win32utils devel - Nov 2007 - Can''t write to "Windows PowerShell" source with win32-eventlog

Hi all,

Tim Uckun reported, and I''ve confirmed, that you can''t write
to the
Windows PowerShell event source for some reason.

Tim thought it might be because of the space in the name, but my attempt 
to quote it did not seem to help.

In order to follow along, install PowerShell, create the foo.dll using 
the foo.mc file in the ''test'' directory, and try the following
code:

require ''win32/eventlog''
include Win32

EventLog.add_event_source(
    :source                => ''Windows PowerShell'',
    :key_name              => ''foo'',
    :category_count        => 2,
    :event_message_file    => ''foo.dll'',
    :category_message_file => ''foo.dll''
)

EventLog.open(''Windows PowerShell'') do |log|
    log.report_event(
       :source     => "foo",
       :event_type => EventLog::WARN,
       :category   => "0x00000002L".hex,
       :event_id   => "0x00000003L".hex,
       :data       => "I''m warning you!"
    )
end

As Tim mentioned, this doesn''t raise an error. It just doesn''t
seem to
do anything.

Any ideas? Anything special about the Windows PowerShell source?

In unrelated news, my attempts to replace RegCreateKey with 
RegCreateKeyEx in EventLog.add_event_source failed. Or shouldn''t I 
bother with it?

Regards,

Dan

On Nov 27, 2007 6:15 PM, Daniel Berger <djberg96 at gmail.com>
wrote:
> Hi all,
<snip>
> In unrelated news, my attempts to replace RegCreateKey with
> RegCreateKeyEx in EventLog.add_event_source failed. Or shouldn''t I
> bother with it?
Scratch that. Got it working.

The PowerShell log issue is still there, though.

dan

Hi,

2007/11/28, Daniel Berger <djberg96 at gmail.com>:
>
> Hi all,
>
> Tim Uckun reported, and I''ve confirmed, that you can''t
write to the
> Windows PowerShell event source for some reason.
>
> Tim thought it might be because of the space in the name, but my attempt
> to quote it did not seem to help.
>
> In order to follow along, install PowerShell, create the foo.dll using
> the foo.mc file in the ''test'' directory, and try the
following code:
>
> require ''win32/eventlog''
> include Win32
>
> EventLog.add_event_source(
>    :source                => ''Windows PowerShell'',
>    :key_name              => ''foo'',
>    :category_count        => 2,
>    :event_message_file    => ''foo.dll'',
>    :category_message_file => ''foo.dll''
> )
>
> EventLog.open(''Windows PowerShell'') do |log|
>    log.report_event(
>       :source     => "foo",
>       :event_type => EventLog::WARN,
>       :category   => "0x00000002L".hex,
>       :event_id   => "0x00000003L".hex,
>       :data       => "I''m warning you!"
>    )
> end
>
> As Tim mentioned, this doesn''t raise an error. It just
doesn''t seem to
> do anything.
>
> Any ideas? Anything special about the Windows PowerShell source?
>
> In unrelated news, my attempts to replace RegCreateKey with
> RegCreateKeyEx in EventLog.add_event_source failed. Or shouldn''t I
> bother with it?
>
> Regards,
>
> Dan

I guess Custom Log event must have log file name.

After inserting following code at add_event_source methods, it works fine.

        # The key_name must be specified
         unless hash[''key_name'']
            raise Error, ''no event_type specified''
         end

###########  insert begin

        key = key_base + hash[''source'']

         if RegCreateKey(HKEY_LOCAL_MACHINE, key, hkey) != ERROR_SUCCESS
            error = ''RegCreateKey() failed: '' + get_last_error
            raise Error, error
         end
         hkey = hkey.unpack(''L'')[0]
         data =
"%SystemRoot%\\System32\\config\\#{hash[''source'']}.evt"

            rv = RegSetValueEx(
               hkey,
               ''File'',
               0,
               REG_EXPAND_SZ,
               data,
               data.size
            )

            if rv != ERROR_SUCCESS
               error = ''RegSetValueEx() failed: '',
get_last_error
               RegCloseKey(hkey)
               raise Error, error
            end
         RegCloseKey(hkey)

         hkey = [0].pack(''L'')

         key = key_base + hash[''source''] + "\\" +
hash[''key_name'']

###########  insert end

         if RegCreateKey(HKEY_LOCAL_MACHINE, key, hkey) != ERROR_SUCCESS
            error = ''RegCreateKey() failed: '' + get_last_error
            raise Error, error
         end
Regards,

Park Heesob
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/win32utils-devel/attachments/20071128/9fe8e52d/attachment.html

Heesob Park wrote:

<snip>
> I guess Custom Log event must have log file name.
Is that documented somewhere? I didn''t see it. Just curious.
> After inserting following code at add_event_source methods, it works fine.
Odd, I still couldn''t make it work. The first thing I noticed is that 
the .evt file names don''t necessarily match the source name. I see 
"Internet.evt", not "Internet Explorer.evt", for example.
The
WindowsPowerShell.evt file has no space in it on my system.

But, even after I changed the key value I still couldn''t write to the 
Windows PowerShell event log. Hmm.

I''m on vacation this weekend so I''ll have to take a look at it
next
week. In the meantime botp sent me an eventlog he says is suffering from 
missing description issues, but only on Win2k3. Attached if anyone wants 
to take a look.

Regards,

dan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: botp_sample_dmpi_security_log_2007_nov_27.evt
Type: application/octet-stream
Size: 38184 bytes
Desc: not available
Url :
http://rubyforge.org/pipermail/win32utils-devel/attachments/20071128/894aae27/attachment-0001.obj

Hi,

2007/11/29, Daniel Berger <djberg96 at gmail.com>:
>
> Heesob Park wrote:
>
> <snip>
>
> > I guess Custom Log event must have log file name.
>
> Is that documented somewhere? I didn''t see it. Just curious.
>
> > After inserting following code at add_event_source methods, it works
> fine.
>
> Odd, I still couldn''t make it work. The first thing I noticed is
that
> the .evt file names don''t necessarily match the source name. I see
> "Internet.evt", not "Internet Explorer.evt", for
example. The
> WindowsPowerShell.evt file has no space in it on my system.
>
> But, even after I changed the key value I still couldn''t write to
the
> Windows PowerShell event log. Hmm.

Event file name does not matter. I attached the modified eventlog.rb

I''m on vacation this weekend so I''ll have to take a look at it
next
> week. In the meantime botp sent me an eventlog he says is suffering from
> missing description issues, but only on Win2k3. Attached if anyone wants
> to take a look.

The attached eventlog has no problem on WinXP and Win2k3 in my test.

Regards,
>
> dan

Regards,

Park Heesob
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/win32utils-devel/attachments/20071130/4c617d97/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eventlog.rb
Type: application/octet-stream
Size: 28171 bytes
Desc: not available
Url :
http://rubyforge.org/pipermail/win32utils-devel/attachments/20071130/4c617d97/attachment-0001.obj