我试图从不同来源写入Windows EventLog,以在我的系统上重新创建一系列事件。我的想法是,我可以使用Event的XML并在EventLog中重新创建它。到目前为止,我已经找到了如何根据EventLog.WriteEntry("Service Control Manager", "a test message", EventLogEntryType.Information, 7036, 0);
的源名称从任意提供程序创建简单事件,但这只是一个经典日志,它不支持更高级的我需要模仿现代日志的数据结构。我尝试过使用System.Diagnostics.Eventing.EventProvider.WriteEvent,但这只适用于某些提供程序GUID(例如,我可以将其用于Power-Troubleshooter,但不适用于服务控制管理器)。我已经无法在互联网上找到任何东西而且我已经搜索了几天,如果有人知道这样做的话会非常有用 - 无论是否在c#中。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics.Eventing;
using System.Diagnostics;
namespace ETWDemo
{
class Program
{
static void Main(string[] args)
{
//This writes a simple message event
EventLog.WriteEntry("Service Control Manager", "a basic message", EventLogEntryType.Information, 7036, 0);
//The rest of this writes a modern EventLog
//this is the GUID for the Service Control Manager
var eventProvider = new EventProvider(new Guid("{555908d1-a6d7-4695-8e1e-26931d2012f4}"));
if (eventProvider.IsEnabled())
Console.WriteLine("Provider is enabled");
//Outputs 'True' on my system
EventDescriptor eventDescriptor;
unchecked
{
eventDescriptor = new EventDescriptor(
7036, //EventId
0, //Version
0x0, //Channel Id
0x4, //Level
0x0, //OpCode
0x0, //Task
(long)0x8000000000000000); //Keywords
}
var wroteOk = eventProvider.WriteEvent(ref eventDescriptor, "pls", "wrk");
if (wroteOk)
Console.WriteLine("Claims to have written correctly");
else
Console.WriteLine("Did not write correctly");
//Console outputs "Claims to have written correctly", but nothing changes in the eventLog
}
}
}