BUG: ReadEventLog Fails with Error 87

Article translations Article translations
Article ID: 177199 - View products that this article applies to.
This article was previously published under Q177199
Expand all | Collapse all

SYMPTOMS

The ReadEventLog() Win32 API function might fail and GetLastError() returns 87 (ERROR_INVALID_PARAMETERS) while having all valid parameters passed to ReadEventLog().

CAUSE

The Event Logging Service fails to process the read operation when an application uses the ReadEventLog() function with the EVENTLOG_SEEK_READ flag to read large event log file.

RESOLUTION

The calling application should not use the EVENTLOG_SEEK_READ flag with ReadEventLog if the size of the event log file is not determined. Instead, use the EVENTLOG_SEQUENTIAL_READ flag and use repeated calls to ReadEventLog to implement code to scan to the record of interest.

STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.

MORE INFORMATION

This problem is only encountered when the .EVT file is 2MB in size or larger. The event log file is found in the %SystemRoot%\system32\config directory. For example, the .EVT file for the Application log is AppEvent.evt.

If the log file has been configured not to exceed 2MB - 64K, an application can expect the EVENTLOG_SEEK_READ flag to work properly without any problem. To configure the log file size, use Event Viewer and select the Log Settings menu item from the Log Menu.

If the log file is 2MB or larger, the seek method of reading the event log will fail to read the earlier records in the file. For example, expect ReadEventLog to fail when reading records with the dwRecordOffset parameter set to 1 or 2 or maybe 11 or 12, depending on how full the log file is. ReadEventLog may continue to succeed and work properly for seeking to later records, for example dwRecordOffset set to 100 or 200.

The problem with ReadEventLog using the EVENTLOG_SEEK_READ flag is related to the file size and not the number of records.

REFERENCES

For more information about ReadEventLog see:

Platform SDK: Windows Base Services; Debugging and Error Handling; Event Logging; Event Logging Reference

Properties

Article ID: 177199 - Last Review: November 21, 2006 - Revision: 2.1
APPLIES TO
  • Microsoft Win32 Application Programming Interface, when used with:
    • Microsoft Windows NT 4.0
    • Microsoft Windows NT 3.51 Service Pack 5
    • Microsoft Windows NT 4.0
Keywords: 
kbbug kbapi kbeventlog kbkernbase kbpending KB177199

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com