I am trying to get a list of the "special" event logs in C#, like the "Microsoft\Windows\Audio\CaptureMonitor" log and all the others like it. They don't seem to be returned when I use System.Diagnostics.EventLog.GetEventLogs(). Is there a special way to get a list of all the special event logs?
2 Answers
I'll be honest and admit I don't know how these views tie into EventLogs and EventSources but take a look at the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
And see if that starts you down the right path. Also check out:
How do I create a hierarchy of lognames in the Windows event system?
You may use the WevtUtil.exe tool:
To access event log information from the command line, use the WevtUtil.exe tool. This tool is located in the %SystemRoot%\System32 directory. For WevtUtil.exe tool help, use the wevtutil /? command.
I guess you might use a System.Diagnostics.Process, launch the tool, then capture and parse the console output.

```csharp
using System;
using System.Diagnostics;
using System.Linq;

class Program
{
    static void Main(string[] args)
    {
        var output = "";

        // "wevtutil el" (enum-logs) prints one log name per line.
        var psi = new ProcessStartInfo("wevtutil.exe", "el");
        psi.CreateNoWindow = true;
        psi.RedirectStandardOutput = true;
        psi.UseShellExecute = false;

        using (var p = new Process())
        {
            p.StartInfo = psi;
            p.Start();

            // Drain stdout before waiting, so a full pipe cannot block the child.
            using (var processOutput = p.StandardOutput)
            {
                output = processOutput.ReadToEnd();
            }
            p.WaitForExit();
        }

        // One list entry per log name.
        var eventLogs = output
            .Split(new string[] { "\r\n" }, StringSplitOptions.RemoveEmptyEntries)
            .ToList();

        foreach (var item in eventLogs)
        {
            Console.WriteLine(item);
        }
    }
}
```
For reading the event log, you could use the same approach (for example, call wevtutil qe Microsoft-Windows-Audio/CaptureMonitor /f:text) or the System.Diagnostics.Eventing.Reader namespace. Try the following:
```csharp
using System;
using System.Diagnostics.Eventing.Reader;

class Program
{
    static void Main(string[] args)
    {
        EventLogQuery subscriptionQuery =
            new EventLogQuery("Microsoft-Windows-Audio/CaptureMonitor",
                PathType.LogName, "*");

        using (EventLogReader logReader =
            new EventLogReader(subscriptionQuery))
        {
            DisplayEventAndLogInformation(logReader);
        }
    }

    private static void DisplayEventAndLogInformation(EventLogReader logReader)
    {
        for (EventRecord eventInstance = logReader.ReadEvent();
            null != eventInstance; eventInstance = logReader.ReadEvent())
        {
            Console.WriteLine("--------------------------------------");
            Console.WriteLine("Event ID: {0}", eventInstance.Id);
            Console.WriteLine("Publisher: {0}", eventInstance.ProviderName);

            try
            {
                Console.WriteLine("Description: {0}",
                    eventInstance.FormatDescription());
            }
            catch (EventLogException)
            {
                // The event description contains parameters,
                // and no parameters were passed to the
                // FormatDescription method, so an exception is thrown.
            }

            // Cast the EventRecord object as an EventLogRecord
            // object to access the EventLogRecord class properties
            EventLogRecord logRecord = (EventLogRecord)eventInstance;
            Console.WriteLine("Container Event Log: {0}",
                logRecord.ContainerLog);
        }
    }
}
```
You may have to tweak the EventLogQuery constructor's query parameter (*) a little bit according to your needs. The topic How to: Query for Events shows an implementation example.
I know how to read the special event logs, I'm trying to get a list of all the special event logs. I've looked around in the EventLog* classes and haven't come up with anything useful so far. :( – Jon Tackabury Mar 14 '13 at 19:10
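An added example, not part of the original question, answers or comment: the System.Diagnostics.Eventing.Reader namespace used in the second answer can also enumerate channels in-process through EventLogSession.GetLogNames(), so no wevtutil output has to be parsed. The ChannelInventory class name and the output layout are choices made for this example; printing each channel's type and enabled state is an extra step that helps when checking which logs actually collect events.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

// Hypothetical class name, chosen for this example.
class ChannelInventory
{
    static void Main()
    {
        // GlobalSession is the local machine under the caller's credentials.
        EventLogSession session = EventLogSession.GlobalSession;

        // GetLogNames() returns every registered channel, including names such as
        // Microsoft-Windows-Audio/CaptureMonitor that EventLog.GetEventLogs() omits.
        List<string> names = session.GetLogNames()
            .OrderBy(n => n, StringComparer.OrdinalIgnoreCase)
            .ToList();

        int unreadable = 0;
        foreach (string name in names)
        {
            try
            {
                // Per-channel settings: log type and whether it is enabled.
                using (var config = new EventLogConfiguration(name, session))
                {
                    Console.WriteLine("{0,-14} {1,-8} {2}",
                        config.LogType,
                        config.IsEnabled ? "enabled" : "disabled",
                        name);
                }
            }
            catch (Exception ex) when (ex is EventLogException ||
                                       ex is UnauthorizedAccessException)
            {
                // Some channels cannot be read without elevation or have
                // incomplete registrations; still list the name.
                unreadable++;
                Console.WriteLine("{0,-14} {1,-8} {2}", "?", "?", name);
            }
        }

        Console.WriteLine("{0} channels, {1} with unreadable configuration",
            names.Count, unreadable);
    }
}
```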