I fixed 2 bugs in eventlog.cpp.

1. Problem 1 described in my old post.
2. In XS_NT__Lanman_ReadEventLog(), using "recordPtr->Length" alone one cannot always correctly determine if all entries are processed. This sometimes leads the code to terminate with LastError=122. I added "dwUnprocessedSize" to do the job and the problem's fixed.

Attached is the new code.

Thanks
Yimin

On Tue, 6 Nov 2001 23:00:29 -0500 (EST) Yimin Zheng wrote:
>I found 2 problems when using Win32::Lanman to retrieve eventlogs.
>Below is my analysis of the problems.
>
>1.
>Sometimes "GetEventDescription" will fail with an error code
>2 -- file not found.
>I looked into "eventlog.cpp" in the source code and implemented
>the same code in C to debug. I determined the problem is that
>sometimes multiple resource files are registered for a single
>event source.
>For example, below is a registry entry from my Win2k machine.
>HLM\SYSTEM\CCS\Services\Eventlog\Security\Security\EventMessageFile
>= "%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\sp2res.dll"
>Or you can search for ".dll;" under the Eventlog service registry
>key on your NT/2000 machine.
>The GetEventDescription code obviously does not expect this
>and it fails in LoadLibraryEx.
>
>2.
>If I compare the speed of H. Carvey's dumpevt.pl, which uses
>Win32::Lanman, and the MS dumpel.exe utility, by dumping an
>eventlog containing about 2,500 entries, the perl code runs
>over 50 times slower than its MS counterpart. The CPU usage stays
>close to 100% during the time and most of the CPU time is spent
>in kernel mode. I would speculate that the difference lies in
>how often costly system APIs, mostly LoadLibraryEx, are called
>in dumpevt.pl and dumpel.exe.
>I have not verified, but I figure the reason the MS tool runs
>much faster is because it caches handles returned from LoadLibraryEx.
>It does not find and load the resource file for every event
>it processes, instead it caches handles returned by LoadLibraryEx
>and uses them directly the next time it encounters an event from
>the same source. If 30 event sources appeared in my 2,500 entry
>eventlog, Perl will load the resource files 2,500 times, while
>dumpel.exe will do it only 30 times. If there are 25,000 entries
>from 80 sources, go figure!!
>My suggestion is to add a reference to a hash variable to the
>parameters to GetEventDescription, so GetEventDescription can
>use existing handles if the resource files were already loaded,
>and add new handles to the hash if new resource files are loaded.
>But I guess things might go wrong if people forget to close
>these handles and Perl will get blamed. I'd like to know what
>you think.
>
>I am not yet familiar enough with Perl extension in XS so I
>would hope someone out there will do the real work. I will jump
>in soon. :)
>
>Jens, thanks for making Win32::Lanman available. And hope you
>will patch the first one soon. :)
>
>Yimin
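
The record walk from point 2 of the message above, bounded by a count of unprocessed bytes instead of the Length field alone. This is an added example, not part of the original post and not the Win32::Lanman code; `rec_hdr`, `count_records`, `demo` and the sample buffer are hypothetical, and `rec_hdr` models only the leading fields of EVENTLOGRECORD.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the leading fields of EVENTLOGRECORD;
   Length is the size in bytes of the whole variable-length record. */
typedef struct { uint32_t Length, Reserved, RecordNumber; } rec_hdr;

/* Count the records in buf[0..bytes_read). Returns -1 when a header or a
   Length value does not fit in the bytes that are still unprocessed. */
int count_records(const unsigned char *buf, uint32_t bytes_read)
{
    uint32_t unprocessed = bytes_read;   /* role of dwUnprocessedSize */
    int n = 0;
    while (unprocessed > 0) {
        rec_hdr h;
        if (unprocessed < sizeof h) return -1;       /* truncated header */
        memcpy(&h, buf, sizeof h);                    /* no unaligned read */
        if (h.Length < sizeof h || h.Length > unprocessed) return -1;
        buf += h.Length;                              /* next record */
        unprocessed -= h.Length;
        n++;
    }
    return n;
}

/* Constructed sample: two records (56 and 64 bytes) in a buffer whose tail
   still holds stale 0xAA bytes; bytes_read is reported short by `cut`. */
int demo(uint32_t cut)
{
    unsigned char buf[256];
    rec_hdr a = { 56, 0, 1 }, b = { 64, 0, 2 };
    memset(buf, 0xAA, sizeof buf);
    memcpy(buf, &a, sizeof a);
    memcpy(buf + 56, &b, sizeof b);
    return count_records(buf, 120 - cut);
}

int main(void)
{
    printf("full=%d short=%d\n", demo(0), demo(32));
    return 0;
}
```

With the byte counter the walk ends exactly where the read ended, so the stale 0xAA bytes after the second record are never interpreted as a Length.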
