I'm trying to read the Windows event log of the Hyper-V VMMS service from a C++ application. In the Windows Event Viewer, the log I'm interested in resides under Applications and Services Logs\Microsoft\Windows\Hyper-V-VMMS\Admin.
I've tried the example from MS "Querying for Event Information", passing "Application", "System" and "Microsoft-Windows-Hyper-V-VMMS-Admin" as the log name parameter to OpenEventLog, but in each case the subsequent calls to ReadEventLog didn't return the events I'm interested in.
Please explain how I can read those Hyper-V events. Thanks in advance :-)
UPD:
Target machine is Windows Server 2012 R2 Datacenter x64 with the Hyper-V role enabled.
Code that I use:
#include <windows.h>
#include <stdio.h>
#include <strsafe.h>
#include <clocale>
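// Buffer length, in WCHARs including the terminating NUL, for a
// "mm/dd/yyyy hh:mm:ss.mmm" string. Parenthesized so the macro is safe
// inside arithmetic expressions (the bare "23 + 1" was not).
#define MAX_TIMESTAMP_LEN (23 + 1)
// Initial size of the ReadEventLog buffer; it is grown when ReadEventLog
// reports ERROR_INSUFFICIENT_BUFFER.
#define MAX_RECORD_BUFFER_SIZE 0x10000 // 64K
DWORD DumpRecordsInBuffer(PBYTE pBuffer, DWORD dwBytesRead);
DWORD GetEventTypeName(DWORD EventType);
void GetTimestamp(const DWORD Time, WCHAR DisplayString[]);
// Display names indexed by the value GetEventTypeName() returns (0..4).
// Pointer-to-const so the string literals are not aliased as writable.
CONST LPCWSTR pEventTypeNames[] = {L"Error", L"Warning", L"Informational", L"Audit Success", L"Audit Failure"};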
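// Opens the log named by journalFileName, reads it from newest to oldest and
// hands every block of records to DumpRecordsInBuffer() for printing.
//
// OpenEventLog/ReadEventLog are the legacy (pre-Vista) event log API. They
// only reach the classic logs (Application, System, Security and custom logs
// registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog). Channels
// listed under "Applications and Services Logs", such as
// Microsoft-Windows-Hyper-V-VMMS/Admin, are not reachable through this API;
// they require the Windows Event Log API (winevt.h: EvtQuery/EvtNext/
// EvtRender). Note also that when the requested log does not exist,
// OpenEventLog does not fail but opens the Application log instead, so a
// non-NULL handle here is no evidence that the intended log is being read.
void wmain(void)
{
    HANDLE hEventLog = NULL;
    DWORD status = ERROR_SUCCESS;
    DWORD dwBytesToRead = 0;
    DWORD dwBytesRead = 0;
    DWORD dwMinimumBytesToRead = 0;
    PBYTE pBuffer = NULL;
    PBYTE pTemp = NULL;
    // Log name as the legacy API understands it: a classic or registered
    // custom log name, not an ETW channel path (see the note above).
    LPCWSTR journalFileName = L"Microsoft-Windows-Hyper-V-VMMS-Admin";
    setlocale( LC_ALL, "Russian" );
    hEventLog = OpenEventLog(NULL, journalFileName );
    if (NULL == hEventLog)
    {
        // GetLastError() returns a DWORD (unsigned long): %lx, not %x.
        wprintf(L"OpenEventLog failed with 0x%lx.\n", GetLastError());
        goto cleanup;
    }
    // Allocate an initial block of memory used to read event records. The number
    // of records read into the buffer will vary depending on the size of each event.
    // The size of each event will vary based on the size of the user-defined
    // data included with each event, the number and length of insertion
    // strings, and other data appended to the end of the event record.
    dwBytesToRead = MAX_RECORD_BUFFER_SIZE;
    pBuffer = (PBYTE)malloc(dwBytesToRead);
    if (NULL == pBuffer)
    {
        wprintf(L"Failed to allocate the initial memory for the record buffer.\n");
        goto cleanup;
    }
    // Clear the whole allocation; the original cleared dwMinimumBytesToRead
    // bytes, which is still 0 at this point.
    ZeroMemory( pBuffer, dwBytesToRead );
    getchar(); // debugging pause before the first read
    // Read blocks of records until you reach the end of the log or an
    // error occurs. The records are read from newest to oldest. If the buffer
    // is not big enough to hold a complete event record, reallocate the buffer.
    while (ERROR_SUCCESS == status)
    {
        if (!ReadEventLog(hEventLog,
                          EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                          0,
                          pBuffer,
                          dwBytesToRead,
                          &dwBytesRead,
                          &dwMinimumBytesToRead))
        {
            status = GetLastError();
            if (ERROR_INSUFFICIENT_BUFFER == status)
            {
                status = ERROR_SUCCESS;
                // realloc into a temporary so pBuffer stays valid, and is
                // freed at cleanup, if the reallocation fails.
                pTemp = (PBYTE)realloc(pBuffer, dwMinimumBytesToRead);
                if (NULL == pTemp)
                {
                    wprintf(L"Failed to reallocate the memory for the record buffer (%lu bytes).\n", dwMinimumBytesToRead);
                    goto cleanup;
                }
                ZeroMemory( pTemp, dwMinimumBytesToRead );
                pBuffer = pTemp;
                dwBytesToRead = dwMinimumBytesToRead;
            }
            else if (ERROR_HANDLE_EOF != status)
            {
                // ERROR_HANDLE_EOF just ends the loop; anything else is reported.
                wprintf(L"ReadEventLog failed with %lu.\n", status);
                goto cleanup;
            }
        }
        else
        {
            // Print the contents of each record in the buffer.
            DumpRecordsInBuffer(pBuffer, dwBytesRead);
        }
    }
cleanup:
    if (hEventLog)
        CloseEventLog(hEventLog);
    free(pBuffer); // free(NULL) is a no-op
    // Debugging convenience only: spawns cmd.exe to run its PAUSE command.
    system( "pause" );
}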
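// Walk the EVENTLOGRECORD entries packed into pBuffer and print the ones whose
// source (provider) name starts with the Hyper-V VMMS provider name.
//
// pBuffer      buffer filled by ReadEventLog(); records are contiguous, each
//              starting with an EVENTLOGRECORD header followed by the
//              NUL-terminated wide source name.
// dwBytesRead  number of valid bytes in pBuffer.
// Returns ERROR_SUCCESS. The walk stops early, without reporting an error,
// if a header is truncated, a Length field is inconsistent with the bytes
// left, or the source name is not terminated inside its record, so a bad
// Length can neither loop forever nor read past dwBytesRead.
DWORD DumpRecordsInBuffer(PBYTE pBuffer, DWORD dwBytesRead)
{
    // Provider whose records are printed. wcsncmp over its length makes this
    // a prefix match, so a provider named "...-VMMS-Something" would match too.
    static CONST WCHAR providerNameInterested[] = L"Microsoft-Windows-Hyper-V-VMMS";
    CONST size_t nameLen = wcslen( providerNameInterested );
    PBYTE pRecord = pBuffer;
    PBYTE pEndOfRecords = pBuffer + dwBytesRead;
    WCHAR TimeStamp[MAX_TIMESTAMP_LEN];
    while (pRecord < pEndOfRecords)
    {
        // Validate the header and its Length before reading anything else.
        if ((size_t)(pEndOfRecords - pRecord) < sizeof(EVENTLOGRECORD))
            break;
        PEVENTLOGRECORD pRec = (PEVENTLOGRECORD)pRecord;
        if (pRec->Length < sizeof(EVENTLOGRECORD) ||
            pRec->Length > (DWORD)(pEndOfRecords - pRecord))
            break;
        // The source name must be NUL-terminated within the record; otherwise
        // wcsstr/wcsncmp would scan beyond it.
        LPCWSTR provName = (LPCWSTR)(pRecord + sizeof(EVENTLOGRECORD));
        size_t maxNameChars = (pRec->Length - sizeof(EVENTLOGRECORD)) / sizeof(WCHAR);
        if (wcsnlen( provName, maxNameChars ) == maxNameChars)
            break;
        if (NULL != wcsstr( provName, L"Hyper-V" ))
        {
            // For debugging purposes: show every Hyper-V provider seen.
            wprintf( L"Provider: %ls\n", provName );
        }
        if (0 == wcsncmp( providerNameInterested, provName, nameLen ))
        {
            GetTimestamp(pRec->TimeGenerated, TimeStamp);
            wprintf(L"Time stamp: %ls\n", TimeStamp);
            wprintf(L"record number: %lu\n", pRec->RecordNumber);
            // Only the low 16 bits (the event code) are shown.
            wprintf(L"status code: %lu\n", pRec->EventID & 0xFFFF);
            wprintf(L"event type: %ls\n", pEventTypeNames[GetEventTypeName(pRec->EventType)]);
            wprintf(L"\n");
        }
        pRecord += pRec->Length;
    }
    return ERROR_SUCCESS;
}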
// Map an EVENTLOGRECORD EventType value onto an index into pEventTypeNames.
// Values not in the table map to 0 ("Error"), exactly as the switch did.
DWORD GetEventTypeName(DWORD EventType)
{
    static const struct { DWORD type; DWORD index; } kTypeToIndex[] = {
        { EVENTLOG_ERROR_TYPE,       0 },
        { EVENTLOG_WARNING_TYPE,     1 },
        { EVENTLOG_INFORMATION_TYPE, 2 },
        { EVENTLOG_AUDIT_SUCCESS,    3 },
        { EVENTLOG_AUDIT_FAILURE,    4 },
    };
    for (size_t i = 0; i < sizeof(kTypeToIndex) / sizeof(kTypeToIndex[0]); i++)
    {
        if (kTypeToIndex[i].type == EventType)
            return kTypeToIndex[i].index;
    }
    return 0;
}
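// Format an EVENTLOGRECORD time (seconds since 1970-01-01 UTC, as stored in
// TimeGenerated) as a local "M/D/YYYY hh:mm:ss" string.
//
// Time           seconds since the Unix epoch.
// DisplayString  receives the text; must hold at least MAX_TIMESTAMP_LEN
//                WCHARs. If either FILETIME conversion fails it receives a
//                placeholder rather than the contents of an uninitialised
//                SYSTEMTIME.
void GetTimestamp(const DWORD Time, WCHAR DisplayString[])
{
    // FILETIME ticks (100 ns) between 1601-01-01 and 1970-01-01.
    const ULONGLONG TICKS_1601_TO_1970 = 116444736000000000ULL;
    const ULONGLONG TICKS_PER_SECOND = 10000000ULL;
    SYSTEMTIME st;
    FILETIME ft, ftLocal;
    // Multiply in unsigned 64-bit arithmetic. Int32x32To64 treats Time as a
    // signed 32-bit value and produces a negative tick count once the seconds
    // exceed INT32_MAX (2038).
    ULONGLONG ullTimeStamp = (ULONGLONG)Time * TICKS_PER_SECOND + TICKS_1601_TO_1970;
    ft.dwHighDateTime = (DWORD)(ullTimeStamp >> 32);
    ft.dwLowDateTime = (DWORD)(ullTimeStamp & 0xFFFFFFFF);
    if (!FileTimeToLocalFileTime(&ft, &ftLocal) || !FileTimeToSystemTime(&ftLocal, &st))
    {
        StringCchCopy(DisplayString, MAX_TIMESTAMP_LEN, L"<invalid timestamp>");
        return;
    }
    StringCchPrintf(DisplayString, MAX_TIMESTAMP_LEN, L"%d/%d/%d %.2d:%.2d:%.2d",
                    st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond);
}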
I change the value of journalFileName on line 27 in the source, recompile, and run the exe on the target machine with Administrator privileges.
If journalFileName equals L"Microsoft-Windows-Hyper-V-VMMS-Admin" or L"Microsoft-Windows-Hyper-V-VMMS/Admin",
I get no output at all (only the pause command message).
If journalFileName equals L"Microsoft-Windows-Hyper-V-VMMS" or L"System",
I get the following output:
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 17:51:19
status code: 102 record number: 2164 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 17:51:19
status code: 102 record number: 2162 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:18
status code: 22 record number: 2077 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:12
status code: 24 record number: 2076 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:12
status code: 17 record number: 2075 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:12
status code: 5 record number: 2073 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:12
status code: 5 record number: 2072 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:12
status code: 7 record number: 2071 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/30/2018 16:58:08
status code: 9 record number: 2066 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/30/2018 16:57:55
status code: 1 record number: 2061 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:19
status code: 22 record number: 1856 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:13
status code: 24 record number: 1855 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:13
status code: 17 record number: 1854 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:13
status code: 5 record number: 1852 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:13
status code: 5 record number: 1851 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:13
status code: 7 record number: 1850 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/25/2018 12:34:11
status code: 9 record number: 1845 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/25/2018 12:34:01
status code: 1 record number: 1840 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:26
status code: 22 record number: 1721 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:20
status code: 24 record number: 1720 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:20
status code: 17 record number: 1719 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:20
status code: 5 record number: 1717 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:20
status code: 5 record number: 1716 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:20
status code: 7 record number: 1715 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 20:17:18
status code: 9 record number: 1710 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/24/2018 20:17:12
status code: 1 record number: 1705 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:59
status code: 22 record number: 1577 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:53
status code: 24 record number: 1576 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:53
status code: 17 record number: 1575 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:53
status code: 5 record number: 1573 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:53
status code: 5 record number: 1572 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:53
status code: 7 record number: 1571 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:47:52
status code: 9 record number: 1566 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/24/2018 19:47:45
status code: 1 record number: 1561 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:49
status code: 22 record number: 1419 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:43
status code: 24 record number: 1418 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:43
status code: 17 record number: 1417 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:42
status code: 5 record number: 1415 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:42
status code: 5 record number: 1414 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:42
status code: 7 record number: 1413 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:26:42
status code: 9 record number: 1408 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/24/2018 19:26:35
status code: 1 record number: 1403 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:16:14
status code: 22 record number: 1276 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:16:08
status code: 24 record number: 1275 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:16:08
status code: 17 record number: 1274 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:16:08
status code: 7 record number: 1272 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:16:08
status code: 5 record number: 1271 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:16:07
status code: 9 record number: 1266 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/24/2018 19:16:00
status code: 1 record number: 1261 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:24
status code: 22 record number: 1113 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:18
status code: 24 record number: 1110 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:18
status code: 17 record number: 1109 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:18
status code: 5 record number: 1107 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:18
status code: 5 record number: 1106 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:18
status code: 7 record number: 1105 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 7/24/2018 19:10:17
status code: 9 record number: 1100 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 7/24/2018 19:10:06
status code: 1 record number: 1096 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:21:04
status code: 22 record number: 965 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:20:58
status code: 24 record number: 964 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:20:58
status code: 17 record number: 963 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:20:58
status code: 7 record number: 961 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:20:58
status code: 5 record number: 960 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:20:57
status code: 9 record number: 955 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 5/31/2018 12:20:51
status code: 1 record number: 951 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:17:37
status code: 24 record number: 899 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:17:37
status code: 22 record number: 898 event type: Warning
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:13:00
status code: 23 record number: 823 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:13:00
status code: 24 record number: 822 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:13:00
status code: 21 record number: 821 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:13:00
status code: 17 record number: 820 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:13:00
status code: 7 record number: 817 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:13:00
status code: 5 record number: 816 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:12:59
status code: 9 record number: 811 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 5/31/2018 12:12:53
status code: 1 record number: 807 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:52
status code: 7 record number: 753 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:51
status code: 23 record number: 751 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:51
status code: 24 record number: 750 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:51
status code: 17 record number: 749 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:47
status code: 19 record number: 746 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:47
status code: 23 record number: 744 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:47
status code: 24 record number: 743 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:47
status code: 24 record number: 742 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:47
status code: 17 record number: 741 event type: Informational
Provider: Microsoft-Windows-Hyper-V-VmSwitch Time stamp: 5/31/2018 12:08:44
status code: 9 record number: 740 event type: Informational
Provider: Microsoft-Windows-Hyper-V-Hypervisor Time stamp: 5/31/2018 12:06:48
status code: 1 record number: 665 event type: Informational
Для продолжения нажмите любую клавишу . . .
These events are in the System journal; one of them is opened in Event Viewer in the screenshot:
But I need the events from another journal.