
如何读取Windows系统事件日志(获得上次关机时间、本次开机时间等)


如何读取Windows系统事件日志(获得上次关机时间、本次开机时间等)

事件日志服务启动（即开机）时写入的 EventID 为 6005，正常关机时写入的 EventID 为 6006；程序据此从 System 日志中找出相应记录并读出其写入时间。注意两点：EVENTLOGRECORD 的 EventID 字段高 16 位带有标志位，比较 6005/6006 时只应看低 16 位（下面代码把它截成 16 位就是为此）；6006 只在正常关机时写入，异常断电不会留下这条记录，因此找不到 6006 并不代表机器没有关过机。
(1) 读取事件日志（完整解析：事件ID、类型、时间、来源、计算机、用户和描述，结果写入 EventLog.txt）
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <string>
#include <vector>
#include <windows.h>
using namespace std;
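// Appends the NUL-terminated string that starts at `p` to `out` without
// reading at or past `end`, and returns the position just after the
// terminator (or `end` when no terminator was found before it). Used for the
// variable-length strings inside an EVENTLOGRECORD, whose offsets, counts and
// terminators all come from the log data rather than from this program.
static const char *AppendBounded(string &out, const char *p, const char *end)
{
    if (p == NULL || p >= end)
        return end;
    const char *nul = (const char *)memchr(p, '\0', (size_t)(end - p));
    if (nul == NULL)
    {
        out.append(p, end);   // unterminated: take only what lies inside the record
        return end;
    }
    out.append(p, nul);
    return nul + 1;
}

// Label printed on the "类型" line for an EVENTLOGRECORD::EventType, or NULL
// for a type the original listing did not name (such records are skipped).
static const char *EventTypeLabel(WORD type)
{
    switch (type)
    {
    case EVENTLOG_SUCCESS:          return "成功";
    case EVENTLOG_ERROR_TYPE:       return "错误";
    case EVENTLOG_WARNING_TYPE:     return "警告";
    case EVENTLOG_INFORMATION_TYPE: return "信息";
    case EVENTLOG_AUDIT_SUCCESS:    return "审计成功";
    case EVENTLOG_AUDIT_FAILURE:    return "审计失败";
    default:                        return NULL;
    }
}

// Reads every record of the local event log named `Src` (e.g. "System"),
// appends a textual rendering of each record to `Result`, writes `Result`
// to `pFile` and returns 0. Returns -1, writing nothing, when the log cannot
// be opened.
//
// Per record the output is: event ID (low 16 bits only, the number compared
// against 6005/6006 above; the upper bits carry severity/facility flags),
// type, time written in local time, source, computer, user (only when the
// record carries a SID that resolves to an account name) and the description
// strings joined by single spaces.
//
// Every offset and length used to walk the records is supplied by the log
// data itself, so each one is checked against the bytes ReadEventLog actually
// returned before it is dereferenced; a malformed record ends the walk
// instead of reading past the buffer or looping forever (a record with
// Length == 0, or with an EventType outside the table above, previously did).
// Fixed-size fields go through snprintf; record strings are appended to the
// std::string directly so an overlong source/computer/user name cannot
// overflow the local buffer. The original "/n" and "/t" sequences were
// mangled backslash escapes and are restored to "\n" / "\t".
int ReadSystemEventLog(const char *Src, string &Result, FILE *pFile)
{
    HANDLE Handle = OpenEventLogA(NULL, Src);
    if (Handle == NULL)
        return -1;   // no handle was returned, so there is nothing to close

    // Same 4 KiB starting size as before, but grown on demand: ReadEventLog
    // fails with ERROR_INSUFFICIENT_BUFFER rather than truncating a record
    // that does not fit, which used to end the dump early and silently.
    std::vector<char> Data(4096);
    char Buffer[256];
    DWORD read_len = 0, next_len = 0;

    for (;;)
    {
        BOOL ok = ReadEventLogA(Handle,
                                EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                                1,   // record offset: ignored for sequential reads
                                &Data[0], (DWORD)Data.size(),
                                &read_len, &next_len);
        if (!ok)
        {
            if (GetLastError() == ERROR_INSUFFICIENT_BUFFER && next_len > Data.size())
            {
                Data.resize(next_len);
                continue;
            }
            break;   // ERROR_HANDLE_EOF (all records read) or a real failure
        }
        if (read_len > Data.size())
            break;   // should not happen; do not trust it if it does

        DWORD i = 0;
        while (i < read_len)
        {
            if (read_len - i < sizeof(EVENTLOGRECORD))
                break;   // not even a full fixed header left
            const char *const rec = &Data[0] + i;
            const EVENTLOGRECORD *ptr = (const EVENTLOGRECORD *)rec;
            if (ptr->Length < sizeof(EVENTLOGRECORD) || ptr->Length > read_len - i)
                break;   // record shorter than its header, or extends past the buffer
            const char *const rec_end = rec + ptr->Length;

            const char *label = EventTypeLabel(ptr->EventType);
            if (label == NULL)
            {
                i += ptr->Length;   // unlisted type: skip it, but still advance
                continue;
            }

            snprintf(Buffer, sizeof(Buffer), "事件\t%u\n", (unsigned)(ptr->EventID & 0xFFFF));
            Result += Buffer;
            Result += "类型\t";
            Result += label;
            Result += '\n';

            // TimeWritten is seconds since 1970-01-01 UTC; widen it to time_t
            // instead of aliasing the DWORD as a long (wrong size on 64-bit).
            time_t when = (time_t)ptr->TimeWritten;
            const tm *ptm = localtime(&when);
            if (ptm != NULL)
            {
                snprintf(Buffer, sizeof(Buffer), "时间\t%04d-%02d-%02d %02d:%02d:%02d\n",
                         ptm->tm_year + 1900, ptm->tm_mon + 1, ptm->tm_mday,
                         ptm->tm_hour, ptm->tm_min, ptm->tm_sec);
                Result += Buffer;
            }

            // SourceName and ComputerName follow the fixed header of *this*
            // record (the original indexed from the start of the buffer, so
            // every record after the first reported the first record's names).
            const char *pchar = rec + sizeof(EVENTLOGRECORD);
            Result += "来源\t";
            pchar = AppendBounded(Result, pchar, rec_end);
            Result += '\n';
            Result += "计算机\t";
            AppendBounded(Result, pchar, rec_end);
            Result += '\n';

            // The SID, when present, lives at UserSidOffset inside the record;
            // make sure the claimed span is inside the record before Windows
            // parses it.
            if (ptr->UserSidLength >= 8 &&   // revision, count and authority at minimum
                ptr->UserSidOffset >= sizeof(EVENTLOGRECORD) &&
                ptr->UserSidOffset <= ptr->Length &&
                ptr->UserSidLength <= ptr->Length - ptr->UserSidOffset)
            {
                PSID sid = (PSID)(rec + ptr->UserSidOffset);
                char Name[256], Domain[256];
                DWORD NameLen = sizeof(Name), DomainLen = sizeof(Domain);
                SID_NAME_USE Type = SidTypeUser;
                // Only append when the lookup succeeds; previously a failed
                // lookup re-appended whatever Buffer still held (the time line).
                if (IsValidSid(sid) && GetLengthSid(sid) <= ptr->UserSidLength &&
                    LookupAccountSidA(NULL, sid, Name, &NameLen, Domain, &DomainLen, &Type))
                {
                    Result += "用户\t";
                    Result += Name;
                    Result += '\n';
                }
            }

            // Description: NumStrings NUL-terminated strings starting at
            // StringOffset, normally followed by the binary data at DataOffset;
            // both bounds are clamped to the record.
            if (ptr->NumStrings > 0 &&
                ptr->StringOffset >= sizeof(EVENTLOGRECORD) &&
                ptr->StringOffset < ptr->Length)
            {
                const char *str_end = rec_end;
                if (ptr->DataOffset > ptr->StringOffset && ptr->DataOffset <= ptr->Length)
                    str_end = rec + ptr->DataOffset;
                Result += "[描述]\n";
                const char *s = rec + ptr->StringOffset;
                for (WORD j = 0; j < ptr->NumStrings && s < str_end; j++)
                {
                    if (j > 0)
                        Result += ' ';
                    s = AppendBounded(Result, s, str_end);
                }
                Result += '\n';
            }

            Result += '\n';
            i += ptr->Length;
        }
    }

    if (!Result.empty())
        fwrite(Result.c_str(), Result.length(), 1, pFile);
    CloseEventLog(Handle);
    return 0;
}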
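// Entry point: dumps the local "System" event log into EventLog.txt in the
// current directory. Exit status is 0 on success and 1 when the output file
// cannot be created or the log cannot be opened (`void main` is not valid
// C++; the return code is what a script calling this tool can check).
int main()
{
    string result;
    FILE *pFile = fopen("EventLog.txt", "w");
    if (pFile == NULL)
        return 1;
    int rc = ReadSystemEventLog("System", result, pFile);   // read the System log
    fclose(pFile);
    return rc == 0 ? 0 : 1;
}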
(2) 读取事件日志（精简版：只输出记录号、事件ID、类型和来源，事件ID 另写入 log.txt）
#include <stdio.h>
#include <windows.h>
#define BUFFER_SIZE 4096
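// Walks the local "System" event log from its oldest record forward. For each
// record it prints the running record number, event ID, type and source name
// to stdout, and writes the event ID to log.txt twice (the full 32-bit value,
// then the low 16 bits), matching the two lines the original emitted.
//
// Every record offset is validated against the bytes ReadEventLog actually
// returned before it is used: a record with Length == 0, or a Length larger
// than what is left in the buffer, stops the walk instead of spinning or
// reading past the buffer. The source name is printed with an explicit
// maximum because its terminator comes from the record, not from us. The
// original "/n" sequences were mangled backslash escapes and are restored.
void DisplayEntries()
{
    FILE *pFile = fopen("log.txt", "w");
    if (pFile == NULL)
    {
        printf("Could not open log.txt for writing.\n");
        return;
    }

    HANDLE h = OpenEventLogA(NULL, "System");   // local computer, "System" log
    if (h == NULL)
    {
        // The original message said "Application" although "System" is opened.
        printf("Could not open the System event log (error %lu).\n",
               (unsigned long)GetLastError());
        fclose(pFile);
        return;
    }

    // Record number of the oldest record, used only as the counter printed
    // with each entry; if the call fails the counter simply starts at 0.
    DWORD dwThisRecord = 0;
    if (!GetOldestEventLogRecord(h, &dwThisRecord))
        dwThisRecord = 0;

    // Heap buffer (freed below) rather than a fixed stack array so it can grow
    // when ReadEventLog reports ERROR_INSUFFICIENT_BUFFER for a large record.
    DWORD cap = BUFFER_SIZE;
    BYTE *buf = new BYTE[cap];
    DWORD dwRead = 0, dwNeeded = 0;
    char tempBuf[100];

    for (;;)
    {
        if (!ReadEventLogA(h,
                           EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                           1,        // ignored for sequential reads
                           buf, cap, &dwRead, &dwNeeded))
        {
            if (GetLastError() == ERROR_INSUFFICIENT_BUFFER && dwNeeded > cap)
            {
                delete[] buf;
                cap = dwNeeded;
                buf = new BYTE[cap];
                continue;
            }
            break;   // ERROR_HANDLE_EOF: no more records (or a real failure)
        }
        if (dwRead > cap)
            break;

        DWORD pos = 0;
        while (pos < dwRead)
        {
            if (dwRead - pos < sizeof(EVENTLOGRECORD))
                break;   // not even a full fixed header left
            const EVENTLOGRECORD *pevlr = (const EVENTLOGRECORD *)(buf + pos);
            if (pevlr->Length < sizeof(EVENTLOGRECORD) || pevlr->Length > dwRead - pos)
                break;   // malformed length: stop rather than walk off the buffer

            // Low 16 bits of EventID are the event number (e.g. 6005/6006);
            // the upper bits carry severity/facility flags.
            unsigned eventNo = (unsigned)(pevlr->EventID & 0xFFFF);
            printf("%02lu Event ID: 事件\t%u ", (unsigned long)dwThisRecord++, eventNo);
            snprintf(tempBuf, sizeof(tempBuf), "%lu\n", (unsigned long)pevlr->EventID);
            fputs(tempBuf, pFile);
            snprintf(tempBuf, sizeof(tempBuf), "事件\t%u\n", eventNo);
            fputs(tempBuf, pFile);

            // SourceName immediately follows the fixed header; never print
            // beyond the end of this record.
            const char *src = (const char *)pevlr + sizeof(EVENTLOGRECORD);
            int srcMax = (int)(pevlr->Length - sizeof(EVENTLOGRECORD));
            printf("EventType: %d Source: %.*s\n", pevlr->EventType, srcMax, src);

            pos += pevlr->Length;
        }
    }

    delete[] buf;
    CloseEventLog(h);
    fclose(pFile);
}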
// Entry point: dump the System event log (see DisplayEntries) and exit 0.
int main(void)
{
    DisplayEntries();
    return 0;
}