Below is some code to read the event records from the "Security" event log.
At the bottom is a link to an MS article describing how to 'decode' the Logon/Logoff event log records, which is even more complicated than reading the records. Since you made no mention of how you obtain the records, I have included the code for that here. If you cannot decode the EVENTLOGRECORD, let us know, and we will work on a separate function to do that.
There is no claim that this is 'optimal' code, but it will get the record-reading job done.
I generated a simple Win32 application in Visual Studio 6 and tested the code below...
#include "stdafx.h"
#include "stdlib.h"
#define EL_BUFF_SIZE 0x000FFFF
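int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow
)
{
    /*
     * Read every record of the local "Security" event log, sequentially and
     * forwards, and walk the EVENTLOGRECORDs packed into each buffer that
     * ReadEventLog() returns.
     *
     * The audit-failure / audit-success branches and the final count check are
     * intentionally left empty for the reader to fill in.
     *
     * Parameters: the standard WinMain arguments; none of them are used.
     * Returns:    0 always. A failed OpenEventLog() or malloc() simply skips
     *             the read; a mismatch between nNumberOfRecords and
     *             nRecordProcessed means the walk stopped early.
     */
    HANDLE hEventLog = OpenEventLog(NULL, "Security");
    DWORD nNumberOfRecords = 0;
    /* Declared here, not inside the read block: it is compared after that block closes. */
    DWORD nRecordProcessed = 0;

    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    if( hEventLog )
    {
        /* Current capacity of pBuffer; grows if a single record does not fit. */
        DWORD nBufferSize = EL_BUFF_SIZE;
        LPBYTE pBuffer = (LPBYTE)malloc( nBufferSize );

        if( pBuffer && GetNumberOfEventLogRecords(hEventLog, &nNumberOfRecords) &&
            (nNumberOfRecords > 0) )
        {
            for(;;)
            {
                DWORD nBytesRead = 0;
                DWORD nMinNumberOfBytesNeeded = 0;
                DWORD nSpaceUsed = 0;

                /* No memset before the read: only the nBytesRead bytes the API
                   filled are ever looked at, so clearing the buffer is wasted work. */
                if( !ReadEventLog(
                        hEventLog,
                        EVENTLOG_SEQUENTIAL_READ|EVENTLOG_FORWARDS_READ,
                        0,
                        pBuffer,
                        nBufferSize,
                        &nBytesRead,
                        &nMinNumberOfBytesNeeded ) )
                {
                    if( GetLastError() == ERROR_INSUFFICIENT_BUFFER &&
                        nMinNumberOfBytesNeeded > nBufferSize )
                    {
                        /* The next record alone is larger than the buffer. Grow to the
                           size the API asked for and retry; the sequential read cursor
                           has not advanced. realloc() goes through a temporary so the
                           original buffer is still freed if growing fails. */
                        LPBYTE pTmp = (LPBYTE)realloc( pBuffer, nMinNumberOfBytesNeeded );
                        if( !pTmp )
                        {
                            break;
                        }
                        pBuffer = pTmp;
                        nBufferSize = nMinNumberOfBytesNeeded;
                        continue;
                    }
                    /* ERROR_HANDLE_EOF (no more records) or a genuine failure. */
                    break;
                }
                if( nBytesRead == 0 )
                {
                    break;
                }

                /* Walk the records packed back to back in this buffer. Each
                   record's Length is validated before it is trusted: a Length of 0
                   would otherwise spin forever, and a Length past nBytesRead would
                   read beyond the data the API wrote. */
                while( nSpaceUsed < nBytesRead )
                {
                    EVENTLOGRECORD* pRecord;

                    if( nBytesRead - nSpaceUsed < sizeof(EVENTLOGRECORD) )
                    {
                        break;   /* not even a fixed header left */
                    }
                    /* Byte-pointer arithmetic, not (DWORD)pBuffer: that cast
                       truncates the pointer on 64-bit builds. */
                    pRecord = (EVENTLOGRECORD*)(pBuffer + nSpaceUsed);
                    if( pRecord->Length < sizeof(EVENTLOGRECORD) ||
                        pRecord->Length > nBytesRead - nSpaceUsed )
                    {
                        break;   /* malformed record; the count check below will show it */
                    }

                    if( EVENTLOG_AUDIT_FAILURE == pRecord->EventType )
                    {
                        /* handle a failed audit here */
                    }
                    else if( EVENTLOG_AUDIT_SUCCESS == pRecord->EventType )
                    {
                        /* handle a successful audit here */
                    }

                    nSpaceUsed += pRecord->Length;
                    nRecordProcessed++;
                }
            }
        }
        free( pBuffer );   /* free(NULL) is a no-op if malloc() failed */

        if( nNumberOfRecords == nRecordProcessed )
        {
            /* every record reported by GetNumberOfEventLogRecords() was walked */
        }
        CloseEventLog(hEventLog);
    }
    return 0;
}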
http://technet.microsoft.com/en-us/library/bb742436.aspx