BUG: ReadEventLog Fails with Error 87

Last reviewed: November 24, 1997
Article ID: Q177199
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) included with: - Microsoft Windows NT versions 3.50, 3.51, 4.0

SYMPTOMS

The ReadEventLog() Win32 API function might fail and GetLastError() returns 87 (ERROR_INVALID_PARAMETERS) while having all valid parameters passed to ReadEventLog().

CAUSE

The Event Logging Service fails to process the read operation when an application uses the ReadEventLog() function with the EVENTLOG_SEEK_READ flag to read large event log file.

RESOLUTION

The calling application should not use the EVENTLOG_SEEK_READ flag with ReadEventLog if the size of the event log file is not determined. Instead, use the EVENTLOG_SEQUENTIAL_READ flag and use repeated calls to ReadEventLog to implement code to scan to the record of interest.

STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.

MORE INFORMATION

This problem is only encountered when the .EVT file is 2MB in size or larger. The event log file is found in the %SystemRoot%\system32\config directory. For example, the .EVT file for the Application log is AppEvent.evt.

If the log file has been configured not to exceed 2MB - 64K, an application can expect the EVENTLOG_SEEK_READ flag to work properly without any problem. To configure the log file size, use Event Viewer and select the Log Settings menu item from the Log Menu.

If the log file is 2MB or larger, the seek method of reading the event log will fail to read the earlier records in the file. For example, expect ReadEventLog to fail when reading records with the dwRecordOffset parameter set to 1 or 2 or maybe 11 or 12, depending on how full the log file is. ReadEventLog may continue to succeed and work properly for seeking to later records, for example dwRecordOffset set to 100 or 200.

The problem with ReadEventLog using the EVENTLOG_SEEK_READ flag is related to the file size and not the number of records.

REFERENCES

For more information about ReadEventLog see:

Platform SDK: Windows Base Services; Debugging and Error Handling; Event Logging; Event Logging Reference

Keywords          : BseEvtLog
Version           : WINNT:3.5,3.51,4.0
Platform          : winnt
Issue type        : kbbug


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: November 24, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.