Eventlog Syntax issue

#1
I am using version 13.04:

Command "EVENTLOG" shows the following syntax in the manual:

EVENTLOG [S"source" /Cn /E /I /W] message

This syntax works, but when using the /= option the following syntax is generated:

EVENTLOG [/S"source" /Cn /E /I /W] message

and this doesn't work.

Craig Gunhouse
 
#4
From the command line,
Code:
eventlog /s"testsource" /c7 /i foo
(as expected) gives an event with source "testsource" and message "foo". This
Code:
eventlog s"testsource" /c7 /i foo
gives an event with source "TCC.EXE" and message "s"testsource" /c7 /i foo" (that would also seem to be as expected).
The problem with the /= dialog is that it doesn't put the "/Ssource" first, where the help says it must be, even if it's the first thing you enter in the dialog. It puts the category first. Below, I entered the source before I entered the category, and recalled the command after it failed.
Code:
v:\> eventlog /=
TCC: (Sys) The parameter is incorrect.
"Stestsource4"
Usage : EVENTLOG [/Ssource] [/Cn /EIW] message
 
v:\> EVENTLOG /C666 /Stestsource4 foo
 
#5
And the error message I get when I use EVENTLOG not elevated is odd:
Code:
v:\> eventlog /s"testsource" /c666 /i foo
TCC: (Sys) The operation completed successfully.
 
#6
And I don't understand why EVENTLOG should fail at all for me, an admin, not elevated, under UAC. Under those circumstances, this feeble attempt results in an event log entry (with the expected "source cannot be found" caveat).
Code:
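    // Fragment from inside a function; needs <windows.h> and the poster's Error() helper (not shown).
    HANDLE hEventLog = OpenEventLog(NULL, L"Application");
    if ( hEventLog == NULL )
        Error(L"OpenEventLog()", GetLastError());
    // "NoExist" is not a registered source; getting a handle for it does not create it.
    HANDLE hEventSource = RegisterEventSource(NULL, L"NoExist");
    if ( hEventSource == NULL )
        Error(L"RegisterEventSource()", GetLastError());
    LPCWSTR szMessage = L"foo";
    // Type EVENTLOG_SUCCESS, category 888, event ID 666, no SID, one string, no raw data.
    if ( !ReportEvent(hEventSource, EVENTLOG_SUCCESS, 888, 666, NULL, 1, 0, &szMessage, NULL) )
        Error(L"ReportEvent()", GetLastError());
    DeregisterEventSource(hEventSource);
    CloseEventLog(hEventLog);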
 

rconn

Administrator
Staff member
#7
> And I don't understand why EVENTLOG should fail at all for me, an admin, not elevated, under UAC. Under those circumstances, this feeble attempt results in an event log entry (with the expected "source cannot be found" caveat).
You're not creating the event source (in the HKLM registry tree), which is where the elevation is required.
 
#8
> You're not creating the event source (in the HKLM registry tree), which is where the elevation is required.
Yeah, I figured that out after remembering how it all works.

There's a small error in the help. It says the category may be 0-999999. But it's a WORD and indeed, 65536 results in 0, 65537 results in 1.
 
#9
Sorry, after more testing it appears to be the placement of the "/S" option:

[C:\Program Files\JPSoft\TCMD13x64]EVENTLOG /S"TEST" /E /C1 TEST
TCC: (Sys) The operation completed successfully.

[C:\Program Files\JPSoft\TCMD13x64]EVENTLOG /E /C1 /S"TEST" TEST
TCC: (Sys) The parameter is incorrect.
"S"TEST""
Usage : EVENTLOG [/Ssource] [/Cn /EIW] message

And EVENTLOG /= generates syntax similar to the second, failing syntax.

Craig
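
Added example, not part of the thread and not TCC's own parser: a small C argument parser for the `EVENTLOG [/Ssource] [/Cn /EIW] message` usage line that accepts `/S` in any position and rejects a category that does not fit in 16 bits instead of letting 65536 wrap to 0. The names `parse_eventlog` and `eventlog_args`, the 64-byte source limit and the default type `'I'` are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char source[64];     /* /Ssource or /S"source"; empty if not given */
    uint16_t category;   /* /Cn; 16 bits, like the WORD noted in the thread */
    char type;           /* 'E', 'I' or 'W'; default 'I' is an assumption */
    const char *message; /* rest of the line after the switches */
} eventlog_args;

/* Hypothetical parser: 0 on success, -1 on a malformed or out-of-range switch. */
int parse_eventlog(const char *p, eventlog_args *out)
{
    memset(out, 0, sizeof *out);
    out->type = 'I';
    for (;;) {
        while (*p == ' ') p++;
        if (*p != '/') break;                       /* message starts here */
        char sw = (char)toupper((unsigned char)p[1]);
        if (!sw || !strchr("SCEIW", sw)) return -1; /* unknown switch */
        p += 2;
        if (sw == 'S') {                            /* accepted in any position */
            char end = (*p == '"') ? *p++ : ' ';
            size_t n = 0;
            while (*p && *p != end) {
                if (n + 1 >= sizeof out->source) return -1;
                out->source[n++] = *p++;
            }
            if (n == 0 || (end == '"' && *p++ != '"')) return -1;
        } else if (sw == 'C') {
            char *e;
            if (!isdigit((unsigned char)*p)) return -1;
            errno = 0;
            unsigned long v = strtoul(p, &e, 10);
            if (errno || v > UINT16_MAX) return -1; /* reject, never wrap to 0 */
            out->category = (uint16_t)v;
            p = e;
        } else {
            out->type = sw;
        }
        if (*p && *p != ' ') return -1;             /* switch must end cleanly */
    }
    out->message = p;
    return *p ? 0 : -1;                             /* a message is required */
}
```

Text that does not start with `/` is treated as the message, which matches the `s"testsource" /c7 /i foo` behaviour reported in post #4.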