WinAPI ReportEvent - component not installed - c++

I've implemented a simple function to log on event viewer from my application. However, I'm getting the following message every time I log something, regardless the error level:
The description for Event ID 0 from source MyAppEvents cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
I'm not an expert on Event log, actually, this is the first time I'm using it in C++, and the documentation is confusing and misleading...
Here is the method I've implemented, to encapsulate event log calls:
HANDLE source = NULL;
void app_log(std::string m, WORD level) {
std::wstring msg_temp (m.begin(), m.end());
LPCWSTR msg = msg_temp.c_str();
std::wstring name(L"MyAppEvents");
if (source == NULL)
source = RegisterEventSource(NULL, name.c_str());
if (source) {
if (!ReportEvent(source, level, 0, 0, NULL, 1, 0, &msg, NULL))
std::cerr << "Error when logging";
}
else
std::cerr << "Error when logging";
}
I have an installer for my app, built with WIX (this installer creates the key needed to log on event viewer - subkey of Application) and it runs smoothly. However, I didn't understand that message, and also don't know how to attach my installed app to the event log - I'm actually not even sure if this is the problem, or if it is maybe one of the parameters I'm passing as NULL or 0.
This message appears also when I debug (without installing, but with the "application subkey" manually created).
Could you help me?
I can't use C++ managed code...

There is nothing wrong with your logging code. The warning message simply means that you have not properly registered the MyAppEvents event source in the Registry. This is documented on MSDN:
RegisterEventSource function:
pSourceName [in]
The name of the event source whose handle is to be retrieved. The source name must be a subkey of a log under the Eventlog registry key. Note that the Security log is for system use only.
Event Sources:
The structure of the event sources is as follows:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
EventLog
Application
AppName
Security
System
DriverName
CustomLog
AppName
...
Each event source contains information (such as a message file) specific to the software that will be logging the events
...
An application can use the Application log without adding a new event source to the registry. If the application calls RegisterEventSource and passes a source name that cannot be found in the registry, the event-logging service uses the Application log by default. However, because there are no message files, the Event Viewer cannot map any event identifiers or event categories to a description string, and will display an error. For this reason, you should add a unique event source to the registry for your application and specify a message file.
It is not enough to just create the MyAppEvents subkey, you also have to point it to the message files for your app. If you store your event log categories and event messages as resources of your app executable, the subkey can register the executable itself as the message files.

Related

RegisterEventSource(0, "App1.exe") => what if there are multiple "App1.exe"s under ...\Eventlog registry key?

I am trying to use the Windows Event Logging service and in struggle with RegisterEventSource owing to the insufficient/ambiguous description.
Let's assume "App1.exe" is the event source name that will be used from an application program App1.exe.
And I will use my own custom event log subkey named "MyCustLog" under which "App1.exe" subkey will be created.
So, my custom event log subkey for App1.exe will look like "... \MyCustLog\App1.exe" under which EventMessageFile/CategoryMessageFile/CategoryCount will be set as "App1.exe"/"App1.exe"/3, respectively.
Now, there happens and/or will happen to be another "App1.exe" event source name registered under a 3rd party custom event log key as shown below:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
Eventlog
Application
Security
System
3rdPartyLog
App1.exe
After I create my own custom event log key it looks like:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
Eventlog
Application
Security
System
3rdPartyLog
App1.exe
MyCustLog
App1.exe
Now, I call RegisterEventSource follows:
HANDLE hEvtSrc = RegisterEventSource(0, "App1.exe");
=> returns an event log handle to hEvtSrc, but how can I be sure that the handle is returned for MyCustLog's App1.exe, not 3rdPartyLog's App1.exe?
What I have tried:
I tried the following:
HANDLE hEvtSrc2 = RegisterEventSource(0, "MyCustLog\\App1.exe");
=> this also successfully returns an event log handle but not sure if it is for MyCustLog's App1.exe, nonetheless. Moreover, an event fired by the following ReportEvent with this handle shows failure description in its property window from Windows Event Log Viewer.
CONST LPCTSTR pBadCommand = _T("The command that was not valid");
DWORD dwEventDataSize = ((DWORD)_tcslen(pBadCommand) + 1) * sizeof(TCHAR);
BOOL bRet = ReportEvent(hEventLog, EVENTLOG_ERROR_TYPE, UI_CATEGORY, MSG_INVALID_COMMAND, NULL, 0, dwEventDataSize, NULL, (LPVOID)pBadCommand);
The failure message says: The description for event id MSG_INVALID_COMMAND cannot be found from the source MyCustLog\App1.exe
I also tried the third way:
HANDLE hEvtSrc3 = RegisterEventSource(0, "MyCustLog/App1.exe");
=> this again successfully returns an event log handle, but still an event fired by ReportEvent with this handle shows the almost the same failure description in its property window from event viewer. The only difference in failure message is MyCustLog/App1.exe instead of MyCustLog\App1.exe.
Therefore, "MyCustLog\App1.exe" or "MyCustLog/App1.exe" cannot be used instead of "App1.exe" to get the right handle of my own for RegisterEventSource. So we are back to the square one again.
So, once again, how can I be sure the returned handle for RegisterEventSource(0, "App1.exe") is for MyCustLog\App1.exe, not for 3rdPartyLog\App1.exe?
Below is shown the .mc file in use for App1.exe.
[Message file]
; // App1.mc
; // This is the header section.
SeverityNames=(Success=0x0:STATUS_SEVERITY_SUCCESS
Informational=0x1:STATUS_SEVERITY_INFORMATIONAL
Warning=0x2:STATUS_SEVERITY_WARNING
Error=0x3:STATUS_SEVERITY_ERROR
)
FacilityNames=(System=0x0:FACILITY_SYSTEM
Runtime=0x2:FACILITY_RUNTIME
Stubs=0x3:FACILITY_STUBS
Io=0x4:FACILITY_IO_ERROR_CODE
)
LanguageNames=(English=0x409:MSG00409)
; // The following are the categories of events.
MessageIdTypedef=WORD
MessageId=0x1
SymbolicName=NETWORK_CATEGORY
Language=English
Network Events
.
MessageId=0x2
SymbolicName=DATABASE_CATEGORY
Language=English
Database Events
.
MessageId=0x3
SymbolicName=UI_CATEGORY
Language=English
UI Events
.
; // The following are the message definitions.
MessageIdTypedef=DWORD
MessageId=0x100
Severity=Error
Facility=Runtime
SymbolicName=MSG_INVALID_COMMAND
Language=English
The command is not valid.
.
MessageId=0x101
Severity=Error
Facility=System
SymbolicName=MSG_BAD_FILE_CONTENTS
Language=English
File %1 contains content that is not valid.
.
MessageId=0x102
Severity=Warning
Facility=System
SymbolicName=MSG_RETRIES
Language=English
There have been %1 retries with %2 success! Disconnect from
the server and try again later.
.
MessageId=0x103
Severity=Informational
Facility=System
SymbolicName=MSG_COMPUTE_CONVERSION
Language=English
%1 %%4096 = %2 %%4097.
.
; // The following are the parameter strings */
MessageId=0x1000
Severity=Success
Facility=System
SymbolicName=QUARTS_UNITS
Language=English
quarts%0
.
MessageId=0x1001
Severity=Success
Facility=System
SymbolicName=GALLONS_UNITS
Language=English
gallons%0
.
If there are multiple App1.exe event sources, there is no way to tell RegisterEventSource() which source to use. RegisterEventSource() only accepts a source name, not a log name.
In fact, the Event Sources documentation says:
You cannot use a source name that has already been used as a log name. In addition, source names cannot be hierarchical; that is, they cannot contain the backslash character ("").
Which is why registering MyCustLog\App1.exe doesn't work, as it is an illegal source name. And why registering MyCustLog/App1.exe doesn't differentiate App1.exe between multiple logs, as / is not a hierarchy delimiter so RegisterEventSource() treats MyCustLog/App1.exe as the entire source name, not as App1.exe underneath MyCustLog.
So, since the source name for both logs is just App1.exe, you must use RegisterEventSource("App1.exe"), and so it will use the the first App1.exe it finds. And if it doesn't find any, it will fallback to using the Application log, which doesn't support category/message files.
So, make sure your event source is named uniquely. For instance, by NOT using your app's filename, but rather more descriptive names, eg:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
Eventlog
My Custom Log
My Custom App Name
You can point My Custom App Name to the actual App1.exe file in its EventMessageFile/CategoryMessageFile values as needed.
And then you can use RegisterEventSource("My Custom App Name").
You should have a look at your local Registry to see how other apps register their event sources. It is actually rare for filenames to be used as key names. For example, here is what is registered in the eventlog key on my local system. As you can see, none of the log keys or app keys use filenames for their names:

Custom Windows Authentication Package Logon Failed

I have developed custom authentication package that I would like to use for interactive logon. It creates the access token in the LsaApUserLogon function.
When I call LsaUserLogon from an application I can enumerate new user sessions, but when I used it for logon (also I have created a custom credential provider) I can see in Windows Event log that I was successfully logged in and then logged out.
When I select my specific Credential and try to logon, it enters into LsaApLogonUser API of my Authentication Package. If I check log file, LsaApLogonUser return STATUS_SUCCESS. But Windows is not logged on. After leaving LsaAPLogonUser, LSA calls LsaApLogonTerminated API and back LogonUI.
When I prepared the TokenInformation I got LookupPrivilegeValueW failed for the SeInteractiveLogonRight. I don't know if this is important for logon.
LsaApLogonUser(...){
......
// NetUserGetInfo
// AllocateLocallyUniqueId (LogonId)
err = GetTokenInformationv2(pdi?pdi->DomainControllerName:NULL,wszDomain,wszUser,&LocalTokenInformation,LogonId);
err = g_pSec->CreateLogonSession(LogonId);
if(ProfileBuffer)
{
*ProfileBuffer=NULL;
*ProfileBufferLength=0;
}
(*TokenInformationType)=LsaTokenInformationV2;
(*TokenInformation)=LocalTokenInformation;
return STATUS_SUCCESS;
}
GetTokenInformationv2(...){
....
....
// Call LsaEnumerateAccountRights
// check LookupPrivilegeValueW // It failed for "SeInteractiveLogonRight"
//
return STATUS_SUCCESS;
}
Is ProfileBuffer important for logon? I don't know why LSA cannot logon.
The documentation does not say that the profile buffer can be set to NULL and it seems that it is indeed mandatory. The OP reports that allocating and returning a profile buffer (just a single byte was enough) resolved the problem.
The error when attempting to retrieve a LUID for SeInteractiveLogonRight was not relevant; the user's logon rights do not need to be included in the TOKEN_PRIVILEGES structure, so no LUID is needed, and as documented, the LookupPrivilegeValue function only accepts privileges:
The LookupPrivilegeValue function supports only the privileges specified in the Defined Privileges section of Winnt.h.
(Note that the relevant section of winnt.h only contains definitions for SeXxxPrivilege; the definitions for SeXxxLogonRight are in ntsecapi.h.)

IBMIOTF/BlueMix Publish Command Syntax

I am attempting to assemble a small proof of concept system on IBM's Bluemix/Internet of Things. Currently this comprises of a Raspberry Pi feeding events up to the cloudbased app, which currently stores those events away, and periodically attempts to send down a command, using the following code block:
def sendCmd(command, payload, device="raspberrypi" ):
deviceId = #Fixed value
global cmdCount
client.publishCommand("raspberrypi", deviceId, str(command), "json", payload)
print "Sending '%s' cmd, payload '%s' to device %s" % (command, payload, deviceId)
cmdCount = cmdCount + 1
As far as the documentation is concerned this appears to be the correct syntax, as described by the documentation :
client.connect()
commandData={'rebootDelay' : 50}
client.publishCommand(myDeviceType, myDeviceId, "reboot", "json", myData)
No exceptions are thrown in this block of code, however the device is not receiving any commands; and the cloud foundry log is not throwing any errors. Is there a subtle point about the syntax I am missing?
This issue boiled down to having instantiated the wrong class on the Raspberry Pi. I had an instance of ibmiotf.application which registered a function to the variable self.client.commandCallback. However nothing appeared to be triggering the callback.
Once I instantiated the device with the ibmiotf.device import rather than ibmiotf.application, the command callback started to be called. This required a couple of the minor changes, to support slightly different function calls, but they were fairly self explanatory when trying to run the code.
The Device Class controls Events being published from the unit, and determines how to handle commands from upstream. Whereas the Application Class handles the receipt of Events and emission of Commands.

How to Change Default search provider of IE 9 by registry Editing through C++ program?

I want to change the default search provider of IE (9) by editing the registry file. I have followed the steps given in the link: http://www.online-tech-tips.com/internet-explorer-tips/change-default-search-engine-ie/.
But when I change DefaultScope value to a scope in SearchScopes, then restart the computer, or open IE, make a search in address bar, or close IE. The value of DefaultScope is restore to previous value.
Why? Or what is my mistake?
How to change the search provider engine of IE programatically (not in IE, may be through registry, or in my C++ code)? (I write a C++ program that need to change IE's search provider engine)
I have written this function for Firefox or Chrome. It works well.
With Firefox, those information is stored in the prefs.js file. I can
read or write information requisite to this file easily. With Chrome,
those information is stored in two files in user profile folder:
Preferences and Web Data files. The Preferences file is a JSON file. I
get those information easily by parsing this JSON file. But to set
search engine provider information for Chrome. We need to change those
information in Web Data file. Web Data file is a SQLite file. I use
SQLite library to access this.
With Internet Explorer, I can get those information in that registry
path. But I can't set those information with that registry path. So, I
think, like Chrome, IE (or registry) needs to change those information
somewhere. But I don't know where.
Here is a detailed answer to your question.
There are two options you may choose from use IOpenServiceManager:
CComQIPtr<IOpenServiceManager> spManager;
check(spManager.CoCreateInstance(__uuidof(OpenServiceManager), CLSCTX_ALL));
CComQIPtr<IOpenService> spService;
check(spManager->InstallService(PU_POSTINSTALL_ANT_SEARCH_PROVIDER_XML, &spService));
if(makeItDefault)
{
// Request that the user change their search default
check(spService->SetDefault( TRUE, hPromptParent ));
}
or modify the registry:
LPCWSTR searchScopesKeyName = L"Software\\Microsoft\\Internet Explorer\\SearchScopes";
createKey(rootKey, HKEY_CURRENT_USER, searchScopesKeyName);
std::wstring clsidString = findProviderClsid(false);
if( clsidString.empty() )
clsidString = mc_providerClsidString;
if( makeItDefault )
setStringValue( rootKey, mc_defaultScopeValueName, clsidString.c_str() );
ATL::CRegKey subKey;
createKey(subKey, rootKey.m_hKey, clsidString.c_str() );
setStringValue( subKey, mc_displayNameValueName, mc_providerName );
setStringValue( subKey, mc_faviconUrlValueName, mc_providerFaviconURL );
setStringValue( subKey, mc_urlValueName, mc_providerURL );
Just giving a side note that SetDefault function was deprecated on Microsoft Edge browser. Also, after KB3148198 update, it's blocked. Function will return
OS_E_CANCELLED instead.

Problem with Custom TFS Web Service Plugin

i'm not sure that what im going to do is the right so i first of all tell you my issue.
I have TFS as Bugtracking System and another system for tracking the worktime. I want that if a workitem status changes the other system changes the status too.
What i did until now is the following.
I wrote a plugin for the TFS web service were i catch the WorkItemChangedEvent.
public EventNotificationStatus ProcessEvent(TeamFoundationRequestContext requestContext, NotificationType notificationType, object notificationEventArgs,
out int statusCode, out string
statusMessage, out ExceptionPropertyCollection properties)
{
statusCode = 0;
properties = null;
statusMessage = String.Empty;
try
{
if (notificationType == NotificationType.Notification && notificationEventArgs is WorkItemChangedEvent)
{
WorkItemChangedEvent ev = notificationEventArgs as WorkItemChangedEvent;
EventLog.WriteEntry("WorkItemChangedEventHandler", "WorkItem " + ev.WorkItemTitle + " was modified");
}
}
catch (Exception)
{
}
return EventNotificationStatus.ActionPermitted;
}
I droped the DLL in C:\Program Files\Microsoft Team Foundation Server 2010\Application Tier\Web Services\bin\Plugins
but i looks like the extension is never called. So nothing apears in the event log.
But if i try to debug the service like in this post http://geekswithblogs.net/jakob/archive/2010/10/27/devleoping-and-debugging-server-side-event-handlers-in-tfs-2010.aspx
i cant hook on the process. So debugging does not work.
Why i cant debug the service? And is there a better way to do this?
Not sure if you fixed this but to me it looks like you are missing the Subscription method in the class.
public Type[] SubscribedTypes()
{
return new Type[1] {typeof(WorkItemChangedEvent)};
}
Without this your plugin will never get hit thus you will be unable to debug.
To debug the w3wp.exe process, you need to be running Visual Studio as an administrator.
From the menu, select Debug > Attach to process (or Ctrl-Alt-P)
Select Show processes from all users and Show processes in all sessions.
Find the w3wp.exe process that corresponds to your TFS Application Pool, and attach to it.
I notice that you're using EventLog.WriteEntry() - have you registered the event source previously in your code? To avoid the registration (which requires admin permissions), you might try using the TFS logger:
TeamFoundationApplication.Log("WorkItem " + ev.WorkItemTitle + " was modified", 0, System.Diagnostics.EventLogEntryType.Information);