How to parse EventData from Windows event log?

Yen-Ming Chiu 21 Reputation points
2021-02-01T07:30:53.51+00:00

Hi!
I'm writing a C++ program dealing with Windows events logs.
But I'm confused about how I can parse all the detailed information under the tag EventData from a Windows event record.

Here's what I know so far:

  1. How to use WQL to query WMI information.
  2. Get all information under tag 'System' in an event.
    (Reference: https://learn.microsoft.com/en-us/windows/win32/wmisdk/example--getting-wmi-data-from-the-local-computer)

The following picture is a snapshot from Microsoft Learn, and the lines marked in red are what I want to get.
[image: windowsevent.png]

Thanks for helping!! :)
Kevin Chiu


Accepted answer
Drake Wu - MSFT 991 Reputation points
2021-02-01T10:06:22.077+00:00

Hi @Yen-Ming Chiu You could refer to this document: Retrieving Event Data Using MOF

Or you could use EvtCreateRenderContext with EvtRenderContextValues to get specific properties from the event. See the sample Rendering Events.


If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


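The EvtCreateRenderContext/EvtRenderContextValues route in the answer needs the Windows SDK; the other common route is EvtRender with EvtRenderEventXml, which returns the whole record as XML, and the EventData section can then be pulled out of that string. The block below is an added example, not code from the question, the answer or Microsoft: it assumes you already hold such a rendered XML string, the sample event is constructed (not a real record), and the parser is deliberately limited to the `<EventData>`/`<Data>` shape EvtRender emits.

```cpp
#include <string>
#include <utility>
#include <vector>
// One <Data> element of <EventData> (name empty when there is no Name attribute) taken
// from an event rendered as XML with EvtRenderEventXml.
struct EventDataItem { std::string name, value; };

// Decode the five predefined XML entities in one pass ("&amp;lt;" yields "&lt;", not "<").
static std::string decodeXml(const std::string& s) {
    static const std::pair<std::string, std::string> ents[] = {
        {"&lt;", "<"}, {"&gt;", ">"}, {"&quot;", "\""}, {"&apos;", "'"}, {"&amp;", "&"}};
    std::string out;
    for (size_t i = 0; i < s.size();) {
        size_t k = 0;
        while (s[i] == '&' && k < 5 && s.compare(i, ents[k].first.size(), ents[k].first) != 0) ++k;
        if (s[i] == '&' && k < 5) { out += ents[k].second; i += ents[k].first.size(); }
        else out += s[i++];
    }
    return out;
}

// Return every <Data> element between <EventData> and </EventData> in document order, handling
// <Data Name='x'>v</Data>, <Data>v</Data> and self-closing <Data Name='x'/> with either quote
// style. Values come straight from the log; fields such as CommandLine are attacker-influenced.
std::vector<EventDataItem> parseEventData(const std::string& xml) {
    std::vector<EventDataItem> items;
    size_t pos = xml.find("<EventData");
    if (pos == std::string::npos) return items;            // no payload, or <UserData> instead
    size_t end = xml.find("</EventData>", pos);            // npos (no close tag) means "to the end"
    while ((pos = xml.find("<Data", pos)) != std::string::npos && pos < end) {
        size_t tagEnd = xml.find('>', pos);
        if (tagEnd == std::string::npos || tagEnd > end) break;
        EventDataItem item;
        size_t n = xml.find("Name=", pos), q = 0;
        if (n != std::string::npos && n + 5 < tagEnd && (q = xml.find(xml[n + 5], n + 6)) < tagEnd)
            item.name = xml.substr(n + 6, q - n - 6);
        pos = tagEnd + 1;
        if (xml[tagEnd - 1] != '/') {                      // not self-closing: read the text
            size_t close = xml.find("</Data>", pos);
            if (close == std::string::npos || close > end) break;
            item.value = decodeXml(xml.substr(pos, close - pos));
            pos = close + 7;                               // skip "</Data>"
        }
        items.push_back(item);
    }
    return items;
}

// Constructed sample shaped like a rendered Security 4688 record (not a real event).
const std::string kSampleEventXml =
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>"
    "<Data Name='SubjectUserName'>alice</Data><Data Name=\"NewProcessName\">C:\\Tools\\a&amp;b.exe</Data>"
    "<Data Name='CommandLine'>a.exe &quot;x&quot; &lt;y</Data><Data Name='Unused'/>"
    "<Data>trailing</Data></EventData></Event>";
```

On Windows the input string comes from EvtRender(NULL, hEvent, EvtRenderEventXml, ...) converted from UTF-16; for production parsing of arbitrary events prefer a real XML parser (for example MSXML or XmlLite) over this string scan.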