| View previous topic :: View next topic |
| Author |
Message |
Guido39
Joined: 17 Sep 2002
Posts: 65
|
 Posted: Wed Sep 18, 2002 3:37 pm Post subject: |
 |
|
I have a test setup to monitor event logs on a Win2k server and NT 4.0 server. They are both monitoring RAS connections and disconnections using RemoteAccess as the source and specific event ID's. Problem is when an event is logged or e-mailed, the Win2K server works great in that the event description is correct. But when checking NT 4.0, the test is tripped but the descriptions are either blank or completely wrong. I look in the event logs on the server and it's not what I'm seeing in the Host Monitor logs or e-mails (using the reply field).
Any ideas? |
|
| Back to top |
|
 |
KS-Soft
Joined: 03 Apr 2002
Posts: 12807
Location: USA
|
| Posted: Thu Sep 19, 2002 11:25 pm Post subject: |
|
|
I don't have good idea. HostMonitor takes event descriptions from DLL that specified (in the registry) for the event source. In your case the DLL specified in registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSystemRemoteAccessEventMessageFile
Theoretically problem can appear if Windows 2000 and Windows NT 4.0 use different IDs for the same messages... but I don't see much sense in that, I think IDs the same...
Regards
Alex |
|
| Back to top |
|
|
Guido39
Joined: 17 Sep 2002
Posts: 65
|
| Posted: Fri Sep 20, 2002 9:29 am Post subject: |
|
|
Actually, the event IDs are different between the two. For connecting to RAS, the event ID in NT is 20017 and for Win2k is 20141. For disconnecting from RAS, the event ID in NT is 20050 and for Win2k it's 20048.
You said this could cause problems. Does Hostmonitor use the actual DLL on the system? Seems strange that the event descriptions are correct in the event viewer but Host Monitor is picking up something different if they are both referencing the same DLL. |
|
| Back to top |
|
|
KS-Soft
Joined: 03 Apr 2002
Posts: 12807
Location: USA
|
| Posted: Fri Sep 20, 2002 4:23 pm Post subject: |
|
|
No, they are referencing to different DLLs: one DLL located on your W2K system, another located on your NT 4.0 system.
Problem is: HostMonitor (and any other program) cannot (in general case) load DLL from remote system. I tried to find information how to retrieve event description from remote system but even Microsoft says "The message strings are contained in a message file specified in the source entry in the registry. To obtain the appropriate message string from the message file, load the message file with the LoadLibrary function and use the FormatMessage function." (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/eventlogrecord_str.asp). HostMonitor works exactly by instruction.
What's interesting standard Event Viewer retrieves information from remote system. I think it uses some undocumented functions (as usually  ), unfortunately I cant find information about it 
Regards
Alex |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in
