Article ID: 177199 - View products that this article applies to.
This article was previously published under Q177199
The ReadEventLog() Win32 API function might fail and GetLastError() returns 87 (ERROR_INVALID_PARAMETERS) while having all valid parameters passed to ReadEventLog().
The Event Logging Service fails to process the read operation when an application uses the ReadEventLog() function with the EVENTLOG_SEEK_READ flag to read large event log file.
The calling application should not use the EVENTLOG_SEEK_READ flag with ReadEventLog if the size of the event log file is not determined. Instead, use the EVENTLOG_SEQUENTIAL_READ flag and use repeated calls to ReadEventLog to implement code to scan to the record of interest.
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.
This problem is only encountered when the .EVT file is 2MB in size or larger. The event log file is found in the %SystemRoot%\system32\config directory. For example, the .EVT file for the Application log is AppEvent.evt.
If the log file has been configured not to exceed 2MB - 64K, an application can expect the EVENTLOG_SEEK_READ flag to work properly without any problem. To configure the log file size, use Event Viewer and select the Log Settings menu item from the Log Menu.
If the log file is 2MB or larger, the seek method of reading the event log will fail to read the earlier records in the file. For example, expect ReadEventLog to fail when reading records with the dwRecordOffset parameter set to 1 or 2 or maybe 11 or 12, depending on how full the log file is. ReadEventLog may continue to succeed and work properly for seeking to later records, for example dwRecordOffset set to 100 or 200.
The problem with ReadEventLog using the EVENTLOG_SEEK_READ flag is related to the file size and not the number of records.
For more information about ReadEventLog see:
Platform SDK: Windows Base Services; Debugging and Error Handling; Event Logging; Event Logging Reference
Article ID: 177199 - Last Review: November 21, 2006 - Revision: 2.1