Morning All,
I have a piece of code which reads windows event log records, and gets
the description string by loading the message file and calling
FormatMessage. This all works fine, except when I occassionally come
across what appears to be a corrupt event log entry. I have only ever
seen these entries on customer PCs, so have not been able to examine
it in a debugger, but by looking in the event viewer and some
auditting from my code, I think I know what the problem is.
In the Event Viewer, when I click on the event to see the details, the
description string is mostly filled out, but the last 3 parts do not
have data in them, but have '%13', '%14' and '%15' as their values.
For the event in question (from the security event log), these should
be Transited Services, Source Network Address and Source Port. The
previous 12 bits of data are successfully filled in. Looking at the
auditting from my code, I can see that the event log record has
indicated that there are 12 strings, which I extract and put in an
array for passing to FormatMessage. Looking at the event log record,
there should normally be 15, which is presumably why the '%' entries
are still visible, there is not data to substitute.
When I call FormatMessage with this event log record and an array of
12 strings, it crashes. This is presumably because the message
description from the message file is looking for 15 strings, but there
are only 12 in my array.
Does anyone know if there is any way I can tell, in advance, how many
strings the message description is expecting? This would allow me to
size my array appropriately and hopefully avoid the crash.
Thanks for any thoughts, tips etc.
Al.
