[Vista\Longhorn] getting error reading EventLog from Vista\Longhor

 
 
Manoj Chanchawat

 
      03-25-2008
Hey,

I am getting an error while reading the event log for a VISTA - LONGHORN machine. I
am reading the EventLog in something like this sequence:

::OpenEventLog()
::ReadEventLog() – I read this event log in a buffer size equivalent to
“EVENTLOGRECORD”.

I am able to read the name of the event and the Event IDs correctly. But I am
getting an error in reading the event Description. The method I am using is to
read the registry at the following location to get the path for the image file:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

When we read the description from this image file I am getting an error. Here is
one of the error messages, for one of the events generated for “Desktop Window
Manager”:

The description for Event ID ( 9009 ) in Source ( Desktop Window Manager )
could not be found. It contains the following insertion string(s): 0x40010004

Error Message: The specified resource type cannot be found in the image
file. (0x00000715)

Message Dll(s): \\<Machine Name>\C$\Windows\system32\dwm.exe


Can anybody tell me what’s going wrong? I am able to read the event log for
other OS machines.

 
Jon

 
      03-25-2008
As you've probably observed, it tells you that the description cannot be
found and then proceeds to give you the details of the description that
cannot be found in the self-same breath - albeit in a comma-delimited format.
No idea why it behaves like that, but you can get it in a better format via
WMI queries.

If you want to stick with the same approach, then you should still be able
to parse that to get the information you require.

--
Jon
 
Manoj Chanchawat

 
      03-25-2008
Hey Jon,

Thanks. But as you said, I am using the "format" command to parse the string.

::FormatMessage(
    FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER |
    FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_MAX_WIDTH_MASK,
    hLibrary,                                   // module loaded from the message file
    m_dwEventID,                                // message ID to look up
    MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
    (LPTSTR)&msgBuffer_out, 0,                  // buffer is allocated by the call
    (va_list*)aInsertStrs);                     // ignored while IGNORE_INSERTS is set


But it seems that the string itself is not coming from the image file. So I
guess there is no description parameter in the image file that we can read.
Am I right in my understanding?
Also, I have read in many places that there will be a new way to read the event log on
a Longhorn machine. Is this related to that?

please reply.

thanks,
Manoj
 
Darrell Gorter[MSFT]

 
      03-25-2008
Hello,
Unless the binary that contains the description is present, it will not be
available.
If you are reading the event log from one machine, say Windows Vista, with
the event log from a Windows Server 2008 machine, not all the binaries may
be present on the machine you are reading from, so the description cannot be
picked up from those binaries.
Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
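
Added example (not code from any poster in this thread): what a reader of the legacy record format recovers with and without the message text. It parses an EVENTLOGRECORD buffer of the kind ReadEventLog returns, bounds-checks the offsets, and expands %n inserts from a template dict that stands in for the message file. The host name HOST01, the high bits of the event ID and any template text are constructed, and only plain %1..%n placeholders are handled.

```python
import re
import struct
HEADER = struct.Struct("<6I4H6I")  # fixed 56-byte part of EVENTLOGRECORD
SIGNATURE = 0x654C664C             # "LfLe", stored in the Reserved field

def _wstr(buf, pos):
    """Read one NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string in record")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_record(buf):
    """Parse one record, validating length and offsets before using them."""
    f = HEADER.unpack_from(buf.ljust(HEADER.size, b"\0"))  # short input fails below
    length, sig, event_id, nstrings, str_off = f[0], f[1], f[5], f[7], f[11]
    if sig != SIGNATURE or not HEADER.size <= str_off <= length <= len(buf):
        raise ValueError("bad signature, length or string offset")
    rec = buf[:length]
    source, pos = _wstr(rec, HEADER.size)
    computer, _ = _wstr(rec, pos)
    inserts, pos = [], str_off
    for _ in range(nstrings):
        text, pos = _wstr(rec, pos)
        inserts.append(text)
    return {"source": source, "computer": computer, "event_id": event_id,
            "code": event_id & 0xFFFF, "inserts": inserts}

def render(rec, templates):
    """Expand %1..%n from a template dict (stand-in for a message table)."""
    tmpl = templates.get(rec["event_id"])
    if tmpl is None:  # no message text reachable: report the raw inserts
        return "Event %d (%s): no description; inserts: %s" % (
            rec["code"], rec["source"], ", ".join(rec["inserts"]))
    ins = rec["inserts"]
    return re.sub(r"%(\d+)", lambda m: ins[int(m.group(1)) - 1]
                  if 0 < int(m.group(1)) <= len(ins) else m.group(0), tmpl)

def build_sample():
    """Constructed record; source, ID 9009 and insert taken from the thread."""
    names = "Desktop Window Manager\0HOST01\0".encode("utf-16-le")
    strings = "0x40010004\0".encode("utf-16-le")
    str_off = HEADER.size + len(names)
    length = str_off + len(strings) + 6  # 2 pad bytes + trailing length DWORD
    head = HEADER.pack(length, SIGNATURE, 1, 0, 0, 0x40002331, 4, 1, 0, 0, 0,
                       str_off, 0, str_off, 0, length - 6)
    return head + names + strings + b"\0\0" + struct.pack("<I", length)
```
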
 
Manoj Chanchawat

 
      03-26-2008
Hey Darrell,

Thanks for the reply.
I have checked, and the binary is present there on the target machine. Also,
most of the binaries related to OS events are in the System32 folder.

Regards,
Manoj