[ Team LiB ] |
Recipe 6.11 Finding All Sources Belonging to a Specific Event LogProblemYou need to determine which sources are attached to a particular event log before the log is examined and/or deleted. A source is a component or application that has registered itself to a particular event log as a source of events. SolutionUse the following method to extract all of the source names registered to a log (pass the log's name in as the logName argument): public ArrayList FindSourceNamesFromLog(string logName) { ArrayList sourceNamesList = new ArrayList( ); string[] eventLogNames = Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\Eventlog").GetSubKeyNames( ); foreach (string log in eventLogNames) { Console.WriteLine("log: " + log); if (logName == log) { string[] sourceNames = Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).GetSubKeyNames( ); sourceNamesList.Capacity = Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).SubKeyCount; for (int i = 0; i < sourceNames.Length; i++) { sourceNamesList.Add(sourceNames[i]); Console.WriteLine("SourceName: " + sourceNames[i]); } } } return (sourceNamesList); } To obtain a listing of all logs and their registered sources, use the following method: public static Hashtable FindSourceNamesFromAllLogs( ) { Hashtable logsAndSources = new Hashtable( ); string[] eventLogNames = Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\Eventlog").GetSubKeyNames( ); foreach (string log in eventLogNames) { ArrayList sourceNamesList = new ArrayList( ); string[] sourceNames = Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).GetSubKeyNames( ); sourceNamesList.Capacity = Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).SubKeyCount; for (int i = 0; i < sourceNames.Length; i++) { sourceNamesList.Add(sourceNames[i]); } logsAndSources.Add(log, sourceNamesList); } return (logsAndSources); } This method returns a Hashtable with the log name as the key and an ArrayList of source names as the Hashtable's value. The information in the Hashtable of ArrayLists can be accessed using the following code: foreach (DictionaryEntry DE in logsAndSources) { Console.WriteLine("Log: " + DE.Key); // Display the log foreach (string source in ((ArrayList)DE.Value)) { // Display all sources for this log Console.WriteLine("\tSource: " + source); } } DiscussionThis recipe is similar to Recipe 6.8 in that we need to find information concerning an event log that can be obtained only through the registry. If we need to find the sources associated with a log called MyLog, we would look up all of the subkeys contained in the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\ If MyLog were associated with two sources called AppSource and MonitorSource, the following keys would exist under the MyLog key: \AppSource \MonitorSource The full registry path for both keys would be: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\AppSource HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\MonitorSource This recipe makes use of the Registry and RegistryKey classes to look up the subkeys under the event log's key in the registry. See Recipe 6.8 for more information dealing with opening registry keys using the Registry and RegistryKey classes. The read-only SubKeyCount property and GetSubKeyNames method of the RegistryKey class are used to obtain the number of subkeys that reside under a particular key and a string array containing their names. The FindSourceNamesFromLog method uses the GetSubKeyNames method to obtain a list of event logs from the EventLog registry key. It then searches these log names until the log name passed to this method through the logName parameter is found. Once the correct log is found, its subkeys—representing all of the sources tied to that log—are saved to the sourceNamesList array. This array is then passed back to the caller. See AlsoSee Recipe 6.8; see the "Registry.LocalMachine Field" and "RegistryKey.Open Method" topics in the MSDN documentation. |
[ Team LiB ] |