Displaying the User for an Event

The following example retrieves the name of the user for an event. It reads one event from the Application log, which is returned as an EVENTLOGRECORD structure, and displays the event identifier, source, and user of that record. For information about querying for more than one event, see Querying for Event Information. To get extended error information, call GetLastError.

#include <stdafx.h>
#include <windows.h>
#include <algorithm>
#include <iostream>

#define BUFFER_SIZE 512

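// Prints the account that the SID embedded in an event record resolves to.
//
// pevlr must point to a record whose Length has already been checked
// against the number of bytes actually read. The SID offset and length
// are data taken from the log, so they are validated against the record
// before the SID is dereferenced; a record may legitimately carry no SID
// at all (UserSidLength == 0), in which case UserSidOffset is meaningless.
static void PrintEventUser(EVENTLOGRECORD *pevlr)
{
    if (pevlr->UserSidLength == 0)
    {
        std::wcout << L" User: (none)" << std::endl;
        return;
    }

    // Written to avoid DWORD overflow in "offset + length".
    if (pevlr->UserSidOffset > pevlr->Length ||
        pevlr->UserSidLength > pevlr->Length - pevlr->UserSidOffset)
    {
        std::wcout << L" User: (malformed record: SID lies outside the record)"
                   << std::endl;
        return;
    }

    // Point to the SID.
    PSID lpSid = reinterpret_cast<BYTE *>(pevlr) + pevlr->UserSidOffset;

    // The SID header itself must be well formed, and the length it claims
    // must not exceed the bytes the record reserves for it.
    if (!IsValidSid(lpSid) || GetLengthSid(lpSid) > pevlr->UserSidLength)
    {
        std::wcout << L" User: (malformed record: invalid SID)" << std::endl;
        return;
    }

    WCHAR szName[256];
    WCHAR szDomain[256];
    SID_NAME_USE snu;
    // Buffer sizes are in characters, not bytes, for LookupAccountSidW.
    DWORD cchName = 256;
    DWORD cchDomain = 256;

    if (LookupAccountSidW(NULL, lpSid, szName, &cchName, szDomain,
                          &cchDomain, &snu))
    {
        std::wcout << L" User: " << szName << std::endl;
    }
    else
    {
        // Report the error status from LookupAccountSid (for example,
        // ERROR_NONE_MAPPED when the SID has no account on this computer).
        std::wcout << L" User: (unresolved SID, LookupAccountSid error "
                   << GetLastError() << L")" << std::endl;
    }
}

// Prints the event identifier, source name, and user of one record.
//
// pevlr points to a record whose header fits in the bytes read and whose
// Length does not exceed them (checked by the caller).
static void PrintEventRecord(EVENTLOGRECORD *pevlr)
{
    // The source name is a NUL-terminated UTF-16 string that immediately
    // follows the fixed-size header. It is always wide in the record, so
    // LPCWSTR is used rather than LPCTSTR, which would be narrow in a
    // non-UNICODE build and print as a pointer through wcout.
    LPCWSTR lpSourceName = reinterpret_cast<LPCWSTR>(
        reinterpret_cast<BYTE *>(pevlr) + sizeof(EVENTLOGRECORD));

    // Bound the scan for the terminator to the record so a record with a
    // missing NUL cannot run the read past the buffer.
    const size_t cchMax =
        (pevlr->Length - sizeof(EVENTLOGRECORD)) / sizeof(WCHAR);
    LPCWSTR lpEnd = std::find(lpSourceName, lpSourceName + cchMax, L'\0');

    // Print the event identifier and event source.
    std::wcout << L"Event ID: " << pevlr->EventID << std::endl;
    std::wcout << L" Event Source: ";
    std::wcout.write(lpSourceName,
                     static_cast<std::streamsize>(lpEnd - lpSourceName))
               << std::endl;

    PrintEventUser(pevlr);
}

// Entry point: reads the first record of the Application log and displays
// its identifier, source, and user. Errors are reported to wcout together
// with the GetLastError() code; argc and argv are not used.
void __cdecl wmain(int argc, LPWSTR *argv)
{
    // Name of the event log.
    const wchar_t *logName = L"Application";

    // EVENTLOGRECORD holds DWORD fields, so the raw buffer must be
    // DWORD-aligned before a record pointer is overlaid on it.
    alignas(DWORD) BYTE bBuffer[BUFFER_SIZE];
    DWORD dwRead = 0;
    DWORD dwNeeded = 0;

    // Open the event log on the local computer.
    HANDLE h = OpenEventLogW(NULL, logName);
    if (h == NULL)
    {
        std::wcout << L"Could not open the event log. Error "
                   << GetLastError() << std::endl;
        return;
    }

    // Initialize the event record buffer.
    EVENTLOGRECORD *pevlr = reinterpret_cast<EVENTLOGRECORD *>(bBuffer);

    // When the event log is opened, the position of the file pointer
    // is at the beginning of the log. Read the event log records
    // sequentially.
    BOOL ok = ReadEventLog(h,                 // Event log handle
        EVENTLOG_FORWARDS_READ |              // Reads forward
        EVENTLOG_SEQUENTIAL_READ,             // Sequential read
        0,                                    // Ignored for sequential read
        pevlr,                                // Pointer to buffer
        BUFFER_SIZE,                          // Size of buffer
        &dwRead,                              // Number of bytes read
        &dwNeeded);                           // Bytes in the next record

    if (!ok)
    {
        const DWORD err = GetLastError();
        if (err == ERROR_HANDLE_EOF)
        {
            std::wcout << L"The event log contains no records." << std::endl;
        }
        else if (err == ERROR_INSUFFICIENT_BUFFER)
        {
            // dwNeeded tells the caller how large a buffer the next record
            // requires; this sample uses a fixed buffer and simply reports it.
            std::wcout << L"The next record needs " << dwNeeded
                       << L" bytes; the buffer holds " << BUFFER_SIZE
                       << L"." << std::endl;
        }
        else
        {
            std::wcout << L"Could not read the event log. Error " << err
                       << std::endl;
        }
    }
    // The header must be complete and the record's own Length must fit in
    // what was read before any field past the header is trusted.
    else if (dwRead < sizeof(EVENTLOGRECORD) ||
             pevlr->Length < sizeof(EVENTLOGRECORD) ||
             pevlr->Length > dwRead)
    {
        std::wcout << L"Malformed event record (Length " << pevlr->Length
                   << L", bytes read " << dwRead << L")." << std::endl;
    }
    else
    {
        PrintEventRecord(pevlr);
    }

    // Close the event log.
    CloseEventLog(h);
}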
