下面是一个读取系统日志的例子,我有些看不懂。其中long mRet什么意思??~为什么能把结构里面的值附给一个long型??
我觉得很奇怪!~~我从“while(ReadEventLog(hdle,EVENTLOG_FORWARDS_READ|EVENTLOG_SEQUENTIAL_READ,
1,ptr,sizeof(buff),&read_len,&next_len)) "之后不是很看得懂能否谁帮我解释下!!
HANDLE hdle;
EVENTLOGRECORD *ptr;
BYTE buff[4096];
DWORD read_len, next_len;
ptr=(EVENTLOGRECORD *)&buff;
hdle=OpenEventLog("", "Application");// System
if (hdle==NULL)
{
MessageBox("打开日志失败");
}
else
{
long mRet;
char lpszSourceName[255]={0};
char lpszComputerName[255]={0};
unsigned uStepOfString;
char* pStrings;
char szExpandedString[1024]={0};
while(ReadEventLog(hdle,EVENTLOG_FORWARDS_READ|EVENTLOG_SEQUENTIAL_READ,
1,ptr,sizeof(buff),&read_len,&next_len))
{
[color=#FF0000]mRet=ptr->EventID;//事件id
mRet=ptr->EventType;//事件类型
mRet=ptr->TimeWritten;//
mRet=ptr->NumStrings;//
mRet=ptr->Length;//
mRet=sizeof(EVENTLOGRECORD);
strcpy(lpszSourceName, (LPTSTR)((LPBYTE)ptr +mRet));//事件源
mRet+= strlen(lpszSourceName) + 1;
strcpy(lpszComputerName, (LPTSTR)((LPBYTE)ptr + mRet));//机器名
mRet+= strlen(lpszComputerName) + 1;
if(ptr->UserSidLength>0){;}//
mRet=ptr->DataOffset-ptr->StringOffset;
if(mRet>0)//事件描述
{
pStrings=new char[mRet];
memcpy(pStrings,(LPBYTE)ptr+ptr->StringOffset,mRet);
uStepOfString=0;
for(int x=0;x<ptr->NumStrings;x++)
{
if(x==0)
{
strcpy(szExpandedString, (TCHAR *)pStrings + uStepOfString);
if(x<(UINT)ptr->NumStrings - 1)strcat(szExpandedString, ",");
}
else strcat(szExpandedString, pStrings + uStepOfString);
uStepOfString = strlen(pStrings + uStepOfString) + 1;
}
delete [] pStrings;
}
MessageBox(lpszSourceName,szExpandedString);
}
CloseEventLog(hdle);
}
}
我觉得很奇怪!~~我从“while(ReadEventLog(hdle,EVENTLOG_FORWARDS_READ|EVENTLOG_SEQUENTIAL_READ,
1,ptr,sizeof(buff),&read_len,&next_len)) "之后不是很看得懂能否谁帮我解释下!!
HANDLE hdle;
EVENTLOGRECORD *ptr;
BYTE buff[4096];
DWORD read_len, next_len;
ptr=(EVENTLOGRECORD *)&buff;
hdle=OpenEventLog("", "Application");// System
if (hdle==NULL)
{
MessageBox("打开日志失败");
}
else
{
long mRet;
char lpszSourceName[255]={0};
char lpszComputerName[255]={0};
unsigned uStepOfString;
char* pStrings;
char szExpandedString[1024]={0};
while(ReadEventLog(hdle,EVENTLOG_FORWARDS_READ|EVENTLOG_SEQUENTIAL_READ,
1,ptr,sizeof(buff),&read_len,&next_len))
{
[color=#FF0000]mRet=ptr->EventID;//事件id
mRet=ptr->EventType;//事件类型
mRet=ptr->TimeWritten;//
mRet=ptr->NumStrings;//
mRet=ptr->Length;//
mRet=sizeof(EVENTLOGRECORD);
strcpy(lpszSourceName, (LPTSTR)((LPBYTE)ptr +mRet));//事件源
mRet+= strlen(lpszSourceName) + 1;
strcpy(lpszComputerName, (LPTSTR)((LPBYTE)ptr + mRet));//机器名
mRet+= strlen(lpszComputerName) + 1;
if(ptr->UserSidLength>0){;}//
mRet=ptr->DataOffset-ptr->StringOffset;
if(mRet>0)//事件描述
{
pStrings=new char[mRet];
memcpy(pStrings,(LPBYTE)ptr+ptr->StringOffset,mRet);
uStepOfString=0;
for(int x=0;x<ptr->NumStrings;x++)
{
if(x==0)
{
strcpy(szExpandedString, (TCHAR *)pStrings + uStepOfString);
if(x<(UINT)ptr->NumStrings - 1)strcat(szExpandedString, ",");
}
else strcat(szExpandedString, pStrings + uStepOfString);
uStepOfString = strlen(pStrings + uStepOfString) + 1;
}
delete [] pStrings;
}
MessageBox(lpszSourceName,szExpandedString);
}
CloseEventLog(hdle);
}
}
mRet=ptr->EventType;//事件类型
mRet=ptr->TimeWritten;//
mRet=ptr->NumStrings;//
mRet=ptr->Length;//
这几行就表示取出了EventType、TimeWritten、NumStrings、Length,没有实际意义。
HANDLE hdle;
EVENTLOGRECORD *ptr;
BYTE buff[4096];
DWORD read_len, next_len;
ptr=(EVENTLOGRECORD *)&buff;
hdle=OpenEventLog("", "Application");// System
if (hdle==NULL)
{
MessageBox("打开日志失败");
}
else
{
long mRet;
char lpszSourceName[255]={0};
char lpszComputerName[255]={0};
unsigned uStepOfString;
char* pStrings;
char szExpandedString[1024]={0};
while(ReadEventLog(hdle,EVENTLOG_FORWARDS_READ |EVENTLOG_SEQUENTIAL_READ,
1,ptr,sizeof(buff),&read_len,&next_len)) //此时ptr中已经有第一条Application的日志
{
mRet=ptr->EventID;//事件id
mRet=ptr->EventType;//事件类型
mRet=ptr->TimeWritten;//
mRet=ptr->NumStrings;//
mRet=ptr->Length;//
//以上6句为无用操作
mRet=sizeof(EVENTLOGRECORD);
strcpy(lpszSourceName, (LPTSTR)((LPBYTE)ptr +mRet));//事件源
mRet+= strlen(lpszSourceName) + 1;
strcpy(lpszComputerName, (LPTSTR)((LPBYTE)ptr + mRet));//机器名
mRet+= strlen(lpszComputerName) + 1;
if(ptr->UserSidLength>0){;}// 这样写想判断什么?
mRet=ptr->DataOffset-ptr->StringOffset; //得到事件描述名称所占大小
if(mRet>0)//事件描述
{
pStrings=new char[mRet];
memcpy(pStrings,(LPBYTE)ptr+ptr->StringOffset,mRet); //将事件描述复制到pStrings中
uStepOfString=0;
for(int x=0;x <ptr->NumStrings;x++)
{ //将事件描述拼接到szExpandedString中
if(x==0)
{
strcpy(szExpandedString, (TCHAR *)pStrings + uStepOfString);
if(x <(UINT)ptr->NumStrings - 1)strcat(szExpandedString, ","); //将事件描述头部用逗号隔开
}
else strcat(szExpandedString, pStrings + uStepOfString); //进行拼接
uStepOfString = strlen(pStrings + uStepOfString) + 1; //移动位移
}
delete [] pStrings; //释放new的空间
}
MessageBox(lpszSourceName,szExpandedString); //用MessageBox将日志内容显示出来,接着读下一条日志
}
CloseEventLog(hdle); //关闭日志句柄
}
/*
ReadEventLog读的缓冲区是这样的,我以"|"进行分割,"|"实际并不存在:
| EVENTLOGRECORD | 事件源 | \0 | 机器名 | \0 | ... | 事件描述 | ... */
这句话的意思是自己是这样理解的。。在ptr开头的地址+ eventlogrecord地址之后开始读取事件源,系统把字符指针指向这里,然后开始读取并且复制给lpzsourcename...
mRet=ptr->EventType;//事件类型
mRet=ptr->TimeWritten;//
mRet=ptr->NumStrings;//
mRet=ptr->Length;//
这几行就表示取出了EventType、TimeWritten、NumStrings、Length,没有实际意