How to output a log event to a self-defined catalog

Hi all,
I'd like to output some messages to the Windows Event Viewer. I found the code
below; it works and outputs to the SYSTEM catalog in Event Viewer. Is
there any way to output it to a self-defined catalog?

#include <ntddk.h>

// Writes an entry to the System log. The name of the driver behind fdo becomes
// the event source, and 'code' must be a message ID from the driver's own
// message-table resource (.mc file) for the text to be resolved.
VOID LogEvent(NTSTATUS code, PDEVICE_OBJECT fdo)
{ // LogEvent

PWSTR myname = L"EventLog"; // single insertion string for the message

// Packet header + one ULONG of dump data + the NUL-terminated insertion string.
// IO_ERROR_LOG_PACKET already carries DumpData[1], hence the offset math below.
ULONG packetlen = (wcslen(myname) + 1) * sizeof(WCHAR) +
sizeof(IO_ERROR_LOG_PACKET) + 4;
if (packetlen > ERROR_LOG_MAXIMUM_SIZE)
return; // packet will be too big (EntrySize is a UCHAR)

PIO_ERROR_LOG_PACKET p = (PIO_ERROR_LOG_PACKET)
IoAllocateErrorLogEntry(fdo, (UCHAR) packetlen);
if (!p)
return;

memset(p, 0, sizeof(IO_ERROR_LOG_PACKET));
p->MajorFunctionCode = IRP_MJ_PNP;
p->ErrorCode = code;
p->DumpDataSize = 4;
p->DumpData[0] = 0x2A2A2A2A; // arbitrary marker, shows up in the event's binary data

// Insertion strings follow the dump data; subtract the DumpData[1] that is
// already counted in sizeof(IO_ERROR_LOG_PACKET).
p->StringOffset = sizeof(IO_ERROR_LOG_PACKET) + p->DumpDataSize -
sizeof(ULONG);
p->NumberOfStrings = 1;
wcscpy((PWSTR) ((PUCHAR) p + p->StringOffset), myname);

IoWriteErrorLogEntry(p); // the I/O manager owns and frees the packet from here
}

Thanks.
Marvin

I don't know how to write to a custom log using IoWriteErrorLogEntry.

If it were user mode, it would be simple:

C:\>reg add hklm\system\currentcontrolset\services\eventlog\wha_tis_tis_babe

The operation completed successfully

#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(lib, "advapi32.lib")

int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hEventLog = NULL;
// two insertion strings and ten bytes of raw binary data for the record
LPCWSTR Buff[] = { L"my mess no 1", L"my mess no 2" };
BYTE BinData[10] = { 0 };
BOOL repevtretval = FALSE;

// open the custom log created with 'reg add' above
// (RegisterEventSource is the documented way to get a handle for
// ReportEvent; OpenEventLog worked here, as the wmic output below shows)
if (( hEventLog = OpenEventLog(NULL, L"wha_tis_tis_babe")) == NULL)
{
printf("cannot open a handle to custom eventlog\n");
exit(FALSE);
}
// informational event, category 0, event ID 0, no user SID,
// 2 insertion strings, 10 bytes of binary data
if (!( repevtretval = ReportEvent( hEventLog,
EVENTLOG_INFORMATION_TYPE, 0, 0, NULL, 2, sizeof(BinData), Buff, BinData )))
{
printf("ReportEvent( Failed\n");
CloseEventLog(hEventLog);
exit(FALSE);
}
printf("Success \n Check Event Log\n");
// if the registry key does not exist, the record goes to the Application
// log but without the strings
CloseEventLog(hEventLog);
return 0;
}

wmic ntevent get /format:list

Category=0
CategoryString=
ComputerName=XXXXXX
Data={0,0,0,0,0,0,0,0,0,0}
EventCode=0
EventIdentifier=0
EventType=3
InsertionStrings={"my mess no 1","my mess no 2"}
Logfile=wha_tis_tis_babe
Message=
RecordNumber=4
SourceName=wha_tis_tis_babe
TimeGenerated=20130124054007.000000+330
TimeWritten=20130124054007.000000+330
Type=information
User=

On 1/23/13, Marvin Zhang wrote:
> Hi all,
> I’d like to output some messages to Windows event viewer. I found the code
> below, it works and it will output to SYSTEM catalog in event viewer. Is
> there any way to output it to self defined catalog?
>
> VOID LogEvent(NTSTATUS code, PDEVICE_OBJECT fdo)
> { // LogEvent
>
>
> PWSTR myname = L"EventLog";
>
> ULONG packetlen = (wcslen(myname) + 1) * sizeof(WCHAR) +
> sizeof(IO_ERROR_LOG_PACKET) + 4;
> if (packetlen > ERROR_LOG_MAXIMUM_SIZE)
> return; // packet will be too big
>
> PIO_ERROR_LOG_PACKET p = (PIO_ERROR_LOG_PACKET)
> IoAllocateErrorLogEntry(fdo, (UCHAR) packetlen);
> if (!p)
> return;
>
> memset(p, 0, sizeof(IO_ERROR_LOG_PACKET));
> p->MajorFunctionCode = IRP_MJ_PNP;
> p->ErrorCode = code;
> p->DumpDataSize = 4;
> p->DumpData[0] = 0x2A2A2A2A;
>
> p->StringOffset = sizeof(IO_ERROR_LOG_PACKET) + p->DumpDataSize -
> sizeof(ULONG);
> p->NumberOfStrings = 1;
> wcscpy((PWSTR) ((PUCHAR) p + p->StringOffset), myname);
>
> IoWriteErrorLogEntry(p);
> }
>
> Thanks.
> Marvin
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
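The user-mode path shown in the reply above (a key under Services\EventLog plus ReportEvent), done from PowerShell with the supported cmdlets, as an added example that is not code from the thread. The log, source and driver names are placeholders chosen here; nothing on the page uses them. It also shows the check a practitioner wants afterwards: what the registry tree now contains, who can write to it, and how to read back both the custom-log records and the System-log records that IoWriteErrorLogEntry produces.

```powershell
# Added example (not code from the thread). Creates a custom log and source the
# supported way, writes to it, reads it back, and checks the registry tree that
# the reg add / ReportEvent approach above relies on. Log, source and driver
# names are placeholders. Run in an elevated Windows PowerShell 5.1 session
# (New-EventLog/Write-EventLog/Remove-EventLog are not in PowerShell 7).

$LogName    = 'MyDriverDiag'     # assumed custom log name
$Source     = 'MyDriverDiagSrc'  # assumed event source under that log
$DriverName = 'mydriver'         # assumed kernel driver (service) name

# 1. Create the log and source. This populates
#    HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>\<Source>,
#    the same tree that 'reg add ...\eventlog\wha_tis_tis_babe' builds by hand.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# 2. Write an informational event with a message string and raw binary data,
#    the PowerShell counterpart of ReportEvent(..., lpStrings, lpRawData).
$RawData = [byte[]]::new(10)     # constructed sample payload, ten zero bytes
Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
    -EntryType Information -Message 'my mess no 1' -RawData $RawData

# 3. Read it back; this replaces 'wmic ntevent get /format:list'.
Get-WinEvent -LogName $LogName -MaxEvents 1 |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message

# 4. Inspect the source key. EventMessageFile names the DLL that log readers
#    load to turn the event ID into text, so on a hardened host make sure only
#    administrators can write under this tree.
$SourceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
Get-ItemProperty -Path $SourceKey | Select-Object EventMessageFile, TypesSupported
(Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName").Access |
    Where-Object { $_.RegistryRights -match 'SetValue|CreateSubKey|FullControl' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType

# 5. Kernel side: IoWriteErrorLogEntry records always go to the System log with
#    the driver's name as the provider, so they are read back the same way.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $DriverName } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 6. Clean up after testing (removes the log and its registry keys).
# Remove-EventLog -LogName $LogName
```

Creating the log needs administrator rights; writing to an existing source does not. Write-EventLog takes a single -Message string, so a record with several insertion strings, like the two in the C code above, has to go through [System.Diagnostics.EventLog]::WriteEvent or ReportEvent directly.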

The classic Event Log API only supports System/Security/Application.

You need to use the WINEVT API (Vista+), which is WMI-based.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


In XP and below, the OpenEventLog and ReportEvent calls that I posted upthread pass
the um->km boundary via the RPC interface (ndrSendRecieve2 and Get/SetBuffer
calls) and finally
ZwWaitRequestReply.

No, I am NOT saying you should use undocumented @#$@&*&$^ in your release-version code.

On 1/25/13, Maxim S. Shatskih wrote:
> Classic Event Log API only supports System/Security/Application
>
> You need to use WINEVT API (Vista+) which is WMI-based.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com

> um->km boundary via rpc interface ndrSendRecieve2 and Get/SetBuffer

The boundary is between advapi32.dll in the client process and the EventLog service process, not a um->km one.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> not um->km one.
Thanks Maxim, my mistake; I should have realized it is a message delivery mechanism.

On 1/25/13, Maxim S. Shatskih wrote:
>> um->km boundary via rpc interface ndrSendRecieve2 and Get/SetBuffer
>
> The boundary is between advapi32.dll in the client process and EventLog
> service process, not um->km one.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>