Question
I am trying to use the ETW functions, without success, to read the file:
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
in order to capture boot-time events.
I have tried various functions -
- OpenTrace gives an error 161
- EvtQuery gives an error 15000
Does anyone have a native code example of reading system trace files?
Answer 1:
I got this working as follows -
#include <windows.h>
#include <winevt.h>
#pragma comment(lib, "wevtapi.lib")

LPCWSTR pwsPath = L"Microsoft-Windows-Diagnostics-Performance/Operational"; /* channel name, not the .evtx path */
LPCWSTR pwsQuery = L"Event/System[EventID=100]";
EVT_HANDLE hResults = EvtQuery(NULL, pwsPath, pwsQuery,
                               EvtQueryChannelPath | EvtQueryReverseDirection);
The channel name can be found by going to Properties on an event log and using its Full Name.
The error 15000 was due to me trying to open the log file with the given flags rather than the channel name.
Source: https://stackoverflow.com/questions/4194675/how-do-i-read-boot-time-events-on-windows-7