Guess I just forgot the source file.

On Fri, 30 Nov 2001 17:38:12 -0500 (EST) Yimin Zheng wrote:
>I fixed 2 bugs in the eventlog.cpp.
>1. Problem 1 described in my old post.
>2. In XS_NT__Lanman_ReadEventLog(), using "recordPtr->Length"
>alone one cannot always correctly determine if all entries
>are processed. This sometimes leads the code to terminate with
>LastError=122. I added "dwUnprocessedSize" to do the job and
>the problem's fixed.
>Attached is the new code.
>
>Thanks
>Yimin
>
>
>On Tue, 6 Nov 2001 23:00:29 -0500 (EST)
>Yimin Zheng wrote:
>
>>I found 2 problems when using Win32::Lanman to retrieve eventlogs.
>>Below is my analysis of the problems.
>>
>>1.
>>Sometimes "GetEventDescription" will fail with an error code
>>2 -- file not found.
>>I looked into "eventlog.cpp" in the source code and implemented
>>the same code in C to debug. I determined the problem is that
>>sometimes multiple resource files are registered for a single
>>event source.
>>For example, below is a registry entry from my Win2k machine.
>>HLM\SYSTEM\CCS\Services\Eventlog\Security\Security\EventMessageFile
>>= "%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\sp2res.dll"
>>Or you can search for ".dll;" under the Eventlog service registry
>>key on your NT/2000 machine.
>>The GetEventDescription code obviously does not expect this
>>and it fails in LoadLibraryEx.
>>
>>2.
>>If I compare the speed of H. Carvey's dumpevt.pl, which uses
>>Win32::Lanman, and the MS dumpel.exe utility, by dumping an
>>eventlog containing about 2,500 entries, the perl code runs
>>over 50 times slower than its MS counterpart. The CPU usage stays
>>close to 100% during the time and most of CPU time is spent
>>in kernel mode. I would speculate that the difference lies in
>>how often costly system APIs, mostly LoadLibraryEx, are called
>>in dumpevt.pl and dumpel.exe.
>>I have not verified, but I figure the reason the MS tool runs
>>much faster is because it caches handles returned from LoadLibraryEx.
>>It does not find and load the resource file for every event
>>it processes, instead it caches handles returned by LoadLibraryEx
>>and uses them directly the next time it encounters an event from
>>the same source. If 30 event sources appeared in my 2,500 entry
>>eventlog, Perl will load the resource files 2,500 times, while
>>dumpel.exe will do it only 30 times. If there are 25,000 entries
>>from 80 sources, go figure!!
>>My suggestion is to add a reference to a hash variable to the
>>parameters to GetEventDescription, so GetEventDescription can
>>use existing handles if the resource files were already loaded,
>>and add new handles to the hash if new resource files are loaded.
>>But I guess things might go wrong if people forget to close
>>these handles and Perl will get blamed. I'd like to know what
>>you think.
>>
>>I am not yet familiar enough with Perl extension in XS so I
>>would hope someone out there will do the real work. I will jump
>>in soon. :)
>>
>>Jens, thanks for making Win32::Lanman available. And hope you
>>will patch the first one soon. :)
>>
>>Yimin
eventlog.cpp
Description: Binary data
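
The two points from the quoted 6 Nov message (an EventMessageFile value that lists several DLLs separated by ";", and caching handles so each resource file is loaded once) can be sketched as below. This is an added example, not the attached eventlog.cpp or Win32::Lanman code; `fake_load`, `get_handle`, `resolve_message_files` and `loader_calls` are hypothetical names, and `fake_load` stands in for LoadLibraryEx so the block runs on any platform.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CACHE 64
struct entry { char path[260]; void *handle; };   /* hypothetical cache slot */
static struct entry cache[MAX_CACHE];
static int cache_count, load_calls;
/* Stand-in for LoadLibraryEx so the example runs offline (assumption). */
static void *fake_load(const char *path) {
    static int dummy;
    (void)path;
    load_calls++;               /* counts how often the costly call happens */
    return &dummy;
}

/* Return the cached handle for path; call the loader only on first use. */
static void *get_handle(const char *path) {
    for (int i = 0; i < cache_count; i++)
        if (strcmp(cache[i].path, path) == 0) return cache[i].handle;
    if (cache_count == MAX_CACHE || strlen(path) >= sizeof cache[0].path)
        return NULL;            /* cache full or path too long: refuse */
    void *h = fake_load(path);
    if (h == NULL) return NULL; /* a real loader can fail (error 2) */
    strcpy(cache[cache_count].path, path);
    cache[cache_count++].handle = h;
    return h;
}

/* Split an EventMessageFile value on ';' and resolve each file in it.
   Returns the number of handles stored in out, or -1 if value is too long.
   Real code would expand %SystemRoot% (ExpandEnvironmentStrings) first. */
int resolve_message_files(const char *value, void **out, int max_out) {
    char buf[1024]; int n = 0;
    if (strlen(value) >= sizeof buf) return -1;
    strcpy(buf, value);
    for (char *t = strtok(buf, ";"); t && n < max_out; t = strtok(NULL, ";")) {
        void *h = get_handle(t);
        if (h) out[n++] = h;
    }
    return n;
}
int loader_calls(void) { return load_calls; }

int main(void) {
    /* Constructed run: the value quoted in the thread, seen 2,500 times. */
    const char *v = "%SystemRoot%\\System32\\MsAuditE.dll;%SystemRoot%\\System32\\sp2res.dll";
    void *h[8];
    for (int i = 0; i < 2500; i++) resolve_message_files(v, h, 8);
    printf("loader calls: %d\n", loader_calls());
    return 0;
}
```

The cache compares paths with `strcmp`, so two spellings of the same file that differ only in case are loaded twice; cached handles stay open until the caller releases them, which is the cleanup concern raised in the message.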
