You need to determine which sources are attached to a particular event log before the log is examined and/or deleted. A source is a component or application that has registered itself to a particular event log as a source of events.
Use the following method to extract all of the source names registered to a log (pass the log’s name in as the logName argument):
    // Requires: using System; using System.Collections; using Microsoft.Win32;
    public ArrayList FindSourceNamesFromLog(string logName)
    {
        ArrayList sourceNamesList = new ArrayList();

        // Each subkey of the Eventlog key is one event log
        string[] eventLogNames = Registry.LocalMachine.OpenSubKey
            (@"SYSTEM\CurrentControlSet\Services\Eventlog").GetSubKeyNames();

        foreach (string log in eventLogNames)
        {
            Console.WriteLine("log: " + log);

            if (logName == log)
            {
                // Each subkey of a log's key is a source registered to that log
                string[] sourceNames = Registry.LocalMachine.OpenSubKey
                    (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).GetSubKeyNames();

                sourceNamesList.Capacity = Registry.LocalMachine.OpenSubKey
                    (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).SubKeyCount;

                for (int i = 0; i < sourceNames.Length; i++)
                {
                    sourceNamesList.Add(sourceNames[i]);
                    Console.WriteLine("SourceName: " + sourceNames[i]);
                }
            }
        }

        return (sourceNamesList);
    }
To obtain a listing of all logs and their registered sources, use the following method:
    // Requires: using System; using System.Collections; using Microsoft.Win32;
    public static Hashtable FindSourceNamesFromAllLogs()
    {
        Hashtable logsAndSources = new Hashtable();

        // Each subkey of the Eventlog key is one event log
        string[] eventLogNames = Registry.LocalMachine.OpenSubKey
            (@"SYSTEM\CurrentControlSet\Services\Eventlog").GetSubKeyNames();

        foreach (string log in eventLogNames)
        {
            ArrayList sourceNamesList = new ArrayList();

            // Each subkey of a log's key is a source registered to that log
            string[] sourceNames = Registry.LocalMachine.OpenSubKey
                (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).GetSubKeyNames();

            sourceNamesList.Capacity = Registry.LocalMachine.OpenSubKey
                (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + log).SubKeyCount;

            for (int i = 0; i < sourceNames.Length; i++)
            {
                sourceNamesList.Add(sourceNames[i]);
            }

            // Key: log name; value: ArrayList of that log's source names
            logsAndSources.Add(log, sourceNamesList);
        }

        return (logsAndSources);
    }
This method returns a Hashtable with the log name as the key and an ArrayList of source names as the Hashtable’s value. The information in the Hashtable of ArrayLists can be accessed using the following code:
    foreach (DictionaryEntry DE in logsAndSources)
    {
        // Display the log
        Console.WriteLine("Log: " + DE.Key);

        foreach (string source in ((ArrayList)DE.Value))
        {
            // Display all sources for this log
            Console.WriteLine("  Source: " + source);
        }
    }
This recipe is similar to Recipe 6.8 in that we need to find information concerning an event log that can be obtained only through the registry. If we need to find the sources associated with a log called MyLog, we would look up all of the subkeys contained in the following location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog
If MyLog were associated with two sources called AppSource and MonitorSource, the following keys would exist under the MyLog key:
    AppSource
    MonitorSource
The full registry path for both keys would be:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\AppSource
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\MonitorSource
This recipe makes use of the Registry and RegistryKey classes to look up the subkeys under the event log’s key in the registry. See Recipe 6.8 for more information dealing with opening registry keys using the Registry and RegistryKey classes.
The read-only SubKeyCount property and GetSubKeyNames method of the RegistryKey class are used to obtain the number of subkeys that reside under a particular key and a string array containing their names.
The FindSourceNamesFromLog method uses the GetSubKeyNames method to obtain a list of event logs from the EventLog registry key. It then searches these log names until the log name passed to this method through the logName parameter is found. Once the correct log is found, its subkeys, which represent all of the sources tied to that log, are saved to the sourceNamesList ArrayList. This list is then passed back to the caller.
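The following added example (not code from the recipe) performs the same registry walk for every log, but disposes each RegistryKey, tolerates a missing key, and records logs whose key cannot be read with the current privileges (for example the Security log under a non-administrative account) instead of throwing. The class name EventLogSourceInventory and the method name Collect are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using Microsoft.Win32;

// Added example: hypothetical class, not part of the recipe's code.
public static class EventLogSourceInventory
{
    private const string EventLogRoot = @"SYSTEM\CurrentControlSet\Services\Eventlog";

    // Returns log name -> registered source names.
    // Logs whose key could not be opened or listed are appended to 'inaccessible'.
    public static SortedDictionary<string, List<string>> Collect(List<string> inaccessible)
    {
        var result = new SortedDictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        using (RegistryKey root = Registry.LocalMachine.OpenSubKey(EventLogRoot))
        {
            if (root == null) return result;          // Eventlog key missing: nothing to report
            foreach (string log in root.GetSubKeyNames())
            {
                try
                {
                    using (RegistryKey logKey = root.OpenSubKey(log))
                    {
                        if (logKey == null) continue;  // key removed between the two calls
                        result[log] = new List<string>(logKey.GetSubKeyNames());
                    }
                }
                catch (SecurityException) { inaccessible.Add(log); }
                catch (UnauthorizedAccessException) { inaccessible.Add(log); }
            }
        }
        return result;
    }

    public static void Main()
    {
        var inaccessible = new List<string>();
        foreach (KeyValuePair<string, List<string>> entry in Collect(inaccessible))
        {
            Console.WriteLine("Log: {0} ({1} sources)", entry.Key, entry.Value.Count);
            foreach (string source in entry.Value)
                Console.WriteLine("  Source: " + source);
        }
        foreach (string log in inaccessible)
            Console.WriteLine("Not readable with current privileges: " + log);
    }
}
```

An empty source list for a log that appears in the inaccessible list means the inventory is incomplete, not that the log has no sources, so check that list before a log is deleted.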
See Recipe 6.8; see the “Registry.LocalMachine Field” and “RegistryKey.Open Method” topics in the MSDN documentation.