Hi there

Are there any circumstances under which an EVENTLOGRECORD structure
filled in with ReadEventLog will contain too few strings to insert
into the template of the event it describes?

I'm debugging a C++ service that reads from the various event logs. It
works fine except for some instances of event 566 on Server 2003
Domain Controllers (SP1 and SP2). The template in MsAuditE.dll has
space for 16 insertions, however the NumStrings member of the
EVENTLOGRECORD structure I'm getting for these instances contains 15,
and there are indeed 15 strings starting at StringOffset. The non-
existant 16th string then crashes the service in a FormatMessage call
when that tries to merge it into the template.

All other members of the structure for these instances are valid so
I'm discounting memory trashing, and I'm assured the event logs on the
machines it crashes on aren't corrupt.

Any ideas what could be causing this anomaly?

Thanks,
Adrian