How do I read boot time events on Windows 7?

Question

I am trying to use the ETW functions without success to read the file:

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

In order to capture boot time events.

I have tried various functions -

OpenTrace gives an error 161
EvtQuery gives an error 15000

Does anyone have a native code example of reading system trace files?

FYI: 161 = ERROR_BAD_PATHNAME or ERROR_MAX_SESSIONS_REACHED, 15000 = ERROR_EVT_INVALID_CHANNEL_PATH — Rup, Nov 16 '10 at 14:19
Are you making a util which loggs windows start\shut-down times? — Viktor Sehr, Nov 25 '12 at 18:44

score 6 · Accepted Answer · edited Feb 11 '14 at 11:04

I got this working as follows -

LPWSTR pwsPath = L"Microsoft-Windows-Diagnostics-Performance/Operational";
LPWSTR pwsQuery = L"Event/System[EventID=100]";

hResults = EvtQuery(NULL, pwsPath, pwsQuery,
                    EvtQueryChannelPath | EvtQueryReverseDirection);

The channel name can be found by going to Properties on an eventlog and using it's Full Name.

The error 15000 was due to me trying to open the log file with the given flags rather than the channel name.

How do I read boot time events on Windows 7?

1 Answers1

Linked