Eventlog Syntax issue

Dec 2, 2008
212
2
Canada
I am using version 13.04:

The command "EVENTLOG" shows the following syntax in the manual:

EVENTLOG [S"source" /Cn /E /I /W] message

This syntax works, but when using the /= option the following syntax is generated:

EVENTLOG [/S"source" /Cn /E /I /W] message

and this doesn't work.

Craig Gunhouse
 
May 20, 2008
9,859
69
Syracuse, NY, USA
From the command line,
Code:
eventlog /s"testsource" /c7 /i foo
(as expected) gives an event with source "testsource" and message "foo". This
Code:
eventlog s"testsource" /c7 /i foo
gives an event with source "TCC.EXE" and message "s"testsource" /c7 /i foo" (that would also seem to be as expected).
The problem with the /= dialog is that it doesn't put the "/Ssource" first, where the help says it must be, even if it's the first thing you enter in the dialog. It puts the category first. Below, I entered the source before I entered the category, and recalled the command after it failed.
Code:
v:\> eventlog /=
TCC: (Sys) The parameter is incorrect.
"Stestsource4"
Usage : EVENTLOG [/Ssource] [/Cn /EIW] message
 
v:\> EVENTLOG /C666 /Stestsource4 foo
 
May 20, 2008
9,859
69
Syracuse, NY, USA
And the error message I get when I use EVENTLOG not elevated is odd:
Code:
v:\> eventlog /s"testsource" /c666 /i foo
TCC: (Sys) The operation completed successfully.
 
And I don't understand why EVENTLOG should fail at all for me, an admin, not elevated, under UAC. Under those circumstances, this feeble attempt results in an event log entry (with the expected "source cannot be found" caveat).
Code:
    HANDLE hEventLog = OpenEventLog(NULL, L"Application");
    if ( hEventLog == NULL )
        Error(L"OpenEventLog()", GetLastError());
    HANDLE hEventSource = RegisterEventSource(NULL, L"NoExist");
    if ( hEventSource == NULL )
        Error(L"RegisterEventSource()", GetLastError());
    LPCWSTR szMessage = L"foo";
    if ( !ReportEvent(hEventSource, EVENTLOG_SUCCESS, 888, 666, NULL, 1, 0, &szMessage, NULL) )
        Error(L"ReportEvent()", GetLastError());
 

rconn

Administrator
Staff member
May 14, 2008
11,423
108
And I don't understand why EVENTLOG should fail at all for me, an admin, not elevated, under UAC. Under those circumstances, this feeble attempt results in an event log entry (with the expected "source cannot be found" caveat).
You're not creating the event source (in the HKLM registry tree), which is where the elevation is required.
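
The registration step described in the reply above, as an added PowerShell example that is not part of the original thread and is not TCC's own code. 'Application' and 'NoExist' are taken from the C snippet in the thread; the function name is hypothetical.

```powershell
# Added example: reports whether an event source is registered, and creates it
# only when the current process is elevated.
function Test-EventSourceRegistration {
    param(
        [string]$LogName = 'Application',   # log name used in the thread's snippet
        [string]$Source  = 'NoExist'        # source name used in the thread's snippet
    )

    # An event source is a registry subkey of the log it belongs to, under HKLM.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"

    # Under UAC, an administrator's filtered token returns $false here
    # until the process is started elevated.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    if (Test-Path -LiteralPath $key) {
        return 'registered'
    }
    if (-not $elevated) {
        # Creating the subkey needs write access to HKLM, so report it
        # instead of attempting the write and failing.
        return 'missing; elevation required to create it'
    }
    try {
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
        return 'created'
    } catch {
        return "failed: $($_.Exception.Message)"
    }
}

Test-EventSourceRegistration
```

Registering the source once from an elevated installer lets later, unelevated processes log under that source without needing write access to HKLM.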
 
May 20, 2008
9,859
69
Syracuse, NY, USA
You're not creating the event source (in the HKLM registry tree), which is where the elevation is required.
Yeah, I figured that out after remembering how it all works.

There's a small error in the help. It says the category may be 0-999999. But it's a WORD and indeed, 65536 results in 0, 65537 results in 1.
 
Dec 2, 2008
212
2
Canada
Sorry, after more testing it appears to be the placement of the "/S" option:

[C:\Program Files\JPSoft\TCMD13x64]EVENTLOG /S"TEST" /E /C1 TEST
TCC: (Sys) The operation completed successfully.

[C:\Program Files\JPSoft\TCMD13x64]EVENTLOG /E /C1 /S"TEST" TEST
TCC: (Sys) The parameter is incorrect.
"S"TEST""
Usage : EVENTLOG [/Ssource] [/Cn /EIW] message

And EVENTLOG /= generates syntax similar to the second, failing syntax.

Craig