CodeProject: Adding User Name to Events. Free source code and programming help

Announcements

	Java Competition
	Smart Client Comp
	LAMP drag-bike comp
	Monthly Competition

Want a new Job?

Would you like to work at The Code Project? (ASP.NET, C#, SQL) at The Code Project in Canada
Epic Inpatient Project Manager at Parker HealthcareIT in United States
SharePoint Developer at INTEQNA in Canada
View Latest Jobs...

Chapters

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

Development Lifecycle

Debug Tips

Design and Architecture

Services

Feature Zones

WhitePapers / Webcasts

.NET Bug Tracking

ASP.NET Web Hosting

Advanced Search
Sitemap

Report

Discuss

5 votes for this Article.

Popularity: 3.08 Rating: 4.40 out of 5

The Event Viewer

Introduction

This article will explain how to add a user name to the Events that are logged in to the Event Viewer.

Background

I needed to add user names to events that were being logged, and I could not find anything directly on target. Microsoft's website stated to simply add the SID to the ReportEvent function. It did not tell how to get the SID. After much more investigation, I found something written in another programming language that got the user SID, so I translated it into C and combined it with what I was doing.

Using the code

I wrote a standalone program first to test out what I wanted to do at work. I will provide all the relevant portions here so that you can simply paste into your project something that works.

Collapse

    HANDLE hToken;
    HANDLE g_eventHandle = NULL;
    int rc;
    DWORD dwLength = 0;
    PTOKEN_USER pTokenUser = NULL;
    TCHAR *params[1];

        // in order to use ReportEvent we must first Register Event

    g_eventHandle = RegisterEventSource(NULL, _T("SID_TEST"));
    OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);

    // Get required buffer size and allocate the PTOKEN_USER buffer.

    if (!GetTokenInformation(
        hToken,         // handle to the access token

        TokenUser,    // get information about the token's groups

        (LPVOID) pTokenUser,   // pointer to TOKEN_USER buffer

        0,              // size of buffer

        &dwLength       // receives required buffer size

    ))
    {
        if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
            goto Cleanup;

        pTokenUser = (PTOKEN_USER)HeapAlloc(GetProcessHeap(),
            HEAP_ZERO_MEMORY, dwLength);

        if (pTokenUser == NULL)
            goto Cleanup;
    }

    // Get the token group information from the access token.

    if (!GetTokenInformation(
        hToken,         // handle to the access token

        TokenUser,    // get information about the token's groups

        (LPVOID) pTokenUser,   // pointer to TOKEN_USER buffer

        dwLength,       // size of buffer

        &dwLength       // receives required buffer size

    ))
    {
        goto Cleanup;
    }

    params[0] = const_cast<TCHAR*>("test string");

    // the actual call that places the event into the Event Viewer

    rc = ReportEvent(g_eventHandle, EVENTLOG_INFORMATION_TYPE, 0, 0,
        pTokenUser->User.Sid,// the sid goes here <-------

        1, 0, (LPCTSTR *)params, NULL);

Cleanup:

    // Free the buffer for the token .

    if (pTokenUser != NULL)
        HeapFree(GetProcessHeap(), 0, (LPVOID)pTokenUser);

    // i am finished with the Event

    DeregisterEventSource(g_eventHandle);

Points of Interest

That's all there is to it. The GetTokenInformation function has to be called twice; if you have too much or too little allocated for your SID, the function will fail.

The Event View with our entry:

The Event Viewer

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

maththaios

I am a computer programmer in Florida.

Occupation:	Software Developer (Senior)
Location:	United States

Other popular Applications & Tools articles:

ToDoList 5.7.2 - A simple but effective way to keep on top of your tasks
A hierarchical task manager with native XML support for custom reporting.
MFC Grid control 2.26
A fully featured MFC grid control for displaying tabular data. The grid is a custom control derived from CWnd
Programming Self-generating Code for Windows Applications
Executing VC++ codes in STACK or HEAP
Asynchronous Method Invocation
How to use .NET to call methods in a non-blocking mode.
A flexible charting library for .NET
Looking for a way to draw 2D line graphs with C#? Here's yet another charting class library with a high degree of configurability, that is also easy to use.

Article Top

You must Sign In to use this message board.

Msgs 1 to 5 of 5 (Total in Forum: 5) (Refresh)

FirstPrevNext

Nice example but do you have vb.net version.

Member 4911548

17:31 25 Mar '08

hi, i using vb.net windows application. Can you help me translate to vb.net version? Many thanks for you. modified on Tuesday, March 25, 2008 11:14 PM
Sign In·View Thread·PermaLink

What about using LookupAccountName ?

lumoryel

5:22 12 Apr '06

Hi there !

I found another possibility to get the SID of a certain user. I'm calling GetUserName() (which returns the username of the current thread) and put the username into LookupAccountName(). This returns the SID for this user.


bool __fastcall
CreateEventLogEntry(AnsiString source, AnsiString message, WORD
event_type, BYTE * data, int data_size, DWORD event_id)
{

    HANDLE g_eventHandle = NULL;
    TCHAR *params[1];

    message = "\n\n" + message + "\n\n";
    params[0] = message.c_str();

    g_eventHandle = RegisterEventSource(NULL, source.c_str());
    if(g_eventHandle==NULL)
    {
      ShowMessage("CreateEventLogEntry: RegisterEventSource() Failed !");
      return false;
    }

    TCHAR lpBuffer[100];
    unsigned long size = 100;

    if(!GetUserName(lpBuffer, &size))
    {
      ShowMessage("CreateEventLogEntry: GetUserName() Failed !");
      DeregisterEventSource(g_eventHandle);
      return false;
    }

    SID Sid;
    DWORD Sid_Size = 28;
    TCHAR ReferencedDomainName[100];
    DWORD DomainName_Size = 100;
    SID_NAME_USE snu = SidTypeUser;

    if(!LookupAccountName(NULL,
                          lpBuffer,
                          &Sid,
                          &Sid_Size,
                          ReferencedDomainName,
                          &DomainName_Size,
                          &snu))
    {
      ShowMessage("CreateEventLogEntry: LookUpAccountName() Failed !");
      DeregisterEventSource(g_eventHandle);
      return false;
    }

    if(!ReportEvent(g_eventHandle, event_type, 0, event_id,
      &Sid, 1, data_size, (LPCTSTR *)params, data))
    {
      ShowMessage("CreateEventLogEntry: ReportEvent() Failed !");
      DeregisterEventSource(g_eventHandle);
      return false;
    }

    DeregisterEventSource(g_eventHandle);

    return true;
}

Re: What about using LookupAccountName ?

maththaios

6:26 12 Apr '06

I tried this code and I found 2 things. 1st, My IDE (Visual Studio) reported at the end of the function that the stack around the variable Sid was corrupted. 2nd the user name, for some reason, did not show in the event viewer. I was able to fix the stack corruption by changing SID to PSID and calling LookupAccountName twice. The first time with Sid_Size == 0, the Sid_Size is then set by this function so that PSID can be dynamically allocated, the second call fills out the sid proberly. I am not sure why the user name is not showing up in the event viewer. But I will continue to investigate.

Nice but i have a question

nesculcas

1:23 6 Mar '06

Hello,

This is interesting, I always wonder why my desriptions on event viewer never appear only like the message i wrote, it always preceded some text telling that the source was not valid or something like that. But now i try your code and once again there's a preceding text... only the difference it's now different the contents Poke tongue

My question is why in my teste de description tells this: (note i use the source text 'teste' and event id=0)

The description for Event ID ( 0 ) in Source ( teste ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details

Thanks

Nuno

Re: Nice but i have a question

maththaios

10:04 6 Mar '06

if I understand your question, so seem to be having a problem with the message itself, and not in reguards to adding the user name to the message. I did a search on The Code Project for the ReportEvent function, and this one, http://www.codeproject.com/system/xeventlog.asp, seems to be on target for the problems you are having. I hope this helps. Matt
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Last Visit: 9:27 4 Mar '09 Last Update: 9:27 4 Mar '09

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 22 Feb 2006
Editor: Smitha Vijayan