENTLOG_* constants, such as EVENTLOG_SUCCESS or EVENTLOG_AUDIT_FAILURE. The third, wCategory, specifies the category number of the event within the event source; the classification scheme is defined by the application. The fourth, dwEventID, specifies the event ID, which is used to locate the message in the message file, so IDs are also defined by the application. The fifth, lpUserSid, specifies the user's security ID and may be NULL. The sixth, wNumStrings, gives the number of string pointers in the array pointed to by the eighth parameter, lpStrings; these strings are what appears in the Event Description field, as shown in the figure:

The seventh parameter, dwDataSize, specifies the length of the raw data buffer pointed to by the ninth parameter, lpRawData. If there is no raw data, set dwDataSize to 0 and lpRawData to NULL.

With these three steps you can write a log record. Let's look at the code.

First, the code that registers the event source:

#include <windows.h>
#include <tchar.h>
#include <atlstr.h>   // CString

// OutMsg is the author's own debug-output helper, not a Win32 API.
BOOL AddEventSource(CString csName, DWORD dwCategoryCount)
{
    HKEY  hRegKey = NULL;
    DWORD dwError = 0;
    TCHAR szPath[MAX_PATH];

    _stprintf(szPath, _T("SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application\\%s"), (LPCTSTR)csName);

    // Create the event source registry key
    dwError = RegCreateKey(HKEY_LOCAL_MACHINE, szPath, &hRegKey);
    if (dwError != 0)
    {
        // RegCreateKey returns the error code directly; GetLastError() is not set by it
        OutMsg("RegCreateKey failed for %d", dwError);
        return FALSE;   // E_FAIL is non-zero and would read as TRUE in a BOOL
    }

    // Name of the PE module that contains the message resource
    GetModuleFileName(NULL, szPath, MAX_PATH);

    // Register EventMessageFile
    dwError = RegSetValueEx(hRegKey, _T("EventMessageFile"), 0, REG_EXPAND_SZ, (PBYTE)szPath, (DWORD)((_tcslen(szPath) + 1) * sizeof(TCHAR)));
    if (dwError == 0)
    {
        // Register supported event types
        DWORD dwTypes = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE;
        dwError = RegSetValueEx(hRegKey, _T("TypesSupported"), 0, REG_DWORD, (LPBYTE)&dwTypes, sizeof dwTypes);

        // If we want to support event categories, we also have to register the CategoryMessageFile
        // and set CategoryCount. Note that categories need to have the message IDs 1 to CategoryCount!
        if (dwError == 0 && dwCategoryCount > 0)
        {
            dwError = RegSetValueEx(hRegKey, _T("CategoryMessageFile"), 0, REG_EXPAND_SZ, (PBYTE)szPath, (DWORD)((_tcslen(szPath) + 1) * sizeof(TCHAR)));
            if (dwError == 0)
                dwError = RegSetValueEx(hRegKey, _T("CategoryCount"), 0, REG_DWORD, (PBYTE)&dwCategoryCount, sizeof dwCategoryCount);
        }
    }

    RegCloseKey(hRegKey);

    return dwError == 0;   // report a failed RegSetValueEx to the caller instead of always TRUE
}

From Software Debugging


Next is the process of writing a record:

LPCTSTR ppszArgs[] = { _T("I make a trick !!!!!!! ") };   // insertion string to be displayed

HANDLE hLog = ::RegisterEventSource(NULL, _T("MyEventSource"));   // the event source registered above

BOOL bRet = ReportEvent(hLog, EVENTLOG_INFORMATION_TYPE,
                        0, 1024, NULL, 1, 0, ppszArgs, NULL);   // write the record: category 0, event ID 1024, one string, no raw data

::DeregisterEventSource(hLog);   // release the handle once the record is written


In addition to the record-writing function, there are other APIs that implement more features, as shown in the following figure of other APIs:
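Reading entries back is the other half of this API, and it is where a defender's tooling sits: ReadEventLog returns a buffer of EVENTLOGRECORD structures from which the dwEventID, wType, wCategory and lpStrings passed to ReportEvent above can be recovered. The following is an added example, not code from the original post; it builds such a record in memory (so it runs without Windows) and decodes it, assuming UTF-16LE strings with ASCII content, no user SID and no raw data.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Constructed example (not from the original post): EVENTLOGRECORD is the layout ReadEventLog
// returns; assumed here: UTF-16LE strings with ASCII content, no user SID, no raw data.
struct ParsedRecord {
    uint32_t recordNumber = 0, eventId = 0;
    uint16_t eventType = 0, numStrings = 0, category = 0;
    std::string source, computer; std::vector<std::string> strings;   // strings = the lpStrings given to ReportEvent
};
static void put32(std::vector<uint8_t>& b, uint32_t v) { for (int i = 0; i < 4; ++i) b.push_back((v >> (8 * i)) & 0xff); }
static void put16(std::vector<uint8_t>& b, uint16_t v) { b.push_back(v & 0xff); b.push_back(v >> 8); }
static void putW(std::vector<uint8_t>& b, const std::string& s) { for (char c : s) put16(b, (uint8_t)c); put16(b, 0); }
static uint32_t get32(const uint8_t* p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t get16(const uint8_t* p) { return p[0] | p[1] << 8; }

// Lay a record out as the Event Log service does: 56-byte fixed header, SourceName,
// Computername, DWORD-aligned insertion strings, and Length repeated as a trailer.
std::vector<uint8_t> buildRecord(uint32_t recNo, uint32_t eventId, uint16_t type, uint16_t cat,
        const std::string& src, const std::string& pc, const std::vector<std::string>& strs) {
    std::vector<uint8_t> body, rec;                  // body = bytes after the fixed header
    putW(body, src); putW(body, pc);
    while (body.size() % 4) body.push_back(0);
    uint32_t strOff = 56 + body.size();
    for (const auto& s : strs) putW(body, s);
    while (body.size() % 4) body.push_back(0);
    uint32_t len = 56 + body.size() + 4;
    put32(rec, len); put32(rec, 0x654c664c); put32(rec, recNo);              // Length, 'LfLe' magic, RecordNumber
    put32(rec, 0); put32(rec, 0); put32(rec, eventId);                       // TimeGenerated, TimeWritten, EventID
    put16(rec, type); put16(rec, (uint16_t)strs.size()); put16(rec, cat); put16(rec, 0);  // EventType, NumStrings, EventCategory, ReservedFlags
    put32(rec, 0); put32(rec, strOff); put32(rec, 0); put32(rec, strOff);    // ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset
    put32(rec, 0); put32(rec, 56 + body.size());                             // DataLength, DataOffset
    rec.insert(rec.end(), body.begin(), body.end());
    put32(rec, len);
    return rec;
}

// Decode a record; false on a bad magic, a Length that disagrees with the buffer, or a
// StringOffset outside it (the checks a reader must make before trusting offsets read from disk).
bool parseRecord(const std::vector<uint8_t>& rec, ParsedRecord& out) {
    if (rec.size() < 60 || get32(&rec[4]) != 0x654c664c || get32(&rec[0]) != rec.size()) return false;
    out.recordNumber = get32(&rec[8]);  out.eventId = get32(&rec[20]);  out.eventType = get16(&rec[24]);
    out.numStrings = get16(&rec[26]);   out.category = get16(&rec[28]);
    size_t pos = 56, strOff = get32(&rec[36]); if (strOff > rec.size()) return false;
    auto readW = [&](size_t& p) { std::string s;     // UTF-16LE string; keep the low bytes
        for (; p + 1 < rec.size() && (rec[p] | rec[p + 1]); p += 2) s += (char)rec[p];
        p += 2; return s; };
    out.source = readW(pos); out.computer = readW(pos); pos = strOff;
    for (uint16_t i = 0; i < out.numStrings && pos + 1 < rec.size(); ++i) out.strings.push_back(readW(pos));
    return true;
}
```

The same checks (magic, Length, offsets inside the buffer) apply when walking a .evt file on disk, where a damaged or tampered record must not be trusted.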
