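如何读取Windows系统事件日志(获得上次关机时间、本次开机时间等)根据开机事件的EventID为6005,关机事件的EventID为6006;来读出相应的时间。

(1) 读取事件日志

#include <string>
#include <stdio.h>
#include <time.h>
#include <windows.h>
using namespace std;

// Maps EVENTLOGRECORD::EventType to the label printed under "类型".
// Returns NULL for types this listing does not handle; the caller skips
// such records (the original `default: continue;` tried to do the same but
// never advanced the record index, which looped forever on an unknown type).
static const char *EventTypeLabel(WORD type)
{
    switch (type) {
    case EVENTLOG_SUCCESS:          return "成功";
    case EVENTLOG_ERROR_TYPE:       return "错误";
    case EVENTLOG_WARNING_TYPE:     return "警告";
    case EVENTLOG_INFORMATION_TYPE: return "信息";
    case EVENTLOG_AUDIT_SUCCESS:    return "审计成功";
    case EVENTLOG_AUDIT_FAILURE:    return "审计失败";
    default:                        return NULL;
    }
}

// Copies the NUL-terminated string at *pp without ever reading past `end`
// (the end of the current record), then advances *pp past the terminator,
// or to `end` when no terminator was found. Log records are written by other
// processes, so their embedded strings are treated as untrusted input and
// are never handed to strlen()/sprintf() unbounded.
static string TakeString(const char **pp, const char *end)
{
    const char *start = *pp;
    const char *cur = start;
    while (cur < end && *cur != '\0')
        ++cur;
    *pp = (cur < end) ? cur + 1 : end;
    return string(start, cur);
}

// Appends one record to Result in the listing's "key\tvalue\n" layout.
// rec points at a record whose Length has already been checked against the
// read buffer; recEnd is one past the record's last byte.
static void AppendRecord(const EVENTLOGRECORD *rec, const char *recEnd, string &Result)
{
    const char *typeLabel = EventTypeLabel(rec->EventType);
    if (typeLabel == NULL)
        return;                                  // unhandled type: skip it

    const char *base = (const char *)rec;
    char Buffer[256];

    // The low 16 bits of EventID are the event code (6005 = event log started,
    // 6006 = event log stopped); the high bits carry severity/facility flags.
    snprintf(Buffer, sizeof Buffer, "事件\t%u\n", (unsigned)(rec->EventID & 0xFFFF));
    Result += Buffer;
    snprintf(Buffer, sizeof Buffer, "类型\t%s\n", typeLabel);
    Result += Buffer;

    // TimeWritten is a 32-bit DWORD; copy it into a time_t instead of aliasing
    // it through a (long *) cast, which reads the wrong width on 64-bit builds.
    time_t written = (time_t)rec->TimeWritten;
    struct tm *ptm = localtime(&written);
    if (ptm != NULL) {
        snprintf(Buffer, sizeof Buffer, "时间\t%.4d-%.2d-%.2d %.2d:%.2d:%.2d\n",
                 ptm->tm_year + 1900, ptm->tm_mon + 1, ptm->tm_mday,
                 ptm->tm_hour, ptm->tm_min, ptm->tm_sec);
        Result += Buffer;
    }

    // SourceName[] and ComputerName[] follow the fixed header *of this record*
    // (the original indexed them from the start of the read buffer, so every
    // record after the first showed the first record's names).
    const char *p = base + sizeof(EVENTLOGRECORD);
    Result += "来源\t";
    Result += TakeString(&p, recEnd);
    Result += '\n';
    Result += "计算机\t";
    Result += TakeString(&p, recEnd);
    Result += '\n';

    // Resolve the user SID only when it lies inside the record.
    if (rec->UserSidLength > 0 &&
        rec->UserSidOffset <= rec->Length &&
        rec->UserSidLength <= rec->Length - rec->UserSidOffset) {
        char Name[64];
        char Domain[256];
        DWORD nameLen = sizeof Name;             // was sizeof(SID): too small for a name
        DWORD domainLen = sizeof Domain;
        SID_NAME_USE Type = SidTypeUser;
        PSID sid = (PSID)(base + rec->UserSidOffset);
        // Only emit the line when the lookup succeeded; the original appended
        // Buffer unconditionally, repeating the previous line on failure.
        if (LookupAccountSid(NULL, sid, Name, &nameLen, Domain, &domainLen, &Type)) {
            snprintf(Buffer, sizeof Buffer, "用户\t%s\n", Name);
            Result += Buffer;
        }
    }

    // Description strings: NumStrings NUL-terminated strings at StringOffset,
    // joined by single spaces.
    if (rec->DataOffset > rec->StringOffset && rec->StringOffset < rec->Length) {
        Result += "[描述]\n";
        p = base + rec->StringOffset;
        for (WORD j = 0; j < rec->NumStrings && p < recEnd; j++) {
            Result += TakeString(&p, recEnd);
            if (j < rec->NumStrings - 1)
                Result += ' ';
        }
        Result += '\n';
        // Result += "[数据]\n";
    }
    Result += '\n';
}

// Reads every record of the event log named Src (e.g. "System"), appends a
// textual rendering of each handled record to Result, and writes Result to
// pFile. Returns 0 on success, -1 if the log could not be opened or the
// output could not be written.
int ReadSystemEventLog(const char *Src, string &Result, FILE *pFile)
{
    if (pFile == NULL)
        return -1;

    char Data[4096];
    DWORD read_len = 0, next_len = 0;

    HANDLE Handle = OpenEventLog(NULL, Src);
    if (Handle == NULL)
        return -1;                               // nothing was opened, nothing to close

    // Sequential read: the record-offset argument (1) is ignored; each call
    // returns as many whole records as fit in Data. It returns FALSE at the
    // end of the log (ERROR_HANDLE_EOF) or when Data is too small for the
    // next record (next_len then says how much would be needed).
    while (ReadEventLog(Handle, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                        1, Data, sizeof Data, &read_len, &next_len)) {
        DWORD i = 0;
        while (i < read_len) {
            // Validate the record header before trusting its Length: a zero or
            // oversized Length would otherwise loop forever or walk off Data.
            if (read_len - i < sizeof(EVENTLOGRECORD))
                break;
            const EVENTLOGRECORD *rec = (const EVENTLOGRECORD *)(Data + i);
            if (rec->Length < sizeof(EVENTLOGRECORD) || rec->Length > read_len - i)
                break;
            AppendRecord(rec, Data + i + rec->Length, Result);
            i += rec->Length;
        }
    }

    int rc = 0;
    if (!Result.empty() && fwrite(Result.c_str(), Result.length(), 1, pFile) != 1)
        rc = -1;
    CloseEventLog(Handle);                       // event log handles are closed with CloseEventLog, not CloseHandle
    return rc;
}

// Dumps the System log to EventLog.txt in the working directory.
// Exit status is 0 on success, 1 on any failure (void main is non-standard).
int main()
{
    string result;
    FILE *pFile = fopen("EventLog.txt", "w");
    if (pFile == NULL)
        return 1;
    int rc = ReadSystemEventLog("System", result, pFile);   // read the System event log
    if (fclose(pFile) != 0)                                // fclose flushes; a failed flush loses output
        rc = -1;
    return rc == 0 ? 0 : 1;
}

(2) 读取事件日志

#include <stdio.h>
#include <windows.h>
#define BUFFER_SIZE 4096
void DisplayEntries( ) { FILE *pFile=fopen("log.txt","w"); char *tempBuf=new char[100]; memset(tempBuf,0,100); HANDLE h; EVENTLOGRECORD *pevlr; BYTE bBuffer[BUFFER_SIZE]; DWORD dwRead, dwNeeded, dwThisRecord; // Open the Application event log. h = OpenEventLog( NULL, // use local computer "System"); // source name if (h == NULL) { printf("Could not open the Application event log."); return ; } pevlr = (EVENTLOGRECORD *) &bBuffer; // Get the record number of the oldest event log record. GetOldestEventLogRecord(h, &dwThisRecord); // Opening the event log positions the file pointer for this handle at the beginning of the log. //Read the event log records sequentially until the last record has been read. while (ReadEventLog(h, // event log handle EVENTLOG_FORWARDS_READ | // reads forward EVENTLOG_SEQUENTIAL_READ, // sequential read 1, // ignored for sequential reads pevlr, // pointer to buffer BUFFER_SIZE, // size of buffer &dwRead, // number of bytes read &dwNeeded)) // bytes in next record { while (dwRead > 0) { // Print the record number, event identifier, type, and source name. 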
printf("%02d Event ID: 事件/t%u ", dwThisRecord++, (short)pevlr->EventID); sprintf(tempBuf,"%u/n",(DWORD)pevlr->EventID); fwrite(tempBuf,strlen(tempBuf),1,pFile); sprintf(tempBuf, "事件/t%u/n", (short)pevlr->EventID); //事件ID fwrite(tempBuf,strlen(tempBuf),1,pFile); printf("EventType: %d Source: %s/n", pevlr->EventType, (LPSTR) ((LPBYTE) pevlr + sizeof(EVENTLOGRECORD))); dwRead -= pevlr->Length; pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length); |