Reading a saved EVTX file in the given path

Question

I am currently working on a project where I need to read windows events . I am using OpenEventLog() and ReadEventLog() from Win API. I can read the events from system using the typename of the event. But I need to specify the file name or file path of the .evtx file that I have saved from the EventViewer.I tried the below code,

HANDLE logHandle = OpenEventLog(NULL, "C:\\Users\\MyAccount\\Documents\\myevents.evtx");
DWORD status = GetLastError();
if(logHandle == NULL){
    cerr<<"NO HANDLE GENERATED!!!"<<endl;
}else if(status == ERROR_INVALID_HANDLE){
    cerr<<"INVALID HANDLE!!!"<<endl;
}else if(status!=0){
    cout<<"OPENEVENTLOG ERROR STATUS::>"<<status<<endl;
}

But it does not find the specified file and switches over to default Application Events. Can anyone please tell me what the problem could be? or if there is anything to be changed in the code?

PS: I even tried placing the file in project folder and specifying just the filename(myevents.evtx) , but still doesn't work.I also tried reading the evtx directly as shown in "Reading .evt/.evtx files directly" , but later I found this can't be done. Apparently there is no way to read them directly without win API or without writing a whole bunch of parser code.

Thanks in advance.

What is the status (last error) that you've got? – macro_controller Feb 20 '18 at 13:03 — macro_controller, Feb 20 '18 at 13:03
It was 0. It didn't report any other errors. – Infant Ajay Feb 20 '18 at 19:03 — Infant Ajay, Feb 20 '18 at 19:03

score 1 · Answer 1 · answered Feb 21 '18 at 06:20

1

Well, it turns out OpenEventLog() is not meant for opening saved .evtx files. I should've been using OpenBackupEventLog() for that.

answered Feb 21 '18 at 06:20

Infant Ajay

21
6

Reading a saved EVTX file in the given path

1 Answers1